Extreme Networks

AnonymousM · ‎08-10-2018

Not sure when this feature is visible through the Hivemanager GUI... can you elaborate a bit more on it, what exactly it is doing?

Changes to the traffic flow
How does it affect traffic within the same (B)SSID?
Does this mean that IP Firewall rules (on the AP) can now be applied to Multicast traffic?
Does this mean that Multicast traffic is not automatically sent as wireless broadcast traffic on the BSSID?
I am explicitly looking for a matrix should how this is affecting Multicast traffic flow for the following configurations:
- One SSID, same VLAN
- One SSID, different VLANs (e.g. via PPSK groups)
- Two SSID objects (2 different locations), same SSID broadcast name, same VLAN
- Two SSID objects (2 different locations), same SSID broadcast name, different VLANs

The last example from above is what we are currently using to mitigate Multicast (mDNS) traffic flooding our network. So I am wondering if "disabling Inter-SSID Flooding" would help, and if yes, what else would I have to configure?

IP Firewall rules on Access Points?
Firewall rules / ACLs on my infrastructure (Firewall & switches)?
Anything else?

Thanks,

carsten

samantha_lynn · ‎08-10-2018

To answer your questions-

Changes to the traffic flow

If this option is on, a client device that is connected to AP1 on SSID1 will not be able to pass traffic to another client device that is also connected to AP1 on SSID2. This setting only applies to traffic on one AP, between client devices connected to two different SSIDs on one AP, on the same radio. If this option is on, the multicast/broadcast traffic is instead moved to the backhaul interface, which can filter/pass on from there.

· How does it affect traffic within the same (B)SSID?

It won’t affect traffic within the same SSID, only other SSIDs.

· Does this mean that IP Firewall rules (on the AP) can now be applied to Multicast traffic?

This setting doesn’t use the firewall on the AP. Once the traffic is pushed to the backhaul interface a firewall on the LAN would interrogate the traffic.

· Does this mean that Multicast traffic is not automatically sent as wireless broadcast traffic on the BSSID?

This is a different function.

· I am explicitly looking for a matrix should how this is affecting Multicast traffic flow for the following configurations:

One SSID, same VLAN- This will not be affected by this setting, this setting only deals with Inter-SSID traffic.
One SSID, different VLANs (e.g. via PPSK groups)- This will not be affected either.
Two SSID objects (2 different locations), same SSID broadcast name, same VLAN- This will not be affected by this setting as these are two different objects and this setting is limited to traffic on one AP.
Two SSID objects (2 different locations), same SSID broadcast name, different VLANs- This will not be affected.

In general, multicast/broadcast issues are best dealt with via proper VLAN design. If you can provide more details on what issues you are running in to with multicast flooding and specifics on your topology, we might be able to help you. If you'd rather share these details with me directly, please feel free to email me at communityhelp@aerohive.com

View solution in original post

AnonymousM · ‎08-13-2018

Thanks a lot Sam! That indeed clarifies this setting and what it does.

And, as you already figured, it does not help me with the original issue: Multicast traffic generated by wireless Clients is being broadcasted to all clients on the same SSID (= same BSSID), even if the clients are on different VLANs (via PPSK groups).

This became a huge problem in some of our installations where 2 things happened in parallel:

Reducing SSID management overhead traffic by consolidating 3-5 SSIDs into one (by using PPSK groups)
Increase of Multicast traffic generated by clients, most notably mDNS from MacOS clients.

While minimizig the amount of SSIDs in a network is usually a good thing, with the management traffic overhead being reduced, in some cases it proved to be counter-productive. In environments with > 500 clients we saw a significant increase of Multicast traffic flooded to all Wifi clients, even when using different VLANs. It went as far as Multicast traffic being more than 50% of all Wifi traffic. It took a while to understand this happens because Multicasts are sent as Wifi Broadcasts, which are sent to all clients connected on the the BSSID, which is L2 and thus independent from the VLAN any client is inside.

We tried to fix it by applying Firewall policies on the APs, but as they are L3, they are not gripping.

I am aware that this situation is known to Aerohive, and I am being told that better Multicast handling is in development. Which is good... but until then, we are looking for workarounds to mitigate this behaviour.

The only workaround(*) that seems to help is to identify as many "independent locations" (= no wifi roaming between them), and configure each location with its dedicated SSID object (= same SSID broadcast name, but DIFFERENT BSSID), AND (important) with a dedicated VLAN for each user group as well.

Example:

Location A: SSID object "SCHOOL-A", SSID "SCHOOL"
- VLAN Students: 101
- VLAN Teachers: 201
Location B: SSID object "SCHOOL-B", SSID "SCHOOL"
- VLAN Students: 102
- VLAN Teachers: 202

(*) Of course "disabling inter-station traffic" fixes the issue, too. But we cannot always do it, as sometimes access to Wifi devices on the same network is required (printers, Apple-TVs, Chromecasts, ...).

The reason for my original post here was to find out, if this configuration option might help me to find a different / additional workaround. It is obviously not, so I will go ahead with my original plan (as per example) and wait for the proper solution by Aerohive 😉