Hi Mig,
Thanks for taking the time to look at this, its been extremely helpful and believe I have the detail I need now.
The network is vast and don’t have much detail on it, although it is inconsequential in this case. The sites are joined together at layer 3 but it does not matter as guest traffic is bridging out to a VLAN / Network and firewall that are completely independent of each other.
The DHCP scope was something I was aware of and do use, whether its right or wrong is up for question.
The way it works is because the two VLANs either the same or different ID’s are effectively not joined in anyway, they are just VLANs that go to two completely independent firewalls and circuits. This means they can be configured with the same subnet and not clash with one another.
The way it works is that you take one large scope, you split the allocation of addresses in half. One side provides address in one range (lower half), the other side does the same (higher half). The primary reason is that when the APs fail from one side to the other (whether 50/50 split or all home to one) the client can keep the same IP, it wont clash with anything on the controller, the DHCP scope keeps them separate. In addition if a client gets an IP when in failover, when it fails back it can keep it until lease runs-out and still work without clashing.
That way the failover is seamless, the device doesn’t need to re-ip and client carries on working without being aware of the fail-over. It isn’t completely fall-proof, but think it takes best advantage of the fact traffic has effectively moved to a completely different location and firewall.
What do you think, maybe not the best idea?
Cheers.
