Vlan Pooling

  • 2
  • Question
  • Updated 3 years ago
  • Answered
Is it possible to do VLAN pooling? In large deployments that use WPA2 PSK or open authentication, I need a way to offer lots of addresses on the same SSID but keep the broadcast domains to a minimum (/23 at most). I don't want to place devices in different VLANs based on OS, vendor MAC, or user credentials; I just need a simple setup that places connecting devices into VLANs based on round robin or MAC hash (no back-end management required). I have done this with Aruba and Cisco and it works very well.

Rob

  • 42 Posts
  • 5 Reply Likes

Posted 5 years ago

  • 2

Gregor Vucajnk, Official Rep

  • 74 Posts
  • 27 Reply Likes
Hi Rob,

I would propose creating VLAN objects with a combination of Classifier tags. In this way you could build a configuration where a single User Profile would be mapped to multiple VLANs. Using the classifier tags you would assign different VLANs to the one User Profile based on device classifications (or, for that matter, topology maps).

Here is the example:

First create a User Profile (let's say a User Profile for Students) and create a VLAN object:



Then create multiple VLANs (that can be mapped to different networks using separate DHCP services). Feel free to be creative using Classifier tags, the example shows using Classifier tags as locations.



Alternatively you could use topology maps as an identifier:



To finish all you have to do is to either use the same Classifier tags values on the APs you want to assign those particular VLANs or assign the APs to topology maps.

What will happen then is when a Student device will associate to an AP tagged with a specific Classifier tag, it will get assigned to a specific VLAN.

This will give the same result as the VLAN pooling feature WITHOUT having to tunnel the data plane to a controller to do that job for you :).

Have fun,

Gregor

Haydn St

  • 17 Posts
  • 1 Reply Like
With this setup, what VLAN should you set on the default authorisation user profile?

I am finding that with the Topology node when a user moves to another block which gets a different VLAN via Topology node it does not work, but if you change SSID temporarily it gets the right IP on the right VLAN in the correct subnet.

I have tried using default authorisation on a different VLAN and on the same VLAN; both are not working in the way I hope.

J. Goodnough, Champ

  • 266 Posts
  • 32 Reply Likes
Check further down this page, there's a discussion of GRE tunneling policies that should help the situation when a user roams to a different block.

Rob

  • 42 Posts
  • 5 Reply Likes
Awesome!

I like that the VLANs can also be location based, but this raises a few other questions for me.

Would I also need to enable layer 3 roaming if users are moving between APs with different VLANs but still using the same SSID and user profile as you depicted?

Can I have more than one VLAN on the same SSID and user profile? If so, how do the clients choose which VLAN to use?

I wish I could lab this up and play a little, but at the moment my lab is out of commission.

Gregor Vucajnk, Official Rep

  • 74 Posts
  • 27 Reply Likes
Hi Rob,

Not only location based: objects can be tied to device classifiers that can be whatever you want them to be. Locations are just the easiest to understand.

The way VLANs are working is that the user will retain the same VLAN they've been assigned to as they associated to the network across roaming. Even if a particular location is "giving out" different VLANs, the original VLAN assignment is kept.

So you don't have to set up L3 roaming unless you are roaming between APs on different subnets.

Every User Profile is assigned to a VLAN object, and you can assign multiple VLANs per VLAN object. Assigning is done by the infrastructure, not the end client device, by rules like classifier tags, location maps or hostnames.

Gregor
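The assignment and roaming behaviour Gregor describes, as an added Python model that is not Aerohive code or anything posted in this thread: one User Profile with a VLAN object whose VLAN is picked by the AP's classifier tag, the VLAN retained across roams, and, for comparison, the MAC-hash pooling Rob asked about. The AP names, tags, VLAN ids, sample MAC and the `tunneling_policy` flag are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AccessPoint:
    name: str
    classifier_tag: str          # e.g. a location tag set on the AP

@dataclass
class VlanObject:
    """A User Profile's VLAN object: several VLANs, selected by the AP's tag."""
    default_vlan: int
    by_tag: dict
    def vlan_for(self, ap: AccessPoint) -> int:
        return self.by_tag.get(ap.classifier_tag, self.default_vlan)

@dataclass
class Client:
    mac: str
    vlan: Optional[int] = None   # chosen once, on first association

def associate(client: Client, ap: AccessPoint, profile: VlanObject) -> int:
    """First association picks the VLAN from the AP's tag; later ones keep it."""
    if client.vlan is None:
        client.vlan = profile.vlan_for(ap)
    return client.vlan

def roam(client: Client, new_ap: AccessPoint, profile: VlanObject,
         tunneling_policy: bool) -> tuple:
    """Returns (retained VLAN, client still has IP reachability). Modelled
    assumption: if new_ap's tag maps to another VLAN, traffic reaches the
    original VLAN only through the L3-roaming tunnel (tunneling policy)."""
    vlan = associate(client, new_ap, profile)   # retained, never re-chosen
    if profile.vlan_for(new_ap) == vlan:
        return vlan, True
    return vlan, tunneling_policy

def mac_hash_vlan(mac: str, pool: list) -> int:
    """Pooling from the original question: a stable MAC hash picks a pool VLAN."""
    digest = hashlib.sha256(mac.lower().encode()).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]

# Constructed sample: two buildings, each AP tagged with its location.
PROFILE = VlanObject(default_vlan=10, by_tag={"bldg1": 110, "bldg2": 120})
AP_B1, AP_B2 = AccessPoint("ap-b1", "bldg1"), AccessPoint("ap-b2", "bldg2")

def demo(tunneling_policy: bool) -> tuple:
    c = Client("00:11:22:33:44:55")   # joins in building 1, moves to building 2
    return associate(c, AP_B1, PROFILE), roam(c, AP_B2, PROFILE, tunneling_policy)
```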

Neal Maxwell

  • 8 Posts
  • 0 Reply Likes
Hi there

I am currently testing this exact setup in a pilot. At this stage we have 2 buildings and coverage doesn't extend from one building to the other, so when roaming, there is a short dip in connectivity.
When I connect to the SSID in one building, I get placed in a VLAN and everything works fine. I then move to the other building, and when I reattach to the AP in the other building, I have no IP connectivity.

The difference in my setup is that the APs are in two separate management VLANs and IP networks. The SSID has different VLANs for each building as well, and different IP networks for each VLAN.
In a normal situation where wifi coverage extends between both buildings, I would assume that with L3 roaming enabled it would work when roaming, by tunneling back through the original AP/VLAN I was assigned to.

Should this work if wifi coverage extends between both buildings, or is there some other reason why this isn't working?

Neal Maxwell

  • 8 Posts
  • 0 Reply Likes
Thanks so much for your assistance.

Andrew MacTaggart, Champ

  • 483 Posts
  • 86 Reply Likes
Ok, things are becoming clearer.

From the sounds of it, it sounds as if the credentials for the client are being cached on the building 2 AP, thus the client connects to the building 2 AP using the cached credentials from the association in building 1.

To test this:
connect to the building 1 AP
then walk
while walking have someone SSH into building 2 AP 2 and clear any cached user auth info

You can use the show auth command to see if AP 2 has a cached user

and

#clear auth
  local-cache    Clear all entries from the local cache, which contains
                 authentication information for stations currently
                 connected to the local HiveAP
  roaming-cache  Clear all entries from the roaming cache, which contains
                 authentication information for stations currently
                 connected to neighboring hive members
  station        Clear authentication information for a specific station
  username       Clear dynamic authentication information by user name

The other thing might be the VLAN assignment mechanism.

What sort of authentication are you using?
And how do you assign VLAN information?

You may also want to try having 2 Network Policies,
1 for building 1 and 1 for building 2, and see if you get the same results.

Neal Maxwell

  • 8 Posts
  • 0 Reply Likes
VLANs are being assigned using device tags. We are actually testing a few auth methods. We will be using 802.1X auth EAP-TLS, which we have tested. We will also be using Private PSK, which we have also tested. From an IP/VLAN perspective all authentication scenarios behave the same.

Andrew MacTaggart, Champ

  • 483 Posts
  • 86 Reply Likes
Hi Neal
Maybe try assigning VLANs via the topology maps and see if you can get it to work.

Neal Maxwell

  • 8 Posts
  • 0 Reply Likes
Hi Andrew
Thanks for your reply. The device tagging feature really works well. I have a VLAN object for each SSID, with the relevant VLANs with device tags, and the APs place you in the correct VLAN on initially connecting, but the problem comes in when moving to the other building.
I believe my answer is within this thread and that I may need to manually add L3 neighbour APs because the APs can't currently communicate with each other over the air.
I'll try it out on Monday and see how it goes.

Thanks again.

J. Goodnough, Champ

  • 266 Posts
  • 32 Reply Likes
I'm in a very similar situation, getting ready to change my configuration to different VLANs and IP pools assigned by device tags. All of my APs are on the same L2 management network, though, and that won't change; only the client VLANs will change per location. Do I need to specifically configure tunneling/L3 roaming to make sure that clients moving from one location to another will not need to cycle their radios?

J. Goodnough, Champ

  • 266 Posts
  • 32 Reply Likes
Thanks for the quick reply. I've created a quick tunneling policy and applied it to each user profile. That's all that needs to be done to enable L3 routing? I don't particularly care about including or excluding specific devices.

Andrew MacTaggart, Champ

  • 483 Posts
  • 86 Reply Likes
I believe that is all that is needed.

Cheers
A

Haydn St

  • 17 Posts
  • 1 Reply Like
My issue is similar to Neal's. I don't care about the roam; I just want them to be able to move blocks and associate with the SSID and gain an IP in the right scope automatically.

I have read much about the auth caching. Is there a way we can set this to be cleared on a regular basis automatically?

J. Goodnough, Champ

  • 266 Posts
  • 32 Reply Likes
Why would you need to or want to clear the auth cache? Are the network credentials in the locations different? If so, you'll have much better luck with different SSID names. If not, check your DHCP server and make sure that your networks are properly separated so that the DHCP server properly NACKs requests for out-of-scope addresses.
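J. Goodnough's DHCP point, as an added Python model that is not from this thread or any vendor: a server answering an INIT-REBOOT DHCPREQUEST checks the requested address against the scope selected by the relay address (giaddr), NAKs an out-of-scope address so the client re-DISCOVERs on its new VLAN, while a server with no scope for that subnet stays silent and the client keeps its stale lease, which is the symptom described in this thread. Scope ranges, relay addresses, the fixed lease offset and the "keep the stale lease on silence" client behaviour are constructed assumptions.

```python
import ipaddress
from typing import Dict, Optional, Tuple

class DhcpServer:
    """Server side of DHCPREQUEST in INIT-REBOOT state (RFC 2131 section 4.3.2):
    the relay agent address (giaddr) tells the server which subnet the client
    is on, so the requested address can be checked against that scope."""
    def __init__(self, scopes: Dict[int, str]):
        # VLAN id -> scope: one DHCP scope per client VLAN, as in this thread
        self.scopes = {v: ipaddress.ip_network(n) for v, n in scopes.items()}

    def scope_for(self, giaddr: str) -> Optional[ipaddress.IPv4Network]:
        relay = ipaddress.ip_address(giaddr)
        return next((n for n in self.scopes.values() if relay in n), None)

    def request(self, requested_ip: str, giaddr: str) -> str:
        net = self.scope_for(giaddr)
        if net is None:
            return "SILENT"      # no scope for that subnet: the server says nothing
        if ipaddress.ip_address(requested_ip) in net:
            return "DHCPACK"
        return "DHCPNAK"         # out-of-scope address: client must start over

    def discover(self, giaddr: str) -> Optional[str]:
        """Constructed lease allocation: hand out a fixed host in the scope."""
        net = self.scope_for(giaddr)
        return None if net is None else str(net[10])

def client_after_move(server: DhcpServer, old_ip: str, new_relay: str) -> Tuple[str, str]:
    """Client that stayed associated (same SSID and PPSK) but now sits on a VLAN
    that does not carry its old one. It requests its old lease; on DHCPNAK it
    re-DISCOVERs and is renumbered. Assumption modelled: with no ACK or NAK at
    all it keeps using the stale lease, matching the symptom in this thread."""
    reply = server.request(old_ip, new_relay)
    if reply == "DHCPNAK":
        return "renumbered", server.discover(new_relay)
    return "stale", old_ip

# Constructed sample: building 1 clients in VLAN 110, building 2 in VLAN 120.
GOOD = DhcpServer({110: "10.110.0.0/23", 120: "10.120.0.0/23"})
BAD = DhcpServer({110: "10.110.0.0/23"})   # no scope defined for VLAN 120
```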

Haydn St

  • 17 Posts
  • 1 Reply Like
I was wondering this, as people have mentioned that it's what should be done to check the roaming, and when done so it works. So I was wondering if it should be done regularly.

SSID and credentials remain the same at both locations; only the VLAN changes, but with PPSK we find that it won't automatically change IP when in the new block.

I have used Wireshark to sniff the packets for what is happening, and if we start fresh and connect to the SSID in any block, it's fine. When the client moves to another block it remains connected no worries, but there is no update of IP address on the new VLAN.

Will check the DHCP as you mentioned.