M and MSM Series
765zl: DHCP requests and IPv6 RAs NOT brigded with user-assigned VLANs and access-controlled VSC

HEKnet
Advisor

Hello,

I try to use an access-controlled VSC with user-assigned VLANs via RADIUS. If I statically configure the network settings on my wireless clients, the traffic flows as expected, but if I try to use DHCPv4 and/or IPv6 SLAAC, the requests from the clients are not bridged to the wired network. So at the moment I assume that these "special" network packets are intercepted somewhere at the controller and discarded.

Here is my detailed setup:

1) One 5412zl switch with L3 routing enabled. There is

a) one VLAN for each user (IDs 1xyz),

b) one VLAN to manage all network components ("netcomponents", ID 3),

c) one VLAN "MyWLAN" (ID 8) to carry wireless user traffic between the APs and the controller,

and some more. The switch has one IP address for each VLAN and does all the routing.

2) One 765zl controller in slot A. The Internet port is disabled (port A1); the LAN port is enabled (port A2) and is an untagged member of VLAN 3 ("netcomponents"). Moreover, A2 is a tagged member of VLAN 8 ("MyWLAN").

3) Several access points (MSM 430) that are connected to the 5412zl. The ports are untagged members of VLAN 3 ("netcomponents") and tagged members of VLAN 8 ("MyWLAN").

4) A DHCP server connected to the 5412zl. The 5412zl works as a DHCP relay agent and forwards all requests to the DHCP server. The DHCP server delivers addresses for each user VLAN (ID 1xyz) and for all other VLANs, too, for example for the VLAN "netcomponents" (ID 3).

This is what I would like to do:

The APs and the controller use VLAN 3 ("netcomponents") as their "native" VLAN in untagged mode, to obtain IP addresses from the external DHCP server for themselves, to do device discovery and to carry all other management traffic. (This part works perfectly.)

The APs use VLAN 8 ("MyWLAN") as the egress VLAN for all wireless user traffic.

The controller receives the wireless user traffic via VLAN 8 (ingress VLAN), looks up the corresponding user session and egresses the traffic via the user-assigned VLAN to the switch.

The switch does all the rest (i.e. routing, DHCP relay, etc.).

This part works except for DHCP requests and IPv6 RAs. DHCP requests that originate from the wireless client are not bridged to the LAN port of the controller and hence never reach the switch. On the contrary, the IPv6 RAs that originate from the switch are received by the controller with the correct VLAN ID (1xyz), but the controller does not bridge these to the wireless station.

This is the setup of my controller and the APs:

Controller -> Network -> Network profiles: One network profile with the correct VLAN ID for each user and the additional VLANs.

Controller -> Network -> VLANs: The user VLANs (IDs 1xyz) and the VLAN "MyWLAN" (ID 8) are tagged VLANs of the LAN port. The VLAN "netcomponents" (ID 3) is not assigned, because this VLAN is untagged at the switch side.

Controller -> VSC -> "MyVSC": Access control is enabled. VSC ingress mapping is set to VLAN and ID 8.

Controller -> Controlled APs -> "MyGroup" -> VSC binding: Bind to "MyVSC" and the egress network is set to ID 8.

What am I doing wrong?

Some additional hints:

a) I did a tcpdump trace at several points on the switch for different VLANs. The traffic flow is as expected, except that the DHCP requests get lost at the controller. But I can see the DHCP requests if I monitor VLAN 8 between the APs and the controller.

b) If I assign a static network configuration to the wireless client, everything works. This means the communication channel

[Client station] <--"wireless traffic by air"--> [AP] <--"user traffic via VLAN ID 8"--> [controller] <--"user traffic via assigned VLAN ID 1xyz"--> [switch]

works in general.

c) If I disable access control and use the controller for authentication only, the user traffic is egressed into the user-assigned VLAN at the APs directly. In that case DHCP and IPv6 RAs are bridged as expected.
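As an added example (not part of the original post), a small Python classifier for 802.1Q-tagged frames that separates DHCP and IPv6 Router Advertisement traffic per VLAN, so captures taken on the AP side (VLAN 8) and on the switch side (user VLAN) of the controller can be compared to confirm where each kind of traffic is lost. The frames are constructed inline, and VLAN 1234 is an assumed stand-in for a user VLAN 1xyz.

```python
import struct
from collections import Counter

def classify_frame(frame):
    """Return (vlan_id or None, kind), kind in {'dhcp', 'ipv6-ra', 'other'}."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    off, vlan = 14, None
    if ethertype == 0x8100:                          # 802.1Q tag present
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, off = tci & 0x0FFF, 18
    if ethertype == 0x0800:                          # IPv4
        ihl = (frame[off] & 0x0F) * 4
        if frame[off + 9] == 17:                     # UDP
            sport, dport = struct.unpack_from("!HH", frame, off + ihl)
            if {sport, dport} & {67, 68}:            # BOOTP/DHCP ports
                return vlan, "dhcp"
    elif ethertype == 0x86DD:                        # IPv6
        if frame[off + 6] == 58 and frame[off + 40] == 134:   # ICMPv6 Router Advertisement
            return vlan, "ipv6-ra"
    return vlan, "other"

def tally(frames):
    """Count frames per (vlan, kind) at one capture point."""
    return Counter(classify_frame(f) for f in frames)

def lost_between(ingress, egress, kind):
    """True if traffic of this kind is seen entering the device but never leaving it."""
    kinds_in = {k for _, k in tally(ingress)}
    kinds_out = {k for _, k in tally(egress)}
    return kind in kinds_in and kind not in kinds_out

# --- constructed sample frames (no real capture; MACs and addresses are dummies) ---
def _frame(vlan, ethertype, payload):
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return b"\xff" * 6 + bytes.fromhex("02000000aa01") + tag + struct.pack("!H", ethertype) + payload

def _dhcp_discover():   # minimal IPv4/UDP 68->67 header, checksums zeroed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    return ip + struct.pack("!HHHH", 68, 67, 8, 0)

def _ipv6_ra():         # minimal IPv6 header + ICMPv6 type 134 (RA), fields zeroed
    icmp = struct.pack("!BBH", 134, 0, 0) + bytes(12)
    return struct.pack("!IHBB16s16s", 0x60000000, len(icmp), 58, 255, bytes(16), bytes(16)) + icmp

# The situation the post describes: DHCP is visible on VLAN 8 (AP side) but not on the user
# VLAN, while the switch's RAs arrive on the user VLAN (1234 stands in for 1xyz) but not on VLAN 8.
AP_SIDE_VLAN8 = [_frame(8, 0x0800, _dhcp_discover()), _frame(8, 0x0800, _dhcp_discover()),
                 _frame(8, 0x86DD, bytes(48))]
SWITCH_SIDE_VLAN1234 = [_frame(1234, 0x86DD, _ipv6_ra()), _frame(1234, 0x0800, bytes(28))]
```

To use it on real captures, read frames from a pcap (e.g. with the `dpkt` or `scapy` reader of your choice) and feed the raw frame bytes to `tally` for each monitoring point.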