cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3064
Views
19
Helpful
15
Replies

Roaming between two waps and channel isolation...

Scott Frank
Level 1
Level 1

I have a guest ssid that I set up on two different waps for better coverage.  One is a wap321 and the other is a wap371.  I want roaming and channel isolation between guests on one wap and the other.

Example:

 

wap371

ssid - guest - with channel isolation turned on

vap2 - vlan2

 

wap321

ssid  - guest - with channel isolation turned on

vap2 - vlan2

 

Will a guest on one wap see a guest on other wap if both have channel isolation turned on..?

 

Sincerely,

 

Scott

 

15 Replies 15

Tom Watts
VIP Alumni
VIP Alumni

Hi Scott, with the isolation enabled, regardless of the WAP, if it's on the same network it won't see each other.

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Scott Frank
Level 1
Level 1

Update:

Found a nifty little app for my phone called Fing.  Fing says that I can indeed see and communicate  with clients on the other wap with channel isolation active on both waps.  Worse yet, after I shut off the the wap I was on and waited to connect to the other wap, I could still see and communicate with the clients that I previosly could see on the other wap.  My open connections followed me.  That is quite a glitch.  All you have to do is roam around a little and you can get to whatever you want.

Seems that with these waps you have to have a separate vlan and ssid on every ap.  ie guest1 guest2 guest3 and so on.  This doesn't count as roaming.  Not too convenient for customers.  I have a RV180 so there are only 4 vlans to play with.  Besides these issues Cisco really need a small business router with lots more vlans.

Also Fing could always see other clients even when it couldn't communicate with them.  IP address and mac address were always visible.

My name Eric Moyers. I am an Engineer in the Small Business Support Center.

Let me state up front, our Access Points do not do seamless roaming. But with normal roaming when the signal from a wireless connection is dropped the wireless client will look for the next strongest signal.

How do you have your WAPs setup? I see the same SSID, same password and encryption? How close together are they? Could the wireless client on the one that you turned off have jumped to the other SSID? with a normal roaming scenario that is the way it should work, regardless is isolation is turned off or on.
Fing is a network analysis tool, used to specifically discover all clients on a network. Just because Fing can see them does not mean that they can communicate with each other.

"When enabled, the WAP device blocks communication between wireless clients on the same VAP. The WAP device still allows data traffic between its wireless clients and wired devices on the network, across a WDS link, and with other wireless clients associated with a different VAP, but not among wireless clients."

Did you test to see if you could pass traffic between the different wireless clients other than just see them? If so what were those results? 

To your original question: Will a guest on one wap see a guest on other wap if both have channel isolation turned on..?

Answer: Honesty, I don't know if that has ever been tested. Channel isolation, to my knowledge, on our WAPs is for that VAP and channel tied to that particular MAC address. The question here is does Channel Isolation reach beyond the current chipset on a WAP. 

I am going to try to get this in the lab and test. But if you need an answer quickly, I would suggest calling in, opening a case and working with one of our engineers. 

Eric Moyers
.:|:.:|:. CISCO | Cisco Presales Technical Support | Wireless Subject Matter Expert

Please rate helpful Posts and Let others know when your Question has been answered.

So many questions, here goes.

If I have only one wap going I can see all connected devices; IP address, and manufacturer information but I can not pass information.  If I have both going and I am on one and everything else is on the other then I can see them and pass information.  Then if I turn off the one that I'm on and "roam" to the other where all the other wireless devices were then I can still pass information between my phone and all the other wireless devices on the same vap.

 

I think you have my set up down pretty well.  I have both waps on different channels, not overlapping at all.  As far as distance, I don't know how that would play into it but, I would  say 25' or so.  Believe me I would love it if these waps had a little more umph to them.

 

I'm guessing, but it seems like when the channel isolation was thought up on these the engineers felt it a good thing for the wireless devices to be able to get to a wired printer or something.  It would be nice if they added a third option, no lan connections at all.  ie 1. channel isolation off 2. channel isolation just for wireless, like you have now and 3. no lan connections possible under any circumstance, just internet. 

 

Thanks for you help clearing this up.

 

Scott

I tested this in my Lab as well and my testing showed exactly as yours.

1) When connected to just one WAP can see in a network analysis tool,  but cannot pass traffic.

2) When on clients on different WAPs can see in a network analysis tool and pass traffic.

3) Honestly I did not think to reassociate back to the first WAP and try again. I need to do that.

For your distance, where are your WAPs being used? Environment plays a big part in signal coverage.In Residential areas, walls and construction material play a big part in reduced coverage. For Business/Industry areas add 3rd party equipment to the list.

The last comment that you mentioned, guest not being able to get to anything wired on the network, is available. However you have to have a router and will allow you to disable inter-vlan routing in order to be able to do that. In some cases, depending on the router a work around if the router can not disable inter-vlan routing would be if the router had port to vlan capability and then add a guest only access point to that port and create ACL's to restrict access to everything but the WAN port.

Eric Moyers
.:|:.:|:. CISCO | Cisco Presales Technical Support | Wireless Subject Matter Expert

Please rate helpful Posts and Let others know when your Question has been answered.

I have your RV180 and I do have inter vlan disabled.  Guess that's not working so good either.  Could the switch be leaking somehow?  I have your sg200-26p.  Is there an inter vlan routing setting in there that  I missed?

Ok great, and thank you for using Cisco exclusively!

With the RV180 when disabling inter-vlan routing, if you have two vlans both boxes should be unchecked.

If that alone does not resolve the vlan issue let me know, I may need you to call in and work with a engineer directly and let them go over your complete setup to include the Switch.

Eric Moyers
.:|:.:|:. CISCO | Cisco Presales Technical Support | Wireless Subject Matter Expert

Please rate helpful Posts and Let others know when your Question has been answered.

Ok, now I know what is going on.  I am getting inter-vap communicating.  I don't know why someone would go through all the trouble of setting up virtual aps and not want the traffic separated.  I guess I figured they would naturally be isolated. 

 

I guess my suggestion would be to make the normal state of inter-vap communication isolated or put in another check box for inter-vap isolation like you did on inter-lan on the router...

 

My real problem is that I ran out of vlans to do what I really want to do.  I had vaps sharing vlans thinking vaps couldn't talk to one another. 

I am glad you were able to sort that out. How many vlans do you need? Which one can talk to each other and which ones are not supposed to?

You can email me, if you would prefer. Just click my name beside my picture and you should find it.

Eric Moyers
.:|:.:|:. CISCO | Cisco Presales Technical Support | Wireless Subject Matter Expert

Please rate helpful Posts and Let others know when your Question has been answered.

 

All vaps that are on the same vlan can see clients on all the other vaps.

 

I liked using the schedule associations to give different groups different times and to do that I needed different ssids.  I figured that if a vlan and all vaps on it couldn't cross communicate that all was well.  Now I see that every vap that I don't want cross communication on I need a separate vlan as well.

 

I would only need a few more vlans to do what I want.  The RV180 only has 4 to work with.  I actually originally bought a RV042G until I found out it can do vlans but they were rear port specific.  ie on vlan per physical port. 

 

What options do you have where there isn't a huge jump in price and still have a web interface?  I really like the small business line because of the web interface.

Currently the only option that Small Business has is the RV320. This router supports 7 vlans. The down side would be that it is not a wireless router. Price point your talking maybe $50 - $55 more than the RV180W. Would need to check vendors to be sure.

Here is a link to the emulator for this one.

https://www.cisco.com/assets/sol/sb/RV320_Emulators/RV320_Emulator_v1.1.0.09/default.htm

Keep in mind that this GUI shows an older firmware, so actual router may appear a little different.

Eric Moyers

One last question, the RV320, would I loose any features or performance with this model over the RV180 that I have.  By the way, I don't have the wireless version.  I wanted to use waps away from where the router is located...

 

The reason I ask is because the 320 isn't listed in the model comparison.  Must be newer than the one I have..?

For some reason the RV320 and RV325 are listed separately.

You would not lose anything feature wise and actually gain on performance. Attached is a quick compare I put together for you. Also here is where you can look at the RV320 Data Sheet.

http://www.cisco.com/c/en/us/products/collateral/routers/rv320-dual-gigabit-wan-vpn-router/data_sheet_c78-726132.html

Eric Moyers

If the reviews were better I would jump all over the 320.  And since I have a bad taste in my mouth from the wap371 it is a tough call.  The rv180, sg-200 and the wap321 were all fine products and I like how the web interfaces all feel about the same. 

Is the 320 replacing the 180?  Seems like everyone is out of the 180.  Although with the dual wan it seems more like the 042. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: