09-06-2017 02:22 PM - edited 03-21-2019 11:15 AM
Hello,
I'm implementing basic IPv4 security with a SG350X switch using DHCP snooping database, the IP source guard and ARP inspection. Everything works as expected for wired devices - only if an IPv4 address is assigned by the server via DHCP, IP access is possible. Otherwise, access is blocked and logged by the switch.
Now I'm having trouble getting WLAN to work with this security feature. I've 2 access points (currently different vendors) using WAP EAP authentication connected to gi1/0/11 and gi1/0/16. The WLAN SSID and the broadcast domain are the same for both APs to make roaming possible. After authentication the WLAN clients are directed into VLAN 22 and get an IPv4 address from a Linux based DHCP server (dnsmasq). The SG350X tracks the assigned IP address and interface in the DHCP snooping trust database. If the WLAN client roams to the other AP (e.g. effectively from gi1/0/16 to gi1/0/11 or vice versa) no new DHCP request is done by the client. Now the IP traffic is blocked because it is coming via the "wrong interface" and doesn't match the DHCP snooping trust database.
Currently I've disabled IP source guard for WLAN, but actually this feature is especially useful for a WLAN scenario. Does anyone know what can be done here?
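To make the failure mode described above concrete, here is a small model of a DHCP snooping binding table with an IP source guard check in front of it. This is an added example, not the switch firmware and not code from anyone in this thread; the interface names, VLAN, MAC addresses and IP addresses are constructed to mirror the scenario (APs on gi1/0/11 and gi1/0/16, clients in VLAN 22, a wired client on gi1/0/1). It shows the wired case working as intended, the roaming client being dropped once its binding points at the old AP port, and the workaround of exempting the AP ports from source guard.

```python
"""Toy model of DHCP snooping bindings plus the IP source guard check.

Added example (not the SG350X implementation). All names and addresses
below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass
class Switch:
    # bindings learned by DHCP snooping, keyed by (vlan, mac)
    bindings: dict = field(default_factory=dict)
    # ports on which IP source guard is enabled
    source_guard_ports: set = field(default_factory=set)
    # what the switch would log for dropped packets
    log: list = field(default_factory=list)

    def dhcp_ack_seen(self, mac: str, ip: str, vlan: int, interface: str) -> None:
        """DHCP snooping learns a binding when it sees the server's ACK."""
        self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, interface)

    def forward(self, mac: str, ip: str, vlan: int, interface: str) -> bool:
        """IP source guard: permit only if the packet's source (mac, ip)
        matches a binding learned on the same VLAN *and* the same ingress port.
        Ports without source guard are not checked at all."""
        if interface not in self.source_guard_ports:
            return True
        b = self.bindings.get((vlan, mac))
        if b is None or b.ip != ip or b.interface != interface:
            self.log.append(f"drop vlan={vlan} mac={mac} ip={ip} in={interface}")
            return False
        return True


AP_PORTS = {"gi1/0/11", "gi1/0/16"}
WIRED_PORT = "gi1/0/1"
WLAN_CLIENT = "00:00:5e:00:53:01"   # constructed MAC
WIRED_CLIENT = "00:00:5e:00:53:02"  # constructed MAC


def wired_scenario() -> tuple:
    """A DHCP client passes; a host with a static address on a guarded port is dropped."""
    sw = Switch(source_guard_ports={WIRED_PORT})
    sw.dhcp_ack_seen(WIRED_CLIENT, "10.22.0.10", 22, WIRED_PORT)
    dhcp_ok = sw.forward(WIRED_CLIENT, "10.22.0.10", 22, WIRED_PORT)
    static_ok = sw.forward(WIRED_CLIENT, "10.22.0.99", 22, WIRED_PORT)
    return dhcp_ok, static_ok, len(sw.log)


def roaming_scenario(guard_on_ap_ports: bool) -> tuple:
    """Client gets its lease via the AP on gi1/0/16, then roams to the AP on
    gi1/0/11 without renewing. Returns (before_roam, after_roam)."""
    guarded = {WIRED_PORT} | (AP_PORTS if guard_on_ap_ports else set())
    sw = Switch(source_guard_ports=guarded)
    sw.dhcp_ack_seen(WLAN_CLIENT, "10.22.0.50", 22, "gi1/0/16")
    before = sw.forward(WLAN_CLIENT, "10.22.0.50", 22, "gi1/0/16")
    after = sw.forward(WLAN_CLIENT, "10.22.0.50", 22, "gi1/0/11")
    return before, after


if __name__ == "__main__":
    print("wired (dhcp, static, drops):", wired_scenario())
    print("roaming, guard on AP ports:", roaming_scenario(True))
    print("roaming, guard off AP ports:", roaming_scenario(False))
```

The key line is the `b.interface != interface` comparison: a binding is tied to the port where the DHCP exchange was seen, so a client that moves ports without a new DHCP transaction fails the check even though its MAC/IP pair is still legitimate. Turning source guard off on the AP ports (the `roaming_scenario(False)` case) restores traffic, at the cost of losing per-client enforcement behind those APs.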
09-07-2017 12:44 AM
Hi there,
On Cisco switches running IOS you have the command
!
authentication mac-move permit
!
...which would permit authenticated devices to move between switchports. Or you could configure the port-security aging timer, but these would hinder fast roaming.
However, there is no equivalent of these commands on these small business switches.
Perhaps connect your APs to a separate switch (a cheap Netgear) and connect that to your SG300. Run DHCP snooping on this port. The SG300 would be oblivious to clients roaming on the switch below.
cheers,
Seb.
09-16-2017 12:53 PM
Hi,
Thanks for your answer.
Actually I was hoping for a software solution on the side of the switch. In my opinion it's a standard scenario. Putting another switch in between actually solves the problem with the IP source guard but creates new ones: no software controlled PoE+ directly from the switch, no LLDP control, a new component... etc.
Therefore I'll turn off the source guard for the access points for now.
Regards