I've just set up DHCP Snooping and IP Source Guard on our SG500 series switches. It seems to work quite well, except when a wireless host roams from one AP to another (on a different switch port), all traffic from that host gets blocked. I can understand why this is occurring, but I don't know what I can do to work around this problem. Has anyone else had success with roaming WiFi machines in conjunction with IP Source Guard?
It depends on your WiFi setup. If you're using a WLC you can use LWAPP or CAPWAP to tunnel all traffic to the controller first. When the traffic arrives at the controller it gets decapsulated and sent onto the network as normal ethernet frames. This means that from the switch's point of view the location of the client never changes.
However, this does require WLCs.
The setup contains 2 stacked SG500-52P switches and a bunch of WAP4410N APs which are configured as simple APs using the same SSID throughout the building. There are 2 DHCP servers (primary & backup) running on RHEL, and the ports of these servers are configured as trusted in the DHCP Snooping configuration. All this seems to work perfectly for wired connections, and also for Wireless connections until they decide to roam to a different access point.
Thanks Michael. I have come to the same conclusion. It's unfortunate that it is the wireless machines which tend to cause the most problems and are where I most need this functionality! It might be time to buy some new wireless infrastructure.
A bit of a nasty solution, but I've moved all the WiFi access points to a small 10 port gigabit switch which feeds into the main switch. This means that the main switch sees all WiFi devices on a single port, removing the issue of them roaming.
The obvious limitation is that this gives no protection for WiFi devices messing with each other, however it does protect the cabled devices which is my primary aim.
Not a great solution, but it is the best I think I can do without replacing the access points.
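The roaming failure described in the question, and why the single-uplink workaround above avoids it, can be modelled with a small simulation of the DHCP Snooping binding table that IP Source Guard consults. This is an added example, not code from the thread or from Cisco; the port names, MAC and IP addresses are constructed, and the model is simplified (a real switch may match on fewer or more fields).

```python
from dataclasses import dataclass

# Constructed sample data; not taken from the original thread.

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str  # switch port the DHCP client was seen on when the lease was granted

class SourceGuardSwitch:
    """Simplified model of DHCP Snooping + IP Source Guard on one switch."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # ports facing the DHCP servers
        self.bindings = {}                  # (mac, vlan) -> Binding

    def learn_dhcp_ack(self, mac, ip, vlan, client_port, server_port):
        # Snooping only learns bindings from DHCP ACKs arriving on trusted ports;
        # an ACK from an untrusted port is dropped and creates no binding.
        if server_port not in self.trusted:
            return False
        self.bindings[(mac, vlan)] = Binding(mac, ip, vlan, client_port)
        return True

    def permits(self, mac, ip, vlan, ingress_port):
        # Source Guard forwards IP traffic only when MAC, IP, VLAN and the
        # ingress port all match the snooped binding; anything else is dropped.
        b = self.bindings.get((mac, vlan))
        return b is not None and b.ip == ip and b.port == ingress_port

def roaming_scenario(ap_to_port):
    """Return (permitted_before_roam, permitted_after_roam) for one client."""
    sw = SourceGuardSwitch(trusted_ports={"gi1/1/48"})  # hypothetical server port
    mac, ip, vlan = "aa:bb:cc:00:00:01", "192.0.2.10", 10
    # Lease obtained while associated to AP1.
    sw.learn_dhcp_ack(mac, ip, vlan, ap_to_port["AP1"], "gi1/1/48")
    before = sw.permits(mac, ip, vlan, ap_to_port["AP1"])
    # Client roams to AP2 without renewing its lease.
    after = sw.permits(mac, ip, vlan, ap_to_port["AP2"])
    return before, after

# Each AP on its own main-switch port: the binding's port no longer matches after roaming.
DIRECT = {"AP1": "gi1/1/5", "AP2": "gi1/1/6"}
# Workaround from the thread: all APs behind one small switch on a single uplink port.
AGGREGATED = {"AP1": "gi1/1/5", "AP2": "gi1/1/5"}
```

Running roaming_scenario(DIRECT) gives (True, False), while roaming_scenario(AGGREGATED) gives (True, True); the aggregated case also shows why the uplink port can no longer distinguish one wireless client from another.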