IP Source Guard & WiFi roaming

Hi,

I've just set up DHCP Snooping and IP Source Guard on our SG500 series switches. It seems to work quite well, except when a wireless host roams from one AP to another (on a different switch port), all traffic from that host gets blocked. I can understand why this is occurring, but I don't know what I can do to work around this problem. Has anyone else had success with roaming WiFi machines in conjunction with IP Source Guard?

Phil

Beginner

It depends on your WiFi setup. If you're using a WLC you can use LWAPP or CAPWAP to tunnel all traffic to the controller first. When the traffic arrives at the controller it gets decapsulated and sent onto the network as normal Ethernet frames. This means that from the switch's point of view the location of the client never changes.

However, this does require WLCs.

Enthusiast

Can you let us know your network setup (switches & APs connectivity and where the DHCP server is)?

Regards,

srikanth

Beginner

The setup contains 2 stacked SG500-52P switches and a bunch of WAP4410N APs which are configured as simple APs using the same SSID throughout the building. There are 2 DHCP servers (primary & backup) running on RHEL, and the ports of these servers are configured as trusted in the DHCP Snooping configuration. All this seems to work perfectly for wired connections, and also for wireless connections until they decide to roam to a different access point.

Beginner

I think your only other option would be to disable IP Source Guard on the ports to which the access points are connected. You can leave it enabled for the rest of the network, just disable it for the wireless part.

Beginner

Thanks Michael. I have come to the same conclusion. It's unfortunate that it is the wireless machines which tend to cause the most problems and are where I most need this functionality! It might be time to buy some new wireless infrastructure.

Beginner

A bit of a nasty solution, but I've moved all the WiFi access points to a small 10 port gigabit switch which feeds into the main switch. This means that the main switch sees all WiFi devices on a single port, removing the issue of them roaming.

The obvious limitation is that this gives no protection for WiFi devices messing with each other, however it does protect the cabled devices which is my primary aim.

Not a great solution, but it is the best I think I can do without replacing the access points.
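
The behaviour discussed in this thread, as an added example that is not part of any poster's message: a simplified Python model comparing the original setup, the accepted answer, and the single-uplink workaround. It assumes IP Source Guard matches a frame's source MAC and IP against a DHCP snooping binding tied to the ingress port; the `Switch` class, port names and addresses are constructed for illustration.

```python
# Simplified model (assumption): a guarded port forwards a frame only if its
# source MAC/IP match a DHCP snooping binding learned on that same port.
class Switch:
    def __init__(self, guarded_ports):
        self.guarded = set(guarded_ports)  # ports with IP Source Guard enabled
        self.bindings = {}                 # mac -> (ip, port), from DHCP snooping

    def dhcp_ack(self, mac, ip, port):
        """DHCP snooping records the lease against the port the client used."""
        self.bindings[mac] = (ip, port)

    def permits(self, mac, ip, port):
        """True if a frame with this source MAC/IP is forwarded from `port`."""
        if port not in self.guarded:
            return True                    # guard disabled: nothing is checked
        return self.bindings.get(mac) == (ip, port)


# Constructed sample hosts (locally administered MACs, documentation IPs).
WIFI = ("02:00:00:00:00:0a", "192.0.2.10")
WIRED = ("02:00:00:00:00:14", "192.0.2.20")


def scenario(ap_ports, guarded_ports):
    """WiFi client leases on ap_ports[0], then roams to ap_ports[1] without
    a new DHCP exchange. Returns (ok_before_roam, ok_after_roam,
    wifi_side_can_use_wired_hosts_address)."""
    sw = Switch(guarded_ports)
    sw.dhcp_ack(*WIRED, "gi20")            # wired host on its own guarded port
    sw.dhcp_ack(*WIFI, ap_ports[0])
    before = sw.permits(*WIFI, ap_ports[0])
    after = sw.permits(*WIFI, ap_ports[1])
    spoof = sw.permits(*WIRED, ap_ports[1])
    return before, after, spoof


def run_all():
    ports = {"gi1", "gi2", "gi10", "gi20"}
    return {
        # One AP per guarded port: the problem reported in the first post.
        "aps_on_guarded_ports": scenario(("gi1", "gi2"), ports),
        # Accepted answer: guard disabled on the AP ports only.
        "guard_off_on_ap_ports": scenario(("gi1", "gi2"), ports - {"gi1", "gi2"}),
        # All APs behind one guarded uplink (small switch or controller tunnel).
        "single_uplink_port": scenario(("gi10", "gi10"), ports),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: {result}")
```

In this model the single-uplink layout keeps roaming working while the uplink port still rejects a wired host's address arriving from the wireless side, which is the trade-off the last post describes.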
