IP Source Guard & WiFi roaming

pzanderson
Level 1

Hi,

I've just set up DHCP Snooping and IP Source Guard on our SG500 series switches. It seems to work quite well, except when a wireless host roams from one AP to another (on a different switch port), all traffic from that host gets blocked. I can understand why this is occurring, but I don't know what I can do to work around this problem. Has anyone else had success with roaming WiFi machines in conjunction with IP Source Guard?

Phil


6 Replies

mvknl
Level 1

It depends on your WiFi setup. If you're using a WLC you can use LWAPP or CAPWAP to tunnel all traffic to the controller first. When the traffic arrives at the controller it gets decapsulated and sent onto the network as normal Ethernet frames. This means that from the switch's point of view the location of the client never changes.

However, this does require WLCs.

Can you let us know your network setup (switch and AP connectivity, and where the DHCP server is)?

Regards,

srikanth

The setup contains 2 stacked SG500-52P switches and a bunch of WAP4410N APs which are configured as simple APs using the same SSID throughout the building. There are 2 DHCP servers (primary & backup) running on RHEL, and the ports of these servers are configured as trusted in the DHCP Snooping configuration. All this seems to work perfectly for wired connections, and also for wireless connections until they decide to roam to a different access point.

mvknl
Level 1

I think your only other option would be to disable IP Source Guard on the ports to which the access points are connected. You can leave it enabled for the rest of the network, just disable it for the wireless part.

Thanks Michael. I have come to the same conclusion. It's unfortunate that it is the wireless machines which tend to cause the most problems and are where I most need this functionality! It might be time to buy some new wireless infrastructure.

A bit of a nasty solution, but I've moved all the WiFi access points to a small 10-port gigabit switch which feeds into the main switch. This means that the main switch sees all WiFi devices on a single port, removing the issue of them roaming.

The obvious limitation is that this gives no protection for WiFi devices messing with each other; however, it does protect the cabled devices, which is my primary aim.

Not a great solution, but it is the best I think I can do without replacing the access points.
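To make the behaviour discussed in this thread concrete, here is an added illustration (not code from the thread, the SG500 firmware, or Cisco): a toy model of the DHCP snooping binding table and the IP Source Guard check, run through the roaming problem, the accepted answer (IPSG off on AP ports), and Phil's single-uplink workaround. Port names, the client address and MAC are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: a lease the switch saw on a given port."""
    ip: str
    mac: str
    vlan: int
    port: str

@dataclass
class Switch:
    """Toy model of DHCP snooping plus IP Source Guard (IPSG) on one switch."""
    ipsg_ports: set                               # ports where IPSG filters frames
    bindings: set = field(default_factory=set)    # the snooping binding table

    def learn_dhcp_ack(self, ip, mac, vlan, port):
        # A DHCP ACK for a client binds its lease to the port it was on at the time.
        self.bindings.add(Binding(ip, mac, vlan, port))

    def forwards(self, ip, mac, vlan, port):
        """True if a frame from (ip, mac) arriving on `port` is forwarded."""
        if port not in self.ipsg_ports:
            return True                           # IPSG off here: no source check
        return Binding(ip, mac, vlan, port) in self.bindings

# Constructed sample client; values are not from the thread.
CLIENT = ("10.0.0.50", "aa:bb:cc:00:00:01", 10)

def roaming_blocked():
    """Original problem: APs on separate IPSG-enabled ports gi1/1 and gi1/2."""
    sw = Switch(ipsg_ports={"gi1/1", "gi1/2"})
    sw.learn_dhcp_ack(*CLIENT, "gi1/1")           # lease obtained via the AP on gi1/1
    return sw.forwards(*CLIENT, "gi1/1"), sw.forwards(*CLIENT, "gi1/2")   # (True, False)

def ipsg_off_on_ap_ports():
    """Accepted answer: IPSG off on the AP ports, still on for wired port gi1/10."""
    sw = Switch(ipsg_ports={"gi1/10"})
    sw.learn_dhcp_ack(*CLIENT, "gi1/1")
    roamed = sw.forwards(*CLIENT, "gi1/2")        # roaming to the AP on gi1/2 now works
    spoof = sw.forwards(CLIENT[0], "de:ad:be:ef:00:01", 10, "gi1/10")  # wired spoof dropped
    return roamed, spoof                          # (True, False)

def aps_behind_one_uplink():
    """Phil's workaround: all APs on a small switch whose uplink is gi1/1."""
    sw = Switch(ipsg_ports={"gi1/1", "gi1/10"})
    sw.learn_dhcp_ack(*CLIENT, "gi1/1")
    roamed = sw.forwards(*CLIENT, "gi1/1")        # every AP now arrives on the same port
    spoof = sw.forwards(CLIENT[0], "de:ad:be:ef:00:01", 10, "gi1/10")  # wired spoof dropped
    return roamed, spoof                          # (True, False)
```

In the last scenario a wireless host that reuses another wireless host's bound IP and MAC also arrives on gi1/1 and passes, which is the limitation Phil notes: wired ports stay protected, wireless hosts are not protected from each other.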
