09-30-2012 10:52 PM - edited 03-07-2019 09:12 AM
Hi,
I've just set up DHCP Snooping and IP Source Guard on our SG500 series switches. It seems to work quite well, except when a wireless host roams from one AP to another (on a different switch port), all traffic from that host gets blocked. I can understand why this is occurring, but I don't know what I can do to work around this problem. Has anyone else had success with roaming WiFi machines in conjunction with IP Source Guard?
Phil
Accepted Solutions
10-01-2012 01:24 AM
I think your only other option would be to disable IP Source Guard on the ports to which the access points are connected. You can leave it enabled for the rest of the network, just disable it for the wireless part.
09-30-2012 11:25 PM
It depends on your WiFi setup. If you're using a WLC you can use LWAPP or CAPWAP to tunnel all traffic to the controller first. When the traffic arrives at the controller it gets decapsulated and sent onto the network as normal Ethernet frames. This means that from the switch's point of view the location of the client never changes.
However, this does require WLCs.
10-01-2012 12:18 AM
Can you let us know your network setup (switch and AP connectivity, and where the DHCP server is)?
Regards,
srikanth
10-01-2012 01:10 AM
The setup contains 2 stacked SG500-52P switches and a bunch of WAP4410N APs which are configured as simple APs using the same SSID throughout the building. There are 2 DHCP servers (primary & backup) running on RHEL, and the ports of these servers are configured as trusted in the DHCP Snooping configuration. All this seems to work perfectly for wired connections, and also for Wireless connections until they decide to roam to a different access point.
10-01-2012 01:36 AM
Thanks Michael. I have come to the same conclusion. It's unfortunate that it is the wireless machines which tend to cause the most problems and are where I most need this functionality! It might be time to buy some new wireless infrastructure.
10-01-2012 04:18 PM
A bit of a nasty solution, but I've moved all the WiFi access points to a small 10 port gigabit switch which feeds into the main switch. This means that the main switch sees all WiFi devices on a single port, removing the issue of them roaming.
The obvious limitation is that this gives no protection for WiFi devices messing with each other, however it does protect the cabled devices which is my primary aim.
Not a great solution, but it is the best I think I can do without replacing the access points.
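The roaming failure and the two workarounds discussed in this thread, as a simplified model added here (not code from any poster or from Cisco): it assumes the DHCP snooping table holds one MAC/IP/VLAN/port binding per client and that IP Source Guard is an exact match against it on guarded ports. Port names, MAC addresses and IP addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    vlan: int
    port: str


class GuardedSwitch:
    """Simplified model (assumption): one binding per MAC, exact-match filter."""

    def __init__(self, guarded_ports):
        self.guarded = set(guarded_ports)   # ports with IP Source Guard enabled
        self.bindings = {}                  # MAC -> Binding learned by snooping

    def dhcp_ack(self, mac, ip, vlan, port):
        # Snooping records the port on which the client obtained its lease.
        self.bindings[mac] = Binding(ip, vlan, port)

    def permits(self, mac, ip, vlan, port):
        if port not in self.guarded:
            return True                     # no filtering on unguarded ports
        return self.bindings.get(mac) == Binding(ip, vlan, port)


# Constructed sample client: (MAC, IP, VLAN)
LAPTOP = ("00:00:5e:00:53:01", "192.0.2.50", 10)


def roam(guarded_ports, port_before, port_after):
    """Return (permitted before roam, permitted after roam, spoofed frame permitted)."""
    sw = GuardedSwitch(guarded_ports)
    sw.dhcp_ack(*LAPTOP, port_before)
    before = sw.permits(*LAPTOP, port_before)
    after = sw.permits(*LAPTOP, port_after)
    # A second MAC with no lease, using the laptop's IP, seen on the new port.
    spoof = sw.permits("00:00:5e:00:53:02", "192.0.2.50", 10, port_after)
    return before, after, spoof


if __name__ == "__main__":
    # One AP per guarded port: the stale binding blocks the client after it roams.
    print("APs on gi1/gi2, guarded:  ", roam({"gi1", "gi2"}, "gi1", "gi2"))
    # All APs behind one guarded uplink: the main switch never sees a port change.
    print("APs behind gi10, guarded: ", roam({"gi10"}, "gi10", "gi10"))
    # Source Guard disabled on the AP ports: roaming works, spoofed source passes too.
    print("APs on gi1/gi2, unguarded:", roam(set(), "gi1", "gi2"))
```

In the single-uplink case the filter only applies to frames that actually cross the uplink port, so traffic switched locally between WiFi clients is not checked.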
