03-14-2013 01:18 PM - edited 07-03-2021 11:44 PM
Hi,
I'm having a problem with MAC addresses being leaked between different SSIDs on different VLANs, so that our clients become unreachable because the systems get the wrong MAC address for the IP address requested.
We're trying to connect a number of industrial systems through wifi with autonomous access points configured as WGBs and have set up 8 SSIDs (system1, system2, system3 etc.) on different VLANs (701, 702, 703, ...). As with most industrial systems, they use the same IP range and IP addresses for the systems, so the security PLC has e.g. 10.10.10.102 on system1, system2 etc.
We have tried different ways of tricking the WLC into not mixing them up between the SSIDs and VLANs, without any positive result.
We tried tunneling all the traffic through the unified VLAN client feature but got the same result. However, we got it working momentarily by setting IP 10.10.10.129 on one device, then changing it to the correct one after the ARP tables on the clients had been filled with the correct entries, but this only worked until either IAPP or the ARP cache on either the WGB or the WLC (not sure which one) timed out, or some timer kicked in and removed the correct MAC address and added the MAC address from another SSID/VLAN for that IP address on that net.
Since the security PLCs need <100ms delay between each other (the wired one and the one behind the WGB), trying to do some workaround with IP addresses is impossible.
Equipment used:
1262 APs as WGB, tried with the following IOS versions: 12.4(25d)-JA1/2, 15.2-2JA and JB; we also tried with a 3602.
5508 WLC: tried with the following IOS versions: latest 7.0, latest 7.2 and latest 7.4
1262 LAPs are used for distributing the SSIDs
We have Passive Client enabled on all the SSIDs, with unicast multicast mode set on the controllers.
Unified VLAN WGB feature enabled on the controllers.
Anyone got any solution to our problem?
03-16-2013 02:06 AM
Magnus:
I think we need more elaboration from your side.
What I understood is that you have 8 VLANs (8 SSIDs), and those VLANs are configured on a switch which has a WGB connected to it that bridges the wireless traffic. The VLANs are configured correctly on the switch, WGB and WLC.
You have some clients on VLAN 701, for example, getting connected to different VLANs (say 703)? Is that what happens? Please elaborate a bit more.
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you"
03-18-2013 12:33 AM
Almost. I should have written a more exact description, sorry about that.
We have one WGB connected to ssid1 on vlan 701 and another WGB connected to ssid2 on vlan 702, another connected to ssid5 on vlan 705.
And as I said, the clients behind the WGBs and on the wired net all have the same IP addresses on their respective VLAN.
03-18-2013 12:47 AM
And as I said, the clients behind the WGBs and on the wired net all have the same IP addresses on their respective VLAN.
I am still not able to understand what that mean.
It looks to me like you are saying client X has the exact same IP as client Y, but client X and client Y are in two different VLANs (but I don't think this is the situation). Please elaborate more.
Rating useful replies is more useful than saying "Thank you"
03-18-2013 01:14 AM
Clients behind WGBs:
Client A1 on ssid1 with ip 10.10.10.19
Client B1 on ssid2 with ip 10.10.10.19
Client C1 on ssid4 with ip 10.10.10.19
Clients on wired net:
Client A2 on VLAN 701 with ip 10.10.10.39
Client B2 on VLAN 702 with ip 10.10.10.39
Client C2 on VLAN 704 with ip 10.10.10.39
All clients with netmask 255.255.255.0
It works for about 15 seconds before it stops working (the communication between clients); after that it stops
working and the ARP tables on the clients have the MAC address of another client on a different SSID/VLAN.
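The symptom described in this post (an IP-to-MAC binding that is correct for about 15 seconds and then flips to a MAC that belongs to a station in another VLAN) can be caught in the act with a simple comparison of periodic ARP snapshots. The script below is an added example, not code from this thread or from Cisco: it takes ARP snapshots transcribed into a constructed plain-text format ("<vlan> <ip> <mac>" per line, as one might copy from `show ip arp` on the switch or `arp -a` on each client), reports every binding that changes between snapshots, and separately flags any MAC that shows up under more than one VLAN in the same snapshot. The second check is the one that distinguishes a leaked binding from a station that genuinely moved: a single WGB client MAC should never be present in two VLANs at once. The sample data mirrors the A/B/C clients above; MAC values and timings are invented.

```python
"""Detect IP->MAC binding flaps and cross-VLAN MAC leakage from ARP snapshots.

Added example for this thread, not from the original posts. The snapshot
format and all MAC addresses below are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: two snapshots taken ~15 s apart. In the second one,
# VLAN 702's entry for 10.10.10.19 has picked up the MAC that VLAN 701 uses
# for the same IP, which is exactly the failure described in the thread.
SNAPSHOTS: List[str] = [
    """701 10.10.10.19 00:11:22:aa:aa:01
701 10.10.10.39 00:11:22:aa:aa:02
702 10.10.10.19 00:11:22:bb:bb:01
702 10.10.10.39 00:11:22:bb:bb:02
704 10.10.10.19 00:11:22:cc:cc:01
704 10.10.10.39 00:11:22:cc:cc:02""",
    """701 10.10.10.19 00:11:22:aa:aa:01
701 10.10.10.39 00:11:22:aa:aa:02
702 10.10.10.19 00:11:22:AA:AA:01
702 10.10.10.39 00:11:22:bb:bb:02
704 10.10.10.19 00:11:22:cc:cc:01
704 10.10.10.39 00:11:22:cc:cc:02""",
]

Binding = Tuple[int, str]  # (vlan, ip)


def parse_snapshot(text: str) -> Dict[Binding, str]:
    """Parse '<vlan> <ip> <mac>' lines into {(vlan, ip): mac}, MACs lowercased."""
    entries: Dict[Binding, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        vlan, ip, mac = line.split()
        entries[(int(vlan), ip)] = mac.lower()
    return entries


def find_flaps(snapshots: List[str]) -> List[Tuple[int, str, str, str, int]]:
    """Return (vlan, ip, old_mac, new_mac, snapshot_index) for each binding change.

    Bindings are tracked per (vlan, ip), so the same IP legitimately living
    in several VLANs does not by itself produce a finding.
    """
    history: Dict[Binding, str] = {}
    flaps = []
    for idx, snap in enumerate(snapshots):
        for key, mac in parse_snapshot(snap).items():
            prev = history.get(key)
            if prev is not None and prev != mac:
                flaps.append((key[0], key[1], prev, mac, idx))
            history[key] = mac
    return flaps


def find_cross_vlan_macs(snapshot: str) -> Dict[str, List[int]]:
    """MACs that appear under more than one VLAN within a single snapshot."""
    by_mac: Dict[str, set] = defaultdict(set)
    for (vlan, _ip), mac in parse_snapshot(snapshot).items():
        by_mac[mac].add(vlan)
    return {mac: sorted(vlans) for mac, vlans in by_mac.items() if len(vlans) > 1}


if __name__ == "__main__":
    for vlan, ip, old, new, idx in find_flaps(SNAPSHOTS):
        print(f"snapshot {idx}: VLAN {vlan} {ip} changed {old} -> {new}")
    for idx, snap in enumerate(SNAPSHOTS):
        for mac, vlans in find_cross_vlan_macs(snap).items():
            print(f"snapshot {idx}: MAC {mac} seen in VLANs {vlans}")
```

Running it stand-alone prints one flap (VLAN 702, 10.10.10.19) and one cross-VLAN MAC in the second snapshot; with live data, collect the snapshots every few seconds from both the wired side and the WGB side so the timing of the flip can be compared against the ARP and IAPP timers mentioned in the original post.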
03-18-2013 01:22 AM
Magnus:
Are your clients connected directly to the WGB (one client per WGB), or are the WGBs connected to a switch with the other clients connected to the same switch?
If the WGBs use switches, are all WGBs connected to the same switch, or to different switches?
As far as I understood from your description, you have two different clients with the same IP on the same VLAN. This design doesn't really work. You have to change the design to have unique IP addresses for clients on the same VLAN. This should be the solution for your issue.
If I misunderstood something, I am waiting for your elaboration.
Greetings,
Amjad
Rating useful replies is more useful than saying "Thank you"
03-18-2013 01:37 AM
The clients that have the same IP addresses are separated from each other on different VLANs, which is the reason I separated the different ones by using A1, A2, B1, B2.
So the A-clients are on ssid1 which is a VLAN interface on the controller with VLAN ID 701.
The B clients are on ssid2 which is VLAN ID 702.
C are on ssid4 which is VLAN ID 704.
Right now, we only have one client connected directly to the WGB and one client on the wired network, same switch as the controller is connected to.
03-18-2013 01:41 AM
Client A1, B1, C1 each have a WGB which connects them to the correct ssid, ssid1 for A1, ssid2 for B1 and ssid4 for C1.
03-18-2013 01:46 AM
Magnus:
How do you have different dynamic VLAN interfaces with the same IP subnet range? This is not possible on a Cisco wireless controller!!
You have SSID1 on 10.10.10.x
you have SSID2 on 10.10.10.x as well.
This is not possible on a Cisco WLC.
There is possibly something missing or something that I don't understand.
Rating useful replies is more useful than saying "Thank you"
03-18-2013 02:00 AM
The controllers use some other "dummy" IP, 192.168.10Y.1X, where Y is 1 for ssid1, 2 for ssid2 etc., and X is just the controller number from 1 to 6.
We're only trying to bridge the clients behind the WGB to the wired net through wifi
03-18-2013 02:05 AM
Magnus:
So, you have multiple controllers?
I am still confused. I think one logical diagram showing the connections is worth 1000 words.
Rating useful replies is more useful than saying "Thank you"
03-18-2013 02:34 AM
Image which might clarify the setup. Only with one controller, as both lightweight APs are connected to the same controller. We tried with different controllers for the APs with different SSIDs, but that didn't help.
03-18-2013 03:03 AM
Magnus:
Thank you for the great diagram.
Now, I still believe you should not use the 192.168.x.x on the same VLAN where the 10.10.10.x subnet is being used. You need to have the dynamic interface on the same subnet as the VLAN subnet. This will force you to use different subnets for both SSIDs. This is what all Cisco docs recommend. Violating that will obviously cause abnormal behavior (just like your current situation).
Rating useful replies is more useful than saying "Thank you"
03-18-2013 03:34 AM
Yeah but we can't use the same IP-net on several different SSID's on the controller.
As I said in the original post, the clients are part of an industrial system and it's not possible to use different IP-addresses and/or subnets for the clients.
03-18-2013 03:46 AM
You can do some workarounds (not sure if they fit in your situation), like using the same dynamic interface for different SSIDs.
You may need to bring in a separate WLC if you insist on the same IP addressing.
I am sorry, I am trying my best to help, but the current design is not one for which we can offer useful solutions.
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you"