MAC-address leakage between VLANs/SSIDs

magnus.maatta
Level 1

Hi,

I'm having a problem with MAC-addresses being leaked between different SSIDs on different VLANs, so that our clients will be unreachable as the systems will get the wrong MAC-address for the IP-address requested.

We're trying to connect a number of industrial systems through wifi with autonomous access points configured as WGBs and have set up 8 SSIDs (system1, system2, system3 etc.) on different VLANs (701, 702, 703, ...), and as with most industrial systems they are using the same IP-range and IP-addresses for the systems, so the security PLC has e.g. 10.10.10.102 on system1, system2 etc.

We have tried different ways of trying to trick the WLC into not mixing them up between the SSIDs and VLANs without any positive result.

We tried tunneling all the traffic through the unified VLAN client feature but got the same result. However, we got it working momentarily by setting IP 10.10.10.129 on one device, then changing it to the correct one after the ARP-tables had been filled on the clients with the correct ones, but this only worked until either IAPP or the ARP-cache on either the WGB or the WLC (not sure which one) timed out or some timer kicked in and removed the correct MAC-address and added the MAC-address from another SSID/VLAN for that IP-address on that net.

Since the security PLCs need <100ms delay between each other (the wired one and the one behind the WGB), trying to do some workaround with IP-addresses is impossible.

Equipment used:

1262 APs as WGB, tried with the following IOS versions: 12.4(25d)-JA1/2, 15.2-2JA and JB; we also tried with a 3602.

5508 WLC: tried with the following IOS versions: latest 7.0, latest 7.2 and latest 7.4

1262 LAPs are used for distributing the SSIDs

We have Passive Client enabled on all the SSIDs with unicast multicast mode set on controllers.

Unified VLAN WGB feature enabled on controllers.

Anyone got any solution to our problem ?

17 Replies

Amjad Abdullah
VIP Alumni

Magnus:

I think we need more elaboration from your side.
What I understood is that you have 8 VLANs (8 SSIDs) and those VLANs configured on a switch which has a WGB connected to it that bridges the wireless traffic. The VLANs are configured correctly on the switch, WGB and WLC.

You have some clients on VLAN 701, for example, that get connected to different VLANs (say 703)? Is that what happens? Please elaborate a bit more.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Almost, I should have written a bit more exact description, sorry about that.

We have one WGB connected to ssid1 on vlan 701 and another WGB connected to ssid2 on vlan 702, another connected to ssid5 on vlan 705.

And as I said, the clients behind the WGBs and on the wired net  all have the same IP addresses on their respective VLAN.

I am still not able to understand what that means.

It looks to me like you say client X has the same exact IP as client Y, but client X and client Y are in two different VLANs (but I don't think this is the situation). Please elaborate more.

Rating useful replies is more useful than saying "Thank you"

Clients behind WGBs:

Client A1 on ssid1 with ip 10.10.10.19

Client B1 on ssid2 with ip 10.10.10.19

Client C1 on ssid4 with ip 10.10.10.19

Clients on wired net:

Client A2 on VLAN 701 with ip 10.10.10.39

Client B2 on VLAN 702 with ip 10.10.10.39

Client C2 on VLAN 704 with ip 10.10.10.39

All clients with netmask 255.255.255.0

It works for about 15 seconds before it stops working (the communication between clients); after that it will stop working and the ARP tables on the clients will have the MAC address for another client on a different SSID/VLAN.
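One way to spot the symptom described above from the client side, as an added example that is not part of this thread: parse an `ip neigh show` snapshot taken on a host in a given VLAN and flag IP entries whose MAC belongs to the same IP on another VLAN. The inventory, MAC addresses and snapshot below are constructed; the Linux `ip neigh` output format is assumed.

```python
import re

# Constructed inventory of the hosts from the thread (MACs are made up):
# (vlan, ip) -> expected MAC. The same IP exists on several VLANs by design.
INVENTORY = {
    (701, "10.10.10.19"): "00:00:5e:00:53:a1",  # client A1 behind WGB on ssid1
    (702, "10.10.10.19"): "00:00:5e:00:53:b1",  # client B1 behind WGB on ssid2
    (704, "10.10.10.19"): "00:00:5e:00:53:c1",  # client C1 behind WGB on ssid4
}

# Matches "<ip> dev <if> lladdr <mac> <state>"; entries without lladdr
# (FAILED/INCOMPLETE) carry no MAC and are skipped.
ARP_LINE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-fA-F:]{17}) ")

def parse_ip_neigh(text):
    """Parse `ip neigh show` output into {ip: mac} (MACs lower-cased)."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def check_arp(vlan, table):
    """Classify each ARP entry seen on a host in `vlan`:
    'ok'          - MAC is the expected one for (vlan, ip)
    'leak:<vlan>' - MAC belongs to the same IP on a different VLAN
    'unknown'     - MAC is not in the inventory at all"""
    by_mac = {mac: (v, ip) for (v, ip), mac in INVENTORY.items()}
    result = {}
    for ip, mac in table.items():
        if INVENTORY.get((vlan, ip)) == mac:
            result[ip] = "ok"
        elif mac in by_mac and by_mac[mac][1] == ip:
            result[ip] = f"leak:{by_mac[mac][0]}"
        else:
            result[ip] = "unknown"
    return result

# Constructed snapshot from wired client A2 (VLAN 701) after the ~15 s window:
# 10.10.10.19 now resolves to B1's MAC, which lives on VLAN 702.
SNAPSHOT_A2 = """\
10.10.10.19 dev eth0 lladdr 00:00:5e:00:53:b1 REACHABLE
10.10.10.1 dev eth0 lladdr 00:00:5e:00:53:ff STALE
10.10.10.50 dev eth0  FAILED
"""

if __name__ == "__main__":
    for ip, verdict in check_arp(701, parse_ip_neigh(SNAPSHOT_A2)).items():
        print(ip, verdict)
```

Run it periodically on a wired client in each VLAN and alert on any `leak:` verdict; a flip from `ok` to `leak:` roughly 15 seconds after the WGB associates matches the timer behaviour described above.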

Magnus:
Are your clients connected directly to the WGB (one client per WGB), or are the WGBs connected to a switch with the other clients connected to the same switch?

If the WGBs use switches, are all WGBs connected to the same switch or to different switches?

As far as I understood from your description, you have two different clients with the same IP on the same VLAN. This design doesn't really work. You have to change the design to have unique IP addresses for clients on the same VLAN. This should be the solution for your issue.

If I misunderstood something, I am waiting for your elaboration.

Greetings,

Amjad

Rating useful replies is more useful than saying "Thank you"

The clients that have the same IP addresses are separated from each other on different VLANs, which is the reason I separated the different ones by using A1, A2, B1, B2.

So the A-clients are on ssid1 which is a VLAN interface on the controller with VLAN ID 701.

The B clients are on ssid2 which is VLAN ID 702.

C are on ssid4 which is VLAN ID 704.

Right now, we only have one client connected directly to the WGB and one client on the wired network, same switch as the controller is connected to.

Client A1, B1, C1 each have a WGB which connects them to the correct ssid, ssid1 for A1, ssid2 for B1 and ssid4 for C1.

Magnus:

How do you have different dynamic VLAN interfaces with the same IP subnet range? This is not possible on a Cisco wireless controller!!

You have SSID1 on 10.10.10.x

you have SSID2 on 10.10.10.x as well.

This is not possible on a Cisco WLC.

There is possibly something missing or something that I don't understand.

Rating useful replies is more useful than saying "Thank you"

The controllers use some other "dummy" IP 192.168.10Y.1X, Y is 1 for ssid1, 2 for ssid2 etc, X is just the controller number from 1 to 6.

We're only trying to bridge the clients behind the WGB to the wired net through wifi

Magnus:

So, you have multiple controllers?

I am still confused. I think one logical diagram showing the connections is worth 1000 words.

Rating useful replies is more useful than saying "Thank you"

magnus.maatta
Level 1

Image which might clarify the setup. Only with one controller, as both lightweight APs are connected to the same controller. We tried with different controllers for the APs with different SSIDs, but that didn't help.

Magnus:

Thank you for the great diagram.

Now, I still believe you should not use the 192.168.x.x on the same VLAN where the 10.10.10.x subnet is being used. You need to have the dynamic interface on the same subnet as the VLAN subnet. This will force you to use different subnets for both SSIDs. This is what all Cisco docs recommend. Violating that will obviously cause abnormal behavior (just like your current situation).

Rating useful replies is more useful than saying "Thank you"

Yeah, but we can't use the same IP-net on several different SSIDs on the controller.

As I said in the original post, the clients are part of an industrial system and it's not possible to use different IP-addresses and/or subnets for the clients.

You can do some workarounds (not sure if they fit in your situation) like using the same dynamic interface for different SSIDs.

You may need to bring separate WLC if you insist on same IP addressing.

I am sorry I am trying my best to help but the current design is not as good as we can offer useful solutions.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"