topic Avoiding huge broadcast domains in Wireless Questions and Best Practices

Avoiding huge broadcast domains

temur_kalandia — Tue, 18 Feb 2014 07:09:47 GMT

hello,
For avoiding huge broadcast domains will be great if Ruckus has the feature "vlan range" or "vlan pooling" (it has different naming depending on vendor). with that feature you can configure one SSID and bind to it Vlan ranges. in such way each time when user connects to that SSID it will get an IP address from the different vlan.
One of our costumer has about 5k user in one building. they used above mentioned feature with previous vendor AP's. After migrating to Ruckus wireless we sew that there no such feature, with ruckus you have two options to avoid huge broadcast domains : 1) configure different ssid with the different VLAN , with causes clients to reconnect when they change location in the same building(NOT good idea ) , 2) create wlan groups and bind different vlan to the same SSID, which causes disconnections when roaming occurs, clients sometimes have to disconnect and reconnect(NOT good).

So if there anyone interested in that feature ,please give a support and may be w'll see it in near releases.

regards

Re: Avoiding huge broadcast domains

primoz_marinsek — Tue, 18 Feb 2014 08:48:36 GMT

Could you elaborate on the point?

You can Isolate wireless client traffic from all hosts on the same VLAN/subnet and you can use Proxy ARP now.

Re: Avoiding huge broadcast domains

temur_kalandia — Wed, 19 Feb 2014 09:02:09 GMT

hello,

these two options client isolation and proxy ARP are good way to avoid huge broadcasts, but dividing client network e.g in several /24 sub nets is better way to avoid broadcast storms, also this is more secure. also client isolation is not always good solution, because some customers need connections between clients, sometimes there are applications which is used by users, there might be not only ARP broadcast in the network , etc

Re: Avoiding huge broadcast domains

primoz_marinsek — Thu, 20 Feb 2014 07:17:19 GMT

You also have the option of L3 and L4 ACLs. Something can be done with that.

You also have the option of dynamic VLANs. So if you're using an auth server of some sort you can have users assigned to a specific vlan from the data in the server.

Re: Avoiding huge broadcast domains

temur_kalandia — Thu, 20 Feb 2014 07:46:39 GMT

we cant use dynamic vlan option, because there is one open ssid , no authentication needed.

In my opinion ruckus should have such option as vlan range per ssid. this will be a really great solution.

Re: Avoiding huge broadcast domains

primoz_marinsek — Thu, 20 Feb 2014 08:22:30 GMT

Disagree with your last statement.

Each SSID you broadcast uses up something like 2,3% of BW. So if you have 10 SSIDs you've lost 23% of BW just with that. That's one reason why you have the dynamic VLAN option.

If I understand you correctly you would like an extension of the DHCP relay function into a DHCP relay proxy. I personally haven't had the need for this, but I guess it could be useful in some cases and I would support any enhancement to the RW suite, so +1 for that at least.

Re: Avoiding huge broadcast domains

temur_kalandia — Thu, 20 Feb 2014 09:03:41 GMT

i have deployment with about 5000 users, there is just one open ssid. With ruckus we have to use one huge subnet, with prevous vendor i had several /24 lan and all user were spreaded in these vlans, each connected user was getting ip addresses from these vlans randomly.

I think this is more acurate topology, then you provided. If there is no need to have l3 domains, why we buy routers , from your look bying one l2 device, one huge subnet and client isolation is enough..... I dont think so:)

Re: Avoiding huge broadcast domains

primoz_marinsek — Thu, 20 Feb 2014 09:07:36 GMT

How long did users stay in one subnet?

Re: Avoiding huge broadcast domains

temur_kalandia — Thu, 20 Feb 2014 09:16:18 GMT

until they were connected, they have ip address from the same lan and no roaming issues. Each disconect/conect causes new ip address assignment.

Re: Avoiding huge broadcast domains

primoz_marinsek — Thu, 20 Feb 2014 09:18:41 GMT

Sory i didn't specify earlier. I was asking that for the old system. On the old system when an STA connected it got an IP and it kept that even when roaming?

Re: Avoiding huge broadcast domains

temur_kalandia — Thu, 20 Feb 2014 09:28:11 GMT

i wrote about old system. with previous vendor APs the client device have the same ip address during roaming.

Re: Avoiding huge broadcast domains

bill_burns_6069 — Sat, 22 Mar 2014 00:25:38 GMT

I think this could be implemented with dynamic VLANs and a RADIUS server.
It would take a bit of doing, but shouldn't require additional features on the Ruckus ZDs.

Re: Avoiding huge broadcast domains

temur_kalandia — Sat, 22 Mar 2014 07:22:22 GMT

hello Bill,

can you please tell how do you accomplish this task when there is one OPEN SSID and no need for authentication? in such case you can't use radius server and dynamic vlan

Re: Avoiding huge broadcast domains

max_o_driscoll — Mon, 24 Mar 2014 09:54:22 GMT

off-topic query: where did you get that 2.3% figure from Primoz? Not seen it mentioned before. I have a lot of SSIDs and if correct I would try to use fewer. I feel a "what are negative effects of numerous SSIDs" thread coming up!

Re: Avoiding huge broadcast domains

bill_burns_6069 — Mon, 24 Mar 2014 16:19:14 GMT

The feature is called "mac authentication bypass". I haven't tried it with ruckus APs (yet) but it passes the mac address of the client to the radius server as both the username and the password.
(It should also set a number of other attributes)
The trick then becomes getting your radius server to respond appropriately.
The last time I checked, the microsoft radius server it was not very flexible.
(but nowadays there might be a way to integrate with powershell for customization?)
I ended up rigging a linux/freeradius server to call an external script and was able to get the radius server to provide any response I wanted.

In my case, the script searched a registration "database" (text file) to force registered machines into a particular VLAN and unknown machines into a "guest" VLAN.

If you're willing+able to script the logic yourself, you could tailor RADIUS responses to balance the number of machines in each VLAN, etc.

Also, most NAC solutions (like packetfence) can integrate with wireless devices using mac authentication bypass.
(but I'm not sure they'd provide the exact feature / customization you're looking for)

Let me know if/what other details you need.

Re: Avoiding huge broadcast domains

temur_kalandia — Mon, 24 Mar 2014 16:40:42 GMT

hello Bill,

this must be slimier then you have done.. struggling with radius server is not a good solution, you still need authenticate users and unauthenticated users you are putting into one vlan... i think that solution is not accurate and appropriate for my task.

i have working previously with several wireless vendors , they have that feature with simple configuration steps. there is no need for radius and any of external authentication mechanisms, authentication is completely removed .

task is simple : one open SSID, several VLAN's. to each connected user will be randomly allocated IP addresses from these VLAN's and they can roam seamlessly between AP's. :)

if someone in ruckus development group is really needs to deeply understand that feature i can provide all information to implement this great feature in Ruckus wireless.

Re: Avoiding huge broadcast domains

bill_burns_6069 — Mon, 24 Mar 2014 17:01:52 GMT

I agree that implementing this feature through an external RADIUS server would be a "project". (as opposed to having a convenient vendor feature)

The level of difficulty may make my solution inappropriate for you.
I'm just pointing out that (if you're willing to put in the time effort and resources) you can have a large number of clients in one SSID but balanced between a number of VLANs.

I'm assuming a single, unauthenticated SSID.
The solution would change slightly if you require both authenticated and unauthenticated clients.

... In theory, you *could* put authenticated and unauthenticated users in a single VLAN but I'm not sure I understand the use-case for that.

Re: Avoiding huge broadcast domains

alex_cordova — Mon, 21 Jul 2014 17:55:04 GMT

hi there... i was reading to understood what happens when an AP has for example 4 SSID... the antena radiates 4 RF signals to that...or how it ocurss ???

regards...

Re: Avoiding huge broadcast domains

primoz_marinsek — Thu, 30 Oct 2014 11:47:25 GMT

Hi Max

Sorry, but I've just now seen that you've asked me this.

The link to this is here

http://www.revolutionwifi.net/p/ssid-...

Re: Avoiding huge broadcast domains

daniel_kuchensk — Tue, 04 Nov 2014 21:06:48 GMT

This is a great feature that is implemented by Cisco and Aruba, and should definitely be on Ruckus' radar to implement as well. There should be no need for a complicated radius based vlan solution.

Why is this important? You can assign a vlan pool to a SSID (ex: VLANs 10, 20, & 20), and when a client joins, they are automatically assigned to one of the VLANs (and receive an IP address for that VLAN's subnet). This enables you to easily expand your wireless network without changing the subnet of the existing vlan (by added another VLAN to the ssid), and allows you to decrease the broadcast domain from a single huge vlan/subnet.