03-21-2022 10:49 PM
I couldn't find an answer to this anywhere so I suspect it might be an obvious answer.
Bonus question: Can the wireless clients recieve DHCP leases from a DHCP server at the local site subnet? Or will they be forced to go via the Data Plane?
From what I've read, the Split Tunnel Profile may facilitate in keeping local traffic local but I could have issues with DHCP?
Licensing wise, the scenario above would require a license for vSZ-E, vSZ-D, 10 x APs, 10 x tunnels. Anything else?
Solved! Go to Solution.
04-07-2022 09:07 AM
My colleague forwarded your questions to me. Here are the answers for your questions
For your question 1:
I assume the wireless clients in this case are on the same IP subnet, if so, traffic between these 2 wireless clients will be on the Wireless side and will not be seen at AP WAN port.
My Wireless packet capture shows the packets are sending to clients directly via AP WLAN interface and nothing at AP port or at vDP.
For your questions 2:
Traffic between wireless clients will be tunneling to vDP because AP just knows its current associated wireless clients.
My vDP packet capture shows:
Wireless client 1 ==== AP 1 ==== vDP==== AP 2 ==== Wireless client 2, and vice-versa.
For your Bonus question:
WLAN tunneling is the prerequisite for Spit-tunnel feature. Without checking the option WLAN Tunneling, the Split-Tunnel option will not display. This means wireless client MUST receive IP address from DHCP server behind the tunnel.
04-05-2022 08:31 AM - edited 04-05-2022 08:39 AM
if the Tunnel is used or not is based on the settings in the SSID if you set tunnel mode on or off.
If you bridge traffic only without tunnel mode, you can access the local dhcp server on the network depending which vlan you use. In "tunnel mode" all traffic from the specific SSID is tunneled to the vdp and broke out there to default vlan or the vlan you set.
That means the client does not hit your network in any way except out of the dataplane.
It is a very common use case for a guest wifi where you need to make sure that the "guest" cannot harm your network in any way.
PS: Please read through the vdp requirements. It is a modded kernel and drive the vCPUs assigned to over 80% (1 is management restart are forwarding CPUs). That means you throw in minimal configuration 3 real cores of your cpu and vm host away.
04-05-2022 05:54 PM - edited 04-05-2022 10:29 PM
Thanks for the reply.
So to clarify, in tunnel mode, all traffic between clients will transit the virtual data plane instance?
In bridge mode (the normal, default mode?) the tunnel is never used and so traffic never transits the virtual data plane instance?
04-05-2022 10:04 PM
this is correct and but it depends on setting that wifi clients can see each other in that specific SSID in tunnel mode or not. But if you mean if they can see a client on the other side of tunnel this is correct.
So they would be able to use a DHCP Server in that specific SSID that you put in WiFi if no wireless client isolation is set, but I would not recommend to put such a essential service on WiFi if not really needed. I would Position the dhcp service on other side behind the vdp.
04-06-2022 12:16 AM
another thing. I never traced down the exact traffic flow from tunneled SSID. But I am pretty sure that between different APs it is exchanged via vdp. As the clients will never hit any switch till they go out of vdp. I am just not sure with several cleints on same AP.