
One SSID with multiple subnets and clients roaming between subnets

New Contributor II
I'm making some big changes to the LAN that will affect how our APs and ZoneDirector are configured. I'm at the planning stage so nothing is set in stone yet. This is what I would like, not necessarily what I'll end up doing.

We have a large site, about 200 acres; each building or open area has its own subnet (about 12 subnets). APs have the ZD's IP set static. The APs get a local management IP address via DHCP and connect back to the ZD over the Layer-3 (routed) network. I'll need to have 3 or 4 SSIDs that ultimately need varying levels of security; I'll call the SSIDs LOW, MID, HIGH, and GUEST. I'd like to keep the number of WLAN subnets down and keep the same VLAN on the SSID regardless of which LAN switch it is serviced through.

So two wireless clients who are relatively close and on the same SSID could be in different subnets; this wouldn't be a problem. But if a client roams from one subnet to another it would need to renew its IP, and some of our applications will not survive this. So how do I get around this? I've worked with other products that solve this issue by using L3 tunneling between APs and the controller so the wireless client can retain its IP even when that subnet isn't directly attached to its current AP. Of course this adds to the LAN traffic on the APs and to the mesh traffic on APs that aren't root. Most of the security would be ACLs, not VLANs or subnets.

What are my alternatives? Am I over thinking this? Will it tunnel the L3 traffic? Is the extra traffic too little to be concerned with?



Contributor II
Short answer - don't do it.
Having the same SSID on different VLANs is asking for trouble.  Roaming is always client-driven, so you have no control over when a client will roam and to which AP.  Also, some clients do not renew their IP when they roam from one AP to another within the same SSID.  Remember the client doesn't know it's switching VLANs, so it assumes it's still good to go on its old IP.

You have a couple of options (in order of my preference):
a) Reconfigure your wired LAN to have a flat VLAN for WiFi throughout the entire property.  Management of the APs can be on different VLANs, but the WiFi clients would all be on the same VLAN irrespective of which switch they are on.

b) tunnel - as you mentioned, the solution is usually to tunnel all traffic back to the controller.  The main bottleneck here will be the controller itself, since the ZD only uses a single Gigabit port for all traffic - effectively giving you about 500Mbps of total bandwidth throughout your LAN*.

c) use different SSIDs on each VLAN.  Clients will need to switch SSIDs as they move through the campus.

d) Enable 'Force DHCP' on the VLANs.  This will mean that a client will be kicked out if it doesn't send a DHCP request within X seconds of joining/roaming an AP.  Not the cleanest and some clients don't like to be kicked out.

*  If this is your only/preferred option and you need more than 500Mbps of throughput, you may wish to consider migrating to a SZ-124 which has two 10Gbps SFP+ ports dedicated to tunnelling.

Andrea hit it on the head, and in the right order.  

I came from a company that did offer that client tunneling feature (IP mobility, I think it was called), but that had its own issue. A good example of this shortcoming is if your "home" network is in building A and you roam to building Z and you want to print to a printer in building Z: the print traffic has to traverse all the way back to building A first, then get routed to the printer in building Z. That was a problem for the network admin at the time, since they wanted to keep the building networks separate and did not want the buildings to talk to each other.

They might have changed one or the other, wlan config or network routing policy, to make it work.
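The two replies above argue the same point from two sides: a client that roams between APs on different VLANs keeps its old address because it never learns it changed subnets, and tunnelling fixes that at the price of hairpinning every packet through the tunnel anchor. The model below is an added example written for this page, not code from either poster or from Ruckus; the campus (four APs, three VLANs, the addresses, and the controller name "zd") is constructed, and the four modes are a simplification of the options a) to d) listed in the first reply. It lets you enumerate which AP pairs on a planned layout are L3 roams, and what each design does to a client that crosses one.

```python
import ipaddress

# Constructed example campus (not the poster's real network): each AP bridges
# the SSID onto the VLAN of its own building, and each VLAN is one routed subnet.
AP_VLAN = {
    "ap-bldgA-1": 10,
    "ap-bldgA-2": 10,
    "ap-bldgB-1": 20,
    "ap-bldgZ-1": 30,
}
VLAN_SUBNET = {
    10: ipaddress.ip_network("10.10.10.0/24"),
    20: ipaddress.ip_network("10.10.20.0/24"),
    30: ipaddress.ip_network("10.10.30.0/24"),
}


def ap_subnet(ap):
    """Subnet a client receives when it associates to this AP in bridged mode."""
    return VLAN_SUBNET[AP_VLAN[ap]]


def l3_roam_pairs(ap_vlan=AP_VLAN):
    """Ordered (from_ap, to_ap) pairs where a roam crosses into a different subnet.

    In the bridged design every pair returned here is a roam the client will
    not notice: it keeps its old IP and is silently off-subnet on the new AP.
    """
    pairs = set()
    for a in ap_vlan:
        for b in ap_vlan:
            if a != b and VLAN_SUBNET[ap_vlan[a]] != VLAN_SUBNET[ap_vlan[b]]:
                pairs.add((a, b))
    return pairs


def roam_outcome(client_ip, from_ap, to_ap, mode, client_renews=False):
    """What happens to a client's address when it roams from_ap -> to_ap.

    mode (simplified from the options in the thread, assumption of this model):
      "bridged"    - each AP bridges the SSID to its local VLAN (the asked-about design)
      "flat"       - one campus-wide WiFi VLAN on every switch (option a)
      "tunnel"     - client traffic tunnelled to the controller, address fixed there (option b)
      "force-dhcp" - bridged, but the client must DHCP after the roam or be dropped (option d)
    client_renews models whether this particular client re-requests DHCP on roam;
    the thread notes many do not.
    """
    ip = ipaddress.ip_address(client_ip)
    if mode in ("flat", "tunnel"):
        return "ok"  # same subnet everywhere, or anchored at the controller
    old, new = ap_subnet(from_ap), ap_subnet(to_ap)
    if old == new:
        return "ok"  # plain L2 roam within one subnet
    if mode == "force-dhcp":
        return "readdressed" if client_renews else "kicked"
    # bridged: client crossed subnets but keeps the old address.
    if client_renews:
        return "readdressed"
    return "stale-ip" if ip not in new else "ok"


def tunnel_path(client_ip, current_ap, dest_ip, controller="zd"):
    """Hops a tunnelled client's packet takes (the hairpin the second reply describes).

    The model assumes the tunnel anchors the client on the VLAN its address
    belongs to, so traffic to a device in the client's *current* building still
    exits at the anchor VLAN and is routed back.
    """
    src, dst = ipaddress.ip_address(client_ip), ipaddress.ip_address(dest_ip)
    home_vlan = next(v for v, n in VLAN_SUBNET.items() if src in n)
    dest_vlan = next(v for v, n in VLAN_SUBNET.items() if dst in n)
    path = [current_ap, controller, f"vlan{home_vlan}"]
    if dest_vlan != home_vlan:
        path += ["router", f"vlan{dest_vlan}"]
    return path


if __name__ == "__main__":
    print("L3 roam pairs:", sorted(l3_roam_pairs()))
    for mode in ("bridged", "force-dhcp", "flat", "tunnel"):
        print(mode, roam_outcome("10.10.10.50", "ap-bldgA-1", "ap-bldgB-1", mode))
    # Client from building A, now on the building Z AP, printing to a building Z printer.
    print(" -> ".join(tunnel_path("10.10.10.50", "ap-bldgZ-1", "10.10.30.9")))
```

Running it on the constructed campus prints ten L3 roam pairs out of twelve (only the two APs in building A share a subnet), and the last line shows the print job leaving building Z for VLAN 10 before being routed back to VLAN 30, which is exactly the routing policy question the second reply raises.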


In reference to
d) Enable 'Force DHCP' on the VLANs.  This will mean that a client will be kicked out if it doesn't send a DHCP request within X seconds of joining/roaming an AP.  Not the cleanest and some clients don't like to be kicked out.
Be careful, as there is a bug with Force DHCP which stops internet traffic to clients when they roam between APs on firmware and upwards, and it has yet to be fixed (I have a case open with Ruckus Support).

Have you thought about 1 x SSID and Dynamic VLANs:

I think Randall is talking about the kind of network w/ routed connections between each building, where the same subnets are not available in all buildings.

If that's the case, Dynamic VLANS (by themselves) will not be able to solve the problem.