temur_kalandia's profile

24 Messages

 • 

420 Points

Tue, Feb 18, 2014 7:09 AM


Avoiding huge broadcast domains

Hello,
To avoid huge broadcast domains, it would be great if Ruckus had the "VLAN range" or "VLAN pooling" feature (the name differs by vendor). With that feature you can configure one SSID and bind VLAN ranges to it, so that each time a user connects to that SSID they get an IP address from a different VLAN.
One of our customers has about 5k users in one building. They used the above-mentioned feature with the previous vendor's APs. After migrating to Ruckus wireless we saw that there is no such feature. With Ruckus you have two options to avoid huge broadcast domains: 1) configure different SSIDs with different VLANs, which causes clients to reconnect when they change location in the same building (NOT a good idea); 2) create WLAN groups and bind different VLANs to the same SSID, which causes disconnections when roaming occurs, and clients sometimes have to disconnect and reconnect (NOT good).

So if there is anyone interested in that feature, please give your support and maybe we'll see it in upcoming releases.

regards

Responses

Champion

 • 

368 Messages

 • 

5.6K Points

7 y ago

Could you elaborate on the point?

You can isolate wireless client traffic from all hosts on the same VLAN/subnet and you can use Proxy ARP now.

24 Messages

 • 

420 Points

7 y ago

Hello,

These two options, client isolation and proxy ARP, are a good way to avoid huge broadcasts, but dividing the client network, e.g. into several /24 subnets, is a better way to avoid broadcast storms, and it is also more secure. Also, client isolation is not always a good solution, because some customers need connections between clients, sometimes there are applications which are used by users, there might be not only ARP broadcasts in the network, etc.

Champion

 • 

368 Messages

 • 

5.6K Points

7 y ago

You also have the option of L3 and L4 ACLs. Something can be done with that.

You also have the option of dynamic VLANs. So if you're using an auth server of some sort you can have users assigned to a specific vlan from the data in the server.

24 Messages

 • 

420 Points

7 y ago

We can't use the dynamic VLAN option, because there is one open SSID and no authentication is needed.

In my opinion Ruckus should have an option such as a VLAN range per SSID. This would be a really great solution.

Champion

 • 

368 Messages

 • 

5.6K Points

7 y ago

Disagree with your last statement.

Each SSID you broadcast uses up something like 2,3% of BW. So if you have 10 SSIDs you've lost 23% of BW just with that. That's one reason why you have the dynamic VLAN option.

If I understand you correctly you would like an extension of the DHCP relay function into a DHCP relay proxy. I personally haven't had the need for this, but I guess it could be useful in some cases and I would support any enhancement to the RW suite, so +1 for that at least.

Champion

 • 

337 Messages

 • 

5.5K Points

off-topic query: where did you get that 2.3% figure from Primoz? Not seen it mentioned before. I have a lot of SSIDs and if correct I would try to use fewer. I feel a "what are negative effects of numerous SSIDs" thread coming up!

Champion

 • 

368 Messages

 • 

5.6K Points

Hi Max


Sorry, but I've just now seen that you've asked me this.

The link to this is here

http://www.revolutionwifi.net/p/ssid-...

24 Messages

 • 

420 Points

7 y ago

I have a deployment with about 5000 users, and there is just one open SSID. With Ruckus we have to use one huge subnet; with the previous vendor I had several /24 LANs and all users were spread across these VLANs, with each connected user getting an IP address from these VLANs randomly.

I think this is a more accurate topology than the one you provided. If there is no need to have L3 domains, why do we buy routers? From your point of view, buying one L2 device, one huge subnet and client isolation is enough..... I don't think so :)

Champion

 • 

368 Messages

 • 

5.6K Points

How long did users stay in one subnet?

24 Messages

 • 

420 Points

7 y ago

While they were connected, they had an IP address from the same LAN and no roaming issues. Each disconnect/connect causes a new IP address assignment.

Champion

 • 

368 Messages

 • 

5.6K Points

Sorry, I didn't specify earlier. I was asking that for the old system. On the old system, when an STA connected it got an IP and it kept that even when roaming?

24 Messages

 • 

420 Points

7 y ago

I wrote about the old system. With the previous vendor's APs the client device has the same IP address during roaming.

Champion

 • 

202 Messages

 • 

3K Points

7 y ago

I think this could be implemented with dynamic VLANs and a RADIUS server.
It would take a bit of doing, but shouldn't require additional features on the Ruckus ZDs.

24 Messages

 • 

420 Points

7 y ago

Hello Bill,

Can you please tell me how you accomplish this task when there is one OPEN SSID and no need for authentication? In such a case you can't use a RADIUS server and dynamic VLANs.

Champion

 • 

202 Messages

 • 

3K Points

7 y ago

The feature is called "MAC authentication bypass". I haven't tried it with Ruckus APs (yet) but it passes the MAC address of the client to the RADIUS server as both the username and the password.
(It should also set a number of other attributes.)
The trick then becomes getting your RADIUS server to respond appropriately.
The last time I checked, the Microsoft RADIUS server was not very flexible.
(But nowadays there might be a way to integrate with PowerShell for customization?)
I ended up rigging a Linux/FreeRADIUS server to call an external script and was able to get the RADIUS server to provide any response I wanted.

In my case, the script searched a registration "database" (text file) to force registered machines into a particular VLAN and unknown machines into a "guest" VLAN.

If you're willing+able to script the logic yourself, you could tailor RADIUS responses to balance the number of machines in each VLAN, etc.

Also, most NAC solutions (like PacketFence) can integrate with wireless devices using MAC authentication bypass.
(But I'm not sure they'd provide the exact feature / customization you're looking for.)

Let me know if/what other details you need.
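One way the external-script approach described above could balance an open SSID across a VLAN pool, as an added example that is not part of the original post and not Ruckus or FreeRADIUS code: it hashes the client MAC into the pool so the same device lands in the same VLAN on every roam, and returns the RFC 3580 tunnel attributes. The pool values, function names and the attribute = value output wiring are assumptions.

```python
import hashlib
import re
import sys
from collections import Counter

VLAN_POOL = [10, 20, 30]  # constructed pool; replace with your own VLAN IDs

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Accept aa:bb:.., AA-BB-.. or aabb.ccdd.eeff; return 12 lowercase hex chars."""
    mac = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def pick_vlan(raw_mac, pool=VLAN_POOL):
    """Stateless choice: hash the MAC into the pool, so it is stable across roams."""
    digest = hashlib.sha256(normalize_mac(raw_mac).encode()).digest()
    return pool[int.from_bytes(digest[:8], "big") % len(pool)]


def reply_attributes(raw_mac, pool=VLAN_POOL):
    """RFC 3580 tunnel attributes that tell the AP/controller which VLAN to use."""
    return [
        ("Tunnel-Type", "VLAN"),
        ("Tunnel-Medium-Type", "IEEE-802"),
        ("Tunnel-Private-Group-Id", f'"{pick_vlan(raw_mac, pool)}"'),
    ]


def spread(macs, pool=VLAN_POOL):
    """Count how many of the given MACs land in each VLAN."""
    return Counter(pick_vlan(m, pool) for m in macs)


if __name__ == "__main__":
    # MAC as the first argument (assumed wiring); constructed sample otherwise.
    mac = sys.argv[1] if len(sys.argv) > 1 else "02:00:00:AA:BB:CC"
    try:
        for name, value in reply_attributes(mac):
            print(f"{name} = {value}")
    except ValueError as exc:
        print(exc, file=sys.stderr)
        sys.exit(1)  # malformed input: return no VLAN assignment
```

The MAC address is supplied by the client, so this splits the broadcast domain but is not an access-control boundary between the VLANs.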

24 Messages

 • 

420 Points

7 y ago

Hello Bill,

This must be slimmer than what you have done. Struggling with a RADIUS server is not a good solution; you still need to authenticate users, and unauthenticated users you are putting into one VLAN... I think that solution is not accurate and appropriate for my task.

I have previously worked with several wireless vendors, and they have that feature with simple configuration steps. There is no need for RADIUS or any external authentication mechanisms; authentication is completely removed.

The task is simple: one open SSID, several VLANs. Each connected user will be randomly allocated an IP address from these VLANs and they can roam seamlessly between APs. :)

If someone in the Ruckus development group really needs to deeply understand that feature, I can provide all the information to implement this great feature in Ruckus wireless.

Champion

 • 

202 Messages

 • 

3K Points

7 y ago

I agree that implementing this feature through an external RADIUS server would be a "project". (as opposed to having a convenient vendor feature)

The level of difficulty may make my solution inappropriate for you.
I'm just pointing out that (if you're willing to put in the time, effort and resources) you can have a large number of clients in one SSID but balanced between a number of VLANs.

I'm assuming a single, unauthenticated SSID.
The solution would change slightly if you require both authenticated and unauthenticated clients.

... In theory, you *could* put authenticated and unauthenticated users in a single VLAN but I'm not sure I understand the use-case for that.

6 Messages

 • 

140 Points

7 y ago

Hi there... I was reading to understand what happens when an AP has, for example, 4 SSIDs... does the antenna radiate 4 RF signals for that... or how does it occur???

Regards...

7 Messages

 • 

192 Points

7 y ago

This is a great feature that is implemented by Cisco and Aruba, and should definitely be on Ruckus' radar to implement as well. There should be no need for a complicated radius based vlan solution.

Why is this important? You can assign a VLAN pool to an SSID (ex: VLANs 10, 20, & 20), and when a client joins, they are automatically assigned to one of the VLANs (and receive an IP address for that VLAN's subnet). This enables you to easily expand your wireless network without changing the subnet of the existing VLAN (by adding another VLAN to the SSID), and allows you to decrease the broadcast domain from a single huge VLAN/subnet.
