Avoiding huge broadcast domains

  • Idea
  • Updated 3 years ago
  • Implemented
Hello,
To avoid huge broadcast domains it would be great if Ruckus had the feature "VLAN range" or "VLAN pooling" (it has different names depending on the vendor). With that feature you can configure one SSID and bind VLAN ranges to it; in this way, each time a user connects to that SSID it will get an IP address from a different VLAN.
One of our customers has about 5k users in one building. They used the above-mentioned feature with the previous vendor's APs. After migrating to Ruckus wireless we saw that there is no such feature; with Ruckus you have two options to avoid huge broadcast domains: 1) configure different SSIDs with different VLANs, which causes clients to reconnect when they change location in the same building (NOT a good idea), 2) create WLAN groups and bind different VLANs to the same SSID, which causes disconnections when roaming occurs; clients sometimes have to disconnect and reconnect (NOT good).

So if anyone is interested in that feature, please give it your support and maybe we'll see it in a near release.

regards
Temur Kalandia

Posted 4 years ago

Primož Marinšek, AlphaDog
Could you elaborate on the point?

You can isolate wireless client traffic from all hosts on the same VLAN/subnet, and you can use Proxy ARP now.
Temur Kalandia
Hello,

These two options, client isolation and proxy ARP, are a good way to avoid huge broadcasts, but dividing the client network into several /24 subnets is a better way to avoid broadcast storms, and it is also more secure. Also, client isolation is not always a good solution, because some customers need connections between clients; sometimes there are applications used by the users, there might be more than just ARP broadcasts in the network, etc.
Primož Marinšek, AlphaDog
You also have the option of L3 and L4 ACLs. Something can be done with that.

You also have the option of dynamic VLANs. So if you're using an auth server of some sort, you can have users assigned to a specific VLAN based on the data in the server.
Temur Kalandia
We can't use the dynamic VLAN option, because there is one open SSID; no authentication is needed.

In my opinion Ruckus should have such an option as a VLAN range per SSID. This would be a really great solution.
Primož Marinšek, AlphaDog
Disagree with your last statement.

Each SSID you broadcast uses up something like 2.3% of BW. So if you have 10 SSIDs you've lost 23% of BW just with that. That's one reason why you have the dynamic VLAN option.

If I understand you correctly you would like an extension of the DHCP relay function into a DHCP relay proxy. I personally haven't had the need for this, but I guess it could be useful in some cases and I would support any enhancement to the RW suite, so +1 for that at least.
Max O'Driscoll, AlphaDog
Off-topic query: where did you get that 2.3% figure from, Primož? Not seen it mentioned before. I have a lot of SSIDs and if correct I would try to use fewer. I feel a "what are the negative effects of numerous SSIDs" thread coming up!
Primož Marinšek, AlphaDog
Hi Max

Sorry, but I've just now seen that you've asked me this.

The link to this is here:

http://www.revolutionwifi.net/p/ssid-...
Temur Kalandia
I have a deployment with about 5000 users; there is just one open SSID. With Ruckus we have to use one huge subnet; with the previous vendor I had several /24 LANs and all users were spread across these VLANs, each connected user getting an IP address from these VLANs randomly.

I think this is a more accurate topology than the one you provided. If there is no need to have L3 domains, why do we buy routers? From your point of view, buying one L2 device, one huge subnet and client isolation is enough..... I don't think so :)
Primož Marinšek, AlphaDog
How long did users stay in one subnet?
Temur Kalandia
Until they were connected, they had an IP address from the same LAN and no roaming issues. Each disconnect/connect causes a new IP address assignment.
Primož Marinšek, AlphaDog
Sorry, I didn't specify earlier. I was asking that for the old system. On the old system, when an STA connected it got an IP and it kept that even when roaming?
Temur Kalandia
I wrote about the old system. With the previous vendor's APs the client device kept the same IP address during roaming.
Bill Burns, AlphaDog
I think this could be implemented with dynamic VLANs and a RADIUS server.
It would take a bit of doing, but shouldn't require additional features on the Ruckus ZDs.
Temur Kalandia
Hello Bill,

Can you please tell how you accomplish this task when there is one OPEN SSID and no need for authentication? In such a case you can't use a RADIUS server and dynamic VLANs.
Bill Burns, AlphaDog
The feature is called "MAC authentication bypass". I haven't tried it with Ruckus APs (yet) but it passes the MAC address of the client to the RADIUS server as both the username and the password.
(It should also set a number of other attributes.)
The trick then becomes getting your RADIUS server to respond appropriately.
The last time I checked, the Microsoft RADIUS server was not very flexible.
(But nowadays there might be a way to integrate with PowerShell for customization?)
I ended up rigging a Linux/FreeRADIUS server to call an external script and was able to get the RADIUS server to provide any response I wanted.

In my case, the script searched a registration "database" (text file) to force registered machines into a particular VLAN and unknown machines into a "guest" VLAN.

If you're willing+able to script the logic yourself, you could tailor RADIUS responses to balance the number of machines in each VLAN, etc.

Also, most NAC solutions (like packetfence) can integrate with wireless devices using mac authentication bypass.
(but I'm not sure they'd provide the exact feature / customization you're looking for)

Let me know if/what other details you need.
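Added illustration of the policy such an external script could implement (this is not Bill's script, nor Ruckus or FreeRADIUS code): the client MAC is hashed onto a VLAN pool so the same client always lands in the same VLAN (and so keeps its subnet while roaming) while different clients spread evenly, and the reply is expressed as the standard RFC 3580 tunnel attributes that tell the AP which VLAN to use. The pool, guest VLAN and registration list are constructed values, and how the MAC is handed in from the RADIUS server is assumed.

```python
import hashlib
import re

# Constructed values for this example; a real deployment would load them from config.
VLAN_POOL = [110, 111, 112, 113]   # pool shared by the single open SSID
GUEST_VLAN = 199                   # unknown (unregistered) machines land here
REGISTERED = {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"}


def normalize_mac(raw: str) -> str:
    """Accept the MAC forms a NAS might send (aabb.ccdd.eeff, AA-BB-.., aabbccddeeff)
    and return the canonical lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def pick_vlan(mac: str, pool: list[int]) -> int:
    """Deterministic pick: the same MAC always maps to the same VLAN, so a roaming
    client keeps its subnet; SHA-256 spreads different MACs evenly over the pool."""
    digest = hashlib.sha256(mac.encode()).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def radius_reply(raw_mac: str) -> dict[str, str]:
    """Build the RFC 3580 tunnel attributes for one MAC-authentication request.
    Registered machines are balanced across the pool; unknown ones go to the guest VLAN
    (if no registration is wanted, pick from the pool for every MAC)."""
    mac = normalize_mac(raw_mac)
    vlan = pick_vlan(mac, VLAN_POOL) if mac in REGISTERED else GUEST_VLAN
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
    }


def vlan_distribution(macs, pool: list[int]) -> dict[int, int]:
    """Count how many clients land in each VLAN, to check the pool stays balanced."""
    counts = {v: 0 for v in pool}
    for m in macs:
        counts[pick_vlan(normalize_mac(m), pool)] += 1
    return counts
```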
Temur Kalandia
Hello Bill,

This must be simpler than what you have done. Struggling with a RADIUS server is not a good solution; you still need to authenticate users, and unauthenticated users you are putting into one VLAN... I think that solution is not accurate and appropriate for my task.

I have worked previously with several wireless vendors; they have that feature with simple configuration steps. There is no need for RADIUS or any external authentication mechanism; authentication is completely removed.

The task is simple: one open SSID, several VLANs. Each connected user will be randomly allocated an IP address from these VLANs and they can roam seamlessly between APs. :)

If someone in the Ruckus development group really needs to deeply understand that feature, I can provide all the information to implement this great feature in Ruckus wireless.
Bill Burns, AlphaDog
I agree that implementing this feature through an external RADIUS server would be a "project". (as opposed to having a convenient vendor feature)

The level of difficulty may make my solution inappropriate for you.
I'm just pointing out that (if you're willing to put in the time, effort and resources) you can have a large number of clients in one SSID but balanced between a number of VLANs.

I'm assuming a single, unauthenticated SSID.
The solution would change slightly if you require both authenticated and unauthenticated clients.

... In theory, you *could* put authenticated and unauthenticated users in a single VLAN but I'm not sure I understand the use-case for that.
ALEX CORDOVA
Hi there... I was reading to understand what happens when an AP has, for example, 4 SSIDs... does the antenna radiate 4 RF signals for that, or how does it occur???

Regards...
Daniel Kuchenski
This is a great feature that is implemented by Cisco and Aruba, and should definitely be on Ruckus' radar to implement as well. There should be no need for a complicated RADIUS-based VLAN solution.

Why is this important? You can assign a VLAN pool to an SSID (ex: VLANs 10, 20, & 20), and when a client joins, they are automatically assigned to one of the VLANs (and receive an IP address for that VLAN's subnet). This enables you to easily expand your wireless network without changing the subnet of the existing VLAN (by adding another VLAN to the SSID), and allows you to shrink the broadcast domain from a single huge VLAN/subnet.
Rahul Koul, Employee
To all,

The feature of VLAN pooling will be available in version 9.9 so please wait until the release is made public. As of now we do not have any ETA for it.

-Rahul
Daniel Kuchenski
Great, thanks for the update Rahul!
Michael Brado, Official Rep
Another cause of broadcast flooding has been determined to be bad Intel NICs that spew IPv6 discover packets. Simply configuring ZD/APs as IPv4-only does not help; we still have to inspect all packets. If IPv6 is not important to the applications used, please filter at higher-level routers/switches.