Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP - VLAN Considerations

  • 1.  RAP - VLAN Considerations

    Posted Mar 19, 2012 04:55 PM

    I am planning to replace about 20 remote branch office firewalls with RAPs.  Most offices will have a few wireless laptops connected and a wired network printer.  I plan to create a VLAN for workstations and a VLAN for printers.  I have the following questions/concerns:

     

    Should all branches' wireless clients be in the same VLAN, assuming they can all fit?  When this is done, doesn't broadcast traffic traverse each RAP's IPsec tunnel, wasting bandwidth?  If so, shouldn't that be a concern, and can it be mitigated without causing network connectivity issues?

     

    Should the wired printers be configured on a separate VLAN?  If so, can the RAP allow local connectivity between the wireless workstation VLAN and the wired printer VLAN?  Again, my concern is minimizing traffic that traverses the tunnel.

     

    I would appreciate any input.  Thank you.



  • 2.  RE: RAP - VLAN Considerations

    Posted Mar 19, 2012 05:25 PM

    Is it tunnel/Split-tunnel/bridge mode?

     

    If it is tunnel mode, all the traffic from the workstation would come to the controller and go back to the printer. Having a separate VLAN will reduce the broadcast traffic to a certain level. It is comparatively slower than bridge mode.

     

    In bridge mode the traffic is locally routed instead of being sent to the controller, but you would need another L3 switch locally to configure the VLANs or gateway.



  • 3.  RE: RAP - VLAN Considerations

    Posted Mar 19, 2012 05:40 PM

    Sorry, I should've specified the mode.  I had only planned to do tunnel mode for both workstations and printers.

     

    I'd like to avoid adding any more complexity and cost to the branch networks, so sending a router to the branches probably will not happen.

     

    Is there a way to create separate VLANs for different branch offices without using different AP groups?  If broadcast traffic isn't a big problem, then I probably won't mess with creating different VLANs.  I'm curious to know if anyone shares the same concern.



  • 4.  RE: RAP - VLAN Considerations

    Posted Mar 19, 2012 05:48 PM

    Thanks for the Reply. 

     

    Since you are using one RAP per location, it is not possible to have multiple AP groups. You can still map a separate VLAN to the printer and the workstation.

     

    If the printer and workstation are wireless, you can use a UDR matching the printer OUI to allocate a separate VLAN to printers.

     

    If the printers are wired, you can map the respective port to a printer VLAN and have the workstations (wireless) use a different VLAN.

     

     



  • 5.  RE: RAP - VLAN Considerations
    Best Answer

    Posted Mar 20, 2012 12:52 AM

    There are multiple things to consider here

     

    • Do the printers have to be in tunnel mode? If you just need the printers for local access at remote sites, you can configure the wired port on a RAP for bridge mode and allow the users in split-tunnel mode to use local printers. This way the printing traffic doesn't have to traverse the WAN and remains local.
    • It is better to sub-divide the VLAN rather than using one big VLAN. You say a few wireless clients, so assuming 20 clients per site you can use 4-5 sites per VLAN, i.e. one AP group for 4 or 5 sites. A VLAN with 60-80 devices is a good number because it reduces the broadcast traffic greatly. Remember that ARP requests can easily flood your network and increase the WAN bandwidth usage. Any ARP request for which the controller
    • With users in tunnel mode all traffic is forwarded to the controller, even the internet traffic. If your network policy requires this then it is fine. However, if each of your remote sites is only going to have 20-25 devices and one RAP per site, then you can use split-tunnel mode, where only the corporate destinations are tunneled to the controller and the rest of the internet traffic, such as web browsing and YouTube, will be appropriately src-NATed and routed out through the local ISP by the RAP. Split-tunnel mode is not recommended for sites with two or more RAPs because roaming in split-tunnel mode is not recommended.
    • The controller has knobs such as ip local-proxy-arp to minimize the ARP traffic. Knobs like BC/MC optimization can also be used on a per-VLAN basis to drop all broadcast/multicast traffic except ARP, DHCP and VRRP.

     

    Regards,

    Sathya
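The VLAN sizing, split-tunnel and broadcast-suppression advice in the answer above, written out as ArubaOS 6.x controller configuration. This is an added example, not configuration posted in the thread; VLAN 100, the 10.100.0.0/24 addressing and every profile and AP group name are assumptions, and the commands are the ArubaOS 6.x forms of the two knobs the answer names (bcmc-optimization and ip local-proxy-arp under the VLAN interface).

```text
! Added example (not from the thread): one corporate VLAN shared by 4-5
! single-RAP branch sites, with the broadcast knobs from the answer above.
! VLAN 100 / 10.100.0.0/24 and all profile names are assumptions.
vlan 100
!
interface vlan 100
  ip address 10.100.0.1 255.255.255.0
! drop broadcast/multicast on this VLAN except ARP, DHCP and VRRP
  bcmc-optimization
! controller answers ARP on behalf of clients instead of flooding the
! request down every RAP's IPsec tunnel
  ip local-proxy-arp
!
! Split-tunnel VAP: corporate destinations ride the tunnel, the rest is
! src-NATed out of the RAP's local uplink. Not for sites with 2+ RAPs.
wlan virtual-ap "branch-split-vap"
  vlan 100
  forward-mode split-tunnel
  aaa-profile "branch-aaa"
  ssid-profile "branch-ssid"
!
! one AP group per VLAN, covering 4 or 5 single-RAP sites
ap-group "branch-sites-1-to-5"
  virtual-ap "branch-split-vap"
```

forward-mode split-tunnel on the VAP only makes local breakout possible; which flows actually stay local is decided by the user role's session ACL, where the route src-nat action keeps a flow on the RAP and a plain permit tunnels it, as described later in this thread.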

     



  • 6.  RE: RAP - VLAN Considerations

    Posted Mar 20, 2012 03:24 PM

    Great post, sathya.  I have one question, though regarding the following statement:

     

    Do the printers have to be in tunnel mode? If you just need the printers for local access at remote sites, you can configure the wired port on a RAP for bridge mode and allow the users in tunnel mode to use local printers. This way the printing traffic doesn't have to traverse the WAN and remains local.

     

    The printers only need to be accessible by the remote sites.  So if I were to bridge a wired port just for the printers, how does a tunneled wireless client talk to the printer on the bridged port?  Wouldn't the client need to be on split-tunnel?



  • 7.  RE: RAP - VLAN Considerations

    Posted Mar 20, 2012 04:14 PM

    Sorry, I meant split-tunnel.

     

    Thank you

    Sathya



  • 8.  RE: RAP - VLAN Considerations

    Posted Mar 21, 2012 01:37 PM

    I've got myself a little confused, now.

     

    I'd like to set up split-tunnel so that all corporate AND internet traffic is tunneled back to the controller.  The only traffic not tunneled would be traffic destined to the local network printer on a bridged port.  I intend on designating 192.168.1.X/24 as the local network and it will only contain the network printer.

     

    After reading a bit, it seems to me that the non-tunneled traffic will exit the RAP's 0 interface and will be source NAT'd with the RAP's IP address, which in my case will be a public address.  If that's the case, the traffic that is destined for the printer won't get there since the printer is on a wired bridge port.  Is this really the case?  If so, is there any way to configure it so that traffic to the printer is source NAT'd w/an IP address in the network printers subnet (i.e 192.168.1.1) and is allowed out the bridged port?

     

    Thanks.



  • 9.  RE: RAP - VLAN Considerations

    Posted Mar 21, 2012 01:54 PM

    When you configure the user roles, instead of using src-nat you will use the route src-nat command. The route src-nat command works differently than a src-nat.  The "route src-nat" action properly source-NATs the traffic depending on the destination and eliminates the need to define static NAT pools. If the traffic is bound to the Internet, then the source-NATing is performed using the RAP IP address obtained from the ISP or home router. If the traffic is bound to a local subnet for which the RAP is the DHCP server or gateway, then the source-NATing is performed using the gateway IP of this local subnet. 

     

     

    !
    ip access-list session remote-employee
      user alias printers-local-subnet any route src-nat    <-- this should properly src-NAT the traffic based on the destination
      user any any permit                                    <-- this will tunnel the traffic
    !

     

    the printers-local-subnet is the alias that defines the 192.168.1.x network.

     

    Test to see if this works for you.

     

    Regards,

    Sathya



  • 10.  RE: RAP - VLAN Considerations

    Posted Mar 21, 2012 04:18 PM

    This is some great info, sathya.  I appreciate your help.

     

    I'm trying to put this all together to make sure I'm understanding all of the pieces to make this work.  I had to read up about creating a DHCP pool on the RAP, but I think I've got it.  Here is what I consider to be the majority of the config needed to do what I want:

     

    // Create AP Profile w/backup DHCP pool
    ap system-profile "ap_system_profile"
      rap-dhcp-default-router 192.168.1.1
      rap-dhcp-lease 1
      rap-dhcp-pool-netmask 255.255.255.0
      rap-dhcp-pool-start 192.168.1.10
      rap-dhcp-pool-end 192.168.1.50
      rap-dhcp-server-id 192.168.1.1
      rap-dhcp-server-vlan 192

    // Create wired AP profile for printer
    ap wired-ap-profile "ap_wired_ap_prof"
      wired-ap-enable
      switchport access vlan 192
      forward-mode bridge

    // Create wired port profile
    ap wired-port-profile "ap_wired_port_prof"
      wired-ap-profile "ap_wired_ap_prof"
      aaa-profile "remote_employee_role"

    // Create printer network alias
    netdestination printers_local_subnet
      network 192.168.1.0 255.255.255.0

    // Create split-tunnel ACL for authenticated wireless user
    ip access-list session remote_employee
      user alias printers_local_subnet any route src-nat
      user any any  permit

    // Create role for authenticated wireless user
    user-role remote_employee_role
      session-acl remote_employee

     

    Does that look correct as far as your suggestions go?



  • 11.  RE: RAP - VLAN Considerations

    Posted Mar 21, 2012 05:08 PM

    // Create printer network alias
    netdestination printers_local_subnet
      network 10.0.0.0 255.0.0.0

     

    The network for the printer alias should be 192.168.1.x because if the printers are on the bridge port they get an IP from this subnet.

     

    The VAP for wireless users will have the corporate VLAN for the 10.0.0.x subnet, i.e. the users will get an IP from the HQ DHCP server.

     

    The user role assigned for printers should allow connections to the printers from the user subnet, so you can either do "any any any allow" for printers, but for security purposes you can define an alias called internal-network with network 10.0.0.0 and have "alias internal-network alias printer-local-subnet any permit". This way only the corp users can access the printers.

     

    Regards,

    Sathya
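The restricted printer-port role described in the reply above, as an added ArubaOS 6.x example that is not part of the thread. It reuses the thread's 10.0.0.0/8 corporate range, the 192.168.1.0/24 printer subnet and the ap_wired_ap_prof profile from the earlier post; the ACL, role, AAA profile and wired-port-profile names are assumptions, as is enet1 as the RAP's printer port (port numbering differs by RAP model). The svc-dhcp rule is added so the printer can still lease its address from the RAP's pool once the deny rule is in place.

```text
! Added example (not from the thread): bridged printer port on the RAP,
! locked down so only corporate sources reach the printer subnet.
! All names, and enet1 as the printer port, are assumptions.
netdestination internal-network
  network 10.0.0.0 255.0.0.0
!
netdestination printers-local-subnet
  network 192.168.1.0 255.255.255.0
!
! Weak option from the reply above: anything that reaches the bridged
! port, not just corporate clients, may talk to the printer.
ip access-list session printer-port-open
  any any any permit
!
! Restricted option: DHCP first so the printer can lease its address from
! the RAP pool, then corporate -> printer subnet only, everything else dropped.
ip access-list session printer-port-restricted
  any any svc-dhcp permit
  alias internal-network alias printers-local-subnet any permit
  any any any deny
!
user-role printer-port-role
  session-acl printer-port-restricted
!
aaa profile "printer-port-aaa"
  initial-role printer-port-role
!
! Bind the role to the bridged wired port (wired-ap profile from the
! config posted earlier in the thread) and assign it to the group's enet1.
ap wired-port-profile "printer-port-prof"
  wired-ap-profile "ap_wired_ap_prof"
  aaa-profile "printer-port-aaa"
!
ap-group "branch-sites"
  enet1-port-profile "printer-port-prof"
```

printer-port-open is shown only for contrast; only printer-port-restricted is bound to the role. Keep the svc-dhcp permit ahead of the deny: with any any any deny alone the printer, sitting in the initial role until it has an address, would never obtain a lease from the RAP's 192.168.1.x pool.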



  • 12.  RE: RAP - VLAN Considerations

    Posted Mar 21, 2012 06:20 PM

    @sathya wrote:

    // Create printer network alias
    netdestination printers_local_subnet
      network 10.0.0.0 255.0.0.0

     

    The network for the printer alias should be 192.168.1.x because if the printers are on the bridge port they get an IP from this subnet.

     



    Sorry, that was a copy/paste error on my part.

     


    @sathya wrote:

    The user role assigned for printers should allow connections to the printers from the user subnet, so you can either do "any any any allow" for printers, but for security purposes you can define an alias called internal-network with network 10.0.0.0 and have "alias internal-network alias printer-local-subnet any permit". This way only the corp users can access the printers.


    Thanks!  I'll define the source and destination networks since I'm slightly paranoid. :)

     

    Thank you for all the help, sathya.