My current setup has our wireless and wired laptop users put onto the same subnet, but I'm wondering what the best practice for this actually is.
One of the problems I've encountered with this setup is when a laptop is hooked up to a docking station and has both a wired and wireless connection on the same subnet. Usually Windows would prioritize the Ethernet connection, but this isn't always the case. Users lose connection intermittently due to having two NICs on the same subnet.
What designs are other people using?
Best practice: use different subnets for wired, wireless and guests.
Keep your subnets small, such as 255.255.255.0. When you need more than 254 IP addresses, create an extra VLAN. With Aruba wireless controllers you can use VLAN pooling to spread wireless clients across different guest VLANs.
Is there a reason behind keeping them in separate subnets outside of reducing the broadcast domain?
My deployment is limited by hardware in the number of VLANs we can have, so we've had to make some larger subnets, one being the wired/wireless subnet for office workers (changes to this in 1-2 years, hopefully). We're currently at max VLAN capacity (245 VLANs).
If you are reaching your VLAN limit and are already using larger subnets then consider using a single VLAN architecture for WLAN. I've attached a doc which explains this in further detail. You will still need to keep LAN and WLAN separate.
Thank you for the guide, I'll give it a read.
You also suggest keeping the WLAN and LAN on separate subnets. The guide may cover this, which I'll get to shortly, but what reasons are there for keeping them separate? The only one I'm able to see at this time is to keep their broadcast domains separate.
Lastly, wired and wireless clients should not be sharing the same VLAN. Use separate VLANs for wired clients and, if needed, use multiple smaller subnets to restrict broadcast domain for wired devices. The Single VLAN architecture is for wireless LAN only, as the controller has a lot of visibility and control over wireless users, but none for wired devices. The obvious problems related to large VLANs on wired networks still apply.
Keep wired and wireless in separate broadcast domains if you can. Otherwise the wired broadcasts will flood your wireless network. Wireless networks are half-duplex ;)
There is a feature in Aruba with which you can convert broadcast to unicast packets.
My understanding of this now is that keeping wired and wireless on different subnets is a best practice, but the impact if they aren't is not significant, depending on the number of clients and the subnet size? Basically the same as any large subnet with a large client base.
The second part of my original post is how everyone handles devices with two interfaces, wired and wireless, for laptops. Usually Ethernet takes priority when connected, but not always. Having two network interfaces with gateways assigned will cause conflicts. I try to educate users to disable wireless when docked, as Windows doesn't always act as expected. Any better solutions?
Keeping wired and wireless separate was mainly a concern due to all of the broadcasts that wired traffic creates. Those broadcasts degrade wireless traffic. We do have very good broadcast suppression, so why keep them separate anymore? Answer: to separate your troubleshooting and security domains. You want to be able to quickly compare any problems you have on the wireless network with the wired network to diagnose problems quickly. In an Aruba network, you can apply roles to traffic, which can limit what specific types of users can do. If you mix those users with wired users, it will affect that security model. In many circumstances you would also want to treat wired and wireless clients differently. Keeping them in different VLANs allows you to do that.
Windows prefers the interface that has the highest cost (output of the "route print" command). If your wired users only have a 100 Mb interface, Windows will prefer a wireless interface that negotiates at 200 Mb. If your users connect via a gigabit Ethernet connection, it is much less likely that Windows would prefer the wireless interface for traffic, even though it would still be connected and send broadcasts to that client.
Some Windows wireless drivers have an option to disable wireless when wired is connected.
When devices are dual-connected, at times wired traffic will "leak" to the wireless side and create a duplicate user in the user table on the WLC with the wired IP address for that user. You can deal with that by enabling "enforce dhcp" on the AAA profile, or by editing the validuser ACL to only allow clients requesting IP addresses from wireless subnets. http://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-validuser-ACL-and-its-uses/ta-p/178584
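The route-selection point above (Windows picks the default route with the lowest metric, and the automatic metric is derived from link speed, so a fast Wi-Fi link can win over a 100 Mb docking-station port) can be checked and pinned from PowerShell. This is an added example, not from the thread or from Aruba; the adapter names 'Ethernet' and 'Wi-Fi' are assumptions to adjust per machine, and it must run elevated.

```powershell
# Added example (not from the thread): make the docked Ethernet link win over Wi-Fi
# by giving it an explicitly lower IPv4 interface metric instead of relying on the
# link-speed-based automatic metric. Adapter names below are assumptions; compare
# with Get-NetAdapter on the target machine. Run from an elevated PowerShell.

$WiredName    = 'Ethernet'   # assumption: alias of the docking-station NIC
$WirelessName = 'Wi-Fi'      # assumption: alias of the WLAN adapter

# 1. Show what Windows would pick today. Among default routes, the lowest
#    RouteMetric + InterfaceMetric wins; with automatic metrics a 200 Mb/s
#    Wi-Fi link can therefore beat a 100 Mb/s wired link.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
    Select-Object InterfaceAlias, NextHop, RouteMetric, InterfaceMetric |
    Format-Table -AutoSize

# 2. Pin the metrics: wired gets the lower (preferred) value.
Set-NetIPInterface -InterfaceAlias $WiredName    -AddressFamily IPv4 -InterfaceMetric 10
Set-NetIPInterface -InterfaceAlias $WirelessName -AddressFamily IPv4 -InterfaceMetric 50

# 3. Verify the result on both interfaces.
$metrics = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object InterfaceAlias -in @($WiredName, $WirelessName) |
    Select-Object InterfaceAlias, InterfaceMetric, ConnectionState
$metrics | Format-Table -AutoSize

$wired = ($metrics | Where-Object InterfaceAlias -eq $WiredName).InterfaceMetric
$wifi  = ($metrics | Where-Object InterfaceAlias -eq $WirelessName).InterfaceMetric
if ($null -ne $wired -and $null -ne $wifi -and $wired -lt $wifi) {
    'OK: wired interface is preferred while docked'
} else {
    'WARNING: Wi-Fi still preferred or adapter alias not found; check Get-NetAdapter'
}
```

Pinning the metric only fixes which default route is used; the Wi-Fi adapter stays associated and keeps answering broadcasts, so the controller-side validuser ACL or "enforce dhcp" setting from the post above is still what stops the duplicate user-table entries.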