Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Tunnel SSID DHCP issue

  • 1.  Tunnel SSID DHCP issue

    Posted Mar 25, 2024 10:39 AM

    We are operating our wireless system in a provider model where all APs are managed by us and customers purchase a wireless service for their demise. Customers typically will provide their own router and internet service or connectivity to their own corporate systems. For security reasons we no longer want to provide bridge mode services. What we want to do is provide a tunnel mode SSID for the customer and a 505H with a wired port configured in the same VLAN as the tunnel SSID where the customer can connect their own router or other wired devices. With a router running DHCP plugged into the wired port of the AP, wireless clients cannot obtain an IP address. If I set a static IP on the wireless client I am able to ping the router. If I put two wired ports in the same tunnel VLAN, one to the router and one to the client, I can obtain an IP address on a wired client.

    The user role is an any any any permit. Broadcast is enabled on the wired ports.

    Any ideas why the client DHCP broadcast traffic is not reaching the router? I tried debug logging and a packet capture but did not see anything helpful.


    Setup is MM / MD



    ------------------------------
    --------------------
    Stewart Smith
    ACMX, ACDX, ACCP, ACSA
    --------------------
    ------------------------------

    Attachment(s): Tunnel Drawing Aruba.pdf


  • 2.  RE: Tunnel SSID DHCP issue

    EMPLOYEE
    Posted Mar 25, 2024 11:24 AM

    Fairly certain this isn't a tested or validated scenario and as such this isn't a supported configuration.

    Pretty sure a DHCP broadcast isn't going to be sent back to the same AP that the client is connected to, not certain that the broadcast would be forwarded even to another AP.  DHCP servers are expected to be on the LAN side of the controller.

    Is there a reason you aren't using Instant and AirWave to provide this service?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Tunnel SSID DHCP issue

    Posted Mar 25, 2024 12:09 PM

    I am thinking that the broadcast should just be passed into the VLAN. It's not really a case of sending it back to the same AP, as the same thing does work when I place two wired ports into the same VLAN.

    Is there a reason you aren't using Instant and AirWave to provide this service? - Yes, this is an existing large deployment with controllers and campus APs. We don't want to use bridge mode either.



    ------------------------------
    --------------------
    Stewart Smith
    ACMX, ACDX, ACCP, ACSA
    --------------------
    ------------------------------



  • 4.  RE: Tunnel SSID DHCP issue

    EMPLOYEE
    Posted Mar 25, 2024 12:40 PM

    When you tested the two wired ports, did you happen to check if the sessions show up in the datapath table?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Tunnel SSID DHCP issue

    Posted 30 days ago

    Yes, the sessions do show up. I have TAC case open now so hopefully they will be able to confirm whether this should work. At the moment they think it should.



    ------------------------------
    --------------------
    Stewart Smith
    ACMX, ACDX, ACCP, ACSA
    --------------------
    ------------------------------



  • 6.  RE: Tunnel SSID DHCP issue

    Posted 30 days ago

    This design is crazy



    ------------------------------
    If my post was useful, please Accept Solution and Give Kudos.

    leo ma

    ACMX
    ------------------------------



  • 7.  RE: Tunnel SSID DHCP issue

    Posted 30 days ago



    ------------------------------
    --------------------
    Stewart Smith
    ACMX, ACDX, ACCP, ACSA
    --------------------
    ------------------------------



  • 8.  RE: Tunnel SSID DHCP issue

    Posted 30 days ago

    I'll bite. Why don't you want bridge mode any more?




  • 9.  RE: Tunnel SSID DHCP issue

    Posted 30 days ago

    Ok, so this is the reason - a bit of a long answer:

    The deployment is a large airport split into multiple layer 3 domains. The wireless is all common infrastructure owned by the airport, and third parties such as retail stores and restaurants are not allowed to deploy their own wireless services; they must use the common infrastructure and buy a service from the airport. Many customers already have a bridge mode service deployed on an AP in their store with an SSID of their own. The user traffic is handed off at layer 2 and can then be managed by the customer with their own broadband service or connection to HQ etc. As you can imagine this causes massive SSID proliferation and, secondly, the customer cannot use their wireless service beyond the bounds of their store. We have a common SSID solution broadcast over the entire airport which uses a single tunnel mode SSID with 802.1x authentication. With this, we can give customers a unique username and password and then place them into a VLAN unique to them, and this works very well if the customer can place their wired equipment in the airport datacentre as this can then have a direct layer 2 connection to the WLAN controllers. Many times this is not the case though, as the customer will have equipment in store which is in a separate layer 3 domain to the WLAN controllers. In this case the only option for the common SSID is to create an MPLS VPN between the two domains, which is expensive and complex. There is another reason for not wanting bridge mode anymore and that is because the cyber security team do not like the lack of visibility into user traffic that occurs with bridge mode vs tunnel. We wanted to explore the option of providing the customer with a 505H with a wired port in a VLAN unique to them where they can connect their in-store router. They can then use the wireless service anywhere in the airport and we have full visibility of all traffic as it is all tunnelled.

    Bear in mind this is a very large airport with multiple terminals. The same customer may have a store in every terminal so to be able to use the egress in one terminal for all stores is very appealing.

    For the solution we are looking at, the only issue appears to be the DHCP traffic. If a static IP is set on a wireless device it can access the router on the wired side. If a device is plugged into a second wired port it obtains an IP via DHCP, so it is clear that the DHCP request does not pass between wired and wireless. I have also tried changing the ap-uplink-acl to an allowall rule but this didn't work either.

    Hopefully this makes sense.



    ------------------------------
    --------------------
    Stewart Smith
    ACMX, ACDX, ACCP, ACSA
    --------------------
    ------------------------------



  • 10.  RE: Tunnel SSID DHCP issue

    EMPLOYEE
    Posted 29 days ago

    If you think that this traffic flow should work then I'd recommend opening a case with TAC to try and get a definitive answer on supported/unsupported.  If this flow should work and isn't, then a bug will need to be opened.

    With that said, what you are attempting to do is basically what Multizone was developed to accomplish.


    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 11.  RE: Tunnel SSID DHCP issue

    EMPLOYEE
    Posted 28 days ago

    Please consider that this is an international forum, and not all contributors master the English language to the same level. This is a quite exceptional/rare situation, which may be what that response was meant to say but with (maybe even Google translate) poor translation.

    Personally, I would +1 the chulcher response as I would not see why this would not work, but it is an interesting application of the technology that I have not seen/considered before. Which is something that can bring exciting new insights, so please let us know if you got further to make this work.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 12.  RE: Tunnel SSID DHCP issue

    Posted 8 days ago

    So we now have this working. The deployment is a cluster of controllers and we had not added the user VLAN to the distribution switch uplinks. Adding it allowed the wireless user to obtain a DHCP address. This is quite strange, as using a static IP worked and the client always appeared on the same controller as the AP. Maybe all controllers in the cluster need to see the DHCP request?

    Anyway, we are pleased this is working.



    ------------------------------
    --------------------
    Stewart Smith
    ACMX, ACDX, ACCP, ACSA
    --------------------
    ------------------------------
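A diagnostic for the stall described in posts 9 and 12 (the DISCOVER leaves the wireless client but no OFFER ever comes back from the router on the wired port), added here as an example and not code from the thread or from HPE Aruba: it parses raw DHCP payloads (UDP payload only, with the IP/UDP headers already stripped by whatever capture tool you use) and reports, per client MAC, the stage at which the lease exchange stopped. The capture bytes are constructed inline.

```python
import struct
from collections import defaultdict

DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that starts the options field

def parse_dhcp(payload: bytes) -> dict:
    """Pull xid, client MAC and message type (option 53) from a raw DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    xid = struct.unpack("!I", payload[4:8])[0]
    mac = payload[28:28 + hlen].hex(":")          # chaddr field
    msg_type, i = None, 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                              # 0 = pad, no length byte
            i += 1
            continue
        tag, length = payload[i], payload[i + 1]
        if tag == 53 and length == 1:
            msg_type = DHCP_TYPES.get(payload[i + 2], "UNKNOWN")
        i += 2 + length
    return {"xid": xid, "mac": mac, "type": msg_type}

def build_dhcp(op: int, xid: int, mac: bytes, msg_type: int) -> bytes:
    """Constructed sample payload (demo only): fixed BOOTP header + option 53."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                      b"", b"", b"", b"", mac, b"", b"")   # struct zero-pads short fields
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])

def stalled_transactions(payloads) -> dict:
    """Group messages by (xid, MAC) and name the stage where each lease stalled."""
    seen = defaultdict(set)
    for p in payloads:
        m = parse_dhcp(p)
        seen[(m["xid"], m["mac"])].add(m["type"])
    report = {}
    for (_, mac), types in seen.items():
        if "DISCOVER" in types and "OFFER" not in types:
            report[mac] = "DISCOVER seen, no OFFER: broadcast not reaching the server"
        elif "REQUEST" in types and "ACK" not in types:
            report[mac] = "REQUEST seen, no ACK"
    return report

def demo() -> dict:
    """Constructed capture: client A never gets an OFFER, client B completes a lease."""
    a, b = bytes.fromhex("aabbcc001122"), bytes.fromhex("aabbcc003344")
    pkts = [build_dhcp(1, 0x11, a, 1), build_dhcp(1, 0x22, b, 1), build_dhcp(2, 0x22, b, 2),
            build_dhcp(1, 0x22, b, 3), build_dhcp(2, 0x22, b, 5)]
    return stalled_transactions(pkts)
```

Feeding it the DHCP payloads from a capture taken on the controller's uplink, rather than on the AP, would show directly whether the DISCOVER ever reaches the VLAN the router sits in.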