If you think that this traffic flow should work then I'd recommend opening a case with TAC to try and get a definitive answer on supported/unsupported. If this flow should work and isn't, then a bug will need to be opened.
With that said, what you are attempting to do is basically what MultiZone was developed to accomplish.
Original Message:
Sent: Mar 28, 2024 04:43 AM
From: ssmith764
Subject: Tunnel SSID DHCP issue
Ok, so this is the reason - a bit of a long answer:
The deployment is a large airport split into multiple layer 3 domains. The wireless is all common infrastructure owned by the airport, and third parties such as retail stores and restaurants are not allowed to deploy their own wireless services; they must use the common infrastructure and buy a service from the airport. Many customers already have a bridge mode service deployed on an AP in their store with an SSID of their own. The user traffic is handed off at layer 2 and can then be managed by the customer with their own broadband service or connection to HQ etc. As you can imagine, this causes massive SSID proliferation, and secondly, the customer cannot use their wireless service beyond the bounds of their store.

We have a common SSID solution broadcast over the entire airport which uses a single tunnel mode SSID with 802.1X authentication. With this, we can give customers a unique username and password and then place them into a VLAN unique to them. This works very well if the customer can place their wired equipment in the airport datacentre, as this can then have a direct layer 2 connection to the WLAN controllers. Many times this is not the case though, as the customer will have equipment in store which is in a separate layer 3 domain to the WLAN controllers. In this case the only option for the common SSID is to create an MPLS VPN between the two domains, which is expensive and complex. There is another reason for not wanting bridge mode anymore, and that is because the cyber security team do not like the lack of visibility into user traffic that occurs with bridge mode vs tunnel.

We wanted to explore the option of providing the customer with a 505H with a wired port in a VLAN unique to them where they can connect their in-store router. They can then use the wireless service anywhere in the airport and we have full visibility of all traffic, as it is all tunnelled.
Bear in mind this is a very large airport with multiple terminals. The same customer may have a store in every terminal so to be able to use the egress in one terminal for all stores is very appealing.
For the solution we are looking at, the only issue appears to be the DHCP traffic. If a static IP is set on a wireless device it can access the router on the wired side. If a device is plugged into a second wired port it obtains an IP via DHCP, so it is clear that the DHCP request does not pass between wired and wireless. I have also tried changing the ap-uplink-acl to an allowall rule but this didn't work either.
Hopefully this makes sense.
------------------------------
--------------------
Stewart Smith
ACMX, ACDX, ACCP, ACSA
--------------------
Original Message:
Sent: Mar 28, 2024 03:29 AM
From: TRS-80
Subject: Tunnel SSID DHCP issue
I'll bite. Why don't you want bridge mode any more?
Original Message:
Sent: Mar 27, 2024 09:46 AM
From: Stewart Smith
Subject: Tunnel SSID DHCP issue
Low IQ response there Leo. If you don't understand it maybe don't bother posting eh?
Stewart Smith
ACMX, ACDX, ACCP, ACSA
Original Message:
Sent: Mar 27, 2024 09:22 AM
From: leo.ma
Subject: Tunnel SSID DHCP issue
This design is crazy
leo ma
ACMX
Original Message:
Sent: Mar 25, 2024 10:38 AM
From: ssmith764
Subject: Tunnel SSID DHCP issue
We are operating our wireless system in a provider model where all APs are managed by us and customers purchase a wireless service for their demise. Customers will typically provide their own router and internet service or connectivity to their own corporate systems. For security reasons we no longer want to provide bridge mode services. What we want to do is provide a tunnel mode SSID for the customer and a 505H with a wired port configured in the same VLAN as the tunnel SSID where the customer can connect their own router or other wired devices. With a router running DHCP plugged into the wired port of the AP, wireless clients cannot obtain an IP address. If I set a static IP on the wireless client I am able to ping the router. If I put two wired ports in the same tunnel VLAN, one to the router and one to the client, I can obtain an IP address on a wired client.
The user role is an any-any-any permit. Broadcast is enabled on the wired ports.
Any ideas why the client DHCP broadcast traffic is not reaching the router? I tried debug logging and a packet capture but did not see anything helpful.
Setup is MM/MD.
Stewart Smith
ACMX, ACDX, ACCP, ACSA
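The original post says a packet capture "did not see anything helpful". What usually makes a capture useful for this kind of fault is correlating the DHCP exchange by transaction ID across two capture points (the wireless client side and the wired/router side) so you can state exactly which message stopped where. The script below is an added example, not code from the thread or from Aruba; it assumes two capture points named "wireless" and "wired", operates on the BOOTP/DHCP UDP payload only, and the packets it analyses are constructed inline for illustration (a stalled DISCOVER, a complete lease, and a lost OFFER).

```python
"""Correlate DHCP exchanges seen at two capture points by transaction ID (xid)
and report where a lease attempt stalls.
Added example, not from the original thread; packets are constructed inline."""
import struct
from collections import defaultdict

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 options start marker
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

# Verdicts returned by diagnose(); hypothetical wording for this example.
V_NO_DISCOVER = "no DISCOVER from client at client-side capture point"
V_DISCOVER_LOST = "DISCOVER seen client-side but not server-side: broadcast not reaching the wired port"
V_NO_OFFER = "DISCOVER reached server side but no OFFER: DHCP server did not answer"
V_OFFER_LOST = "OFFER seen server-side but not client-side: reply not returned to the client"
V_INCOMPLETE = "OFFER reached client but no ACK seen client-side: exchange incomplete"
V_COMPLETE = "complete DISCOVER/OFFER/REQUEST/ACK seen at both capture points"


def build_dhcp(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", broadcast=True):
    """Construct a minimal BOOTP/DHCP payload (test data, not a real capture)."""
    flags = 0x8000 if broadcast else 0                    # BOOTP broadcast bit
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, flags)
    # ciaddr (0), yiaddr, siaddr (0), giaddr (0)
    hdr += bytes(4) + bytes(map(int, yiaddr.split("."))) + bytes(8)
    hdr += chaddr + bytes(10) + bytes(64) + bytes(128)    # chaddr pad, sname, file
    opts = MAGIC_COOKIE + bytes([53, 1, msg_type]) + bytes([255])
    return hdr + opts


def parse_dhcp(payload):
    """Parse the fixed BOOTP header and the option 53 message type."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr, yiaddr, siaddr, giaddr = struct.unpack("!4s4s4s4s", payload[12:28])
    chaddr = payload[28:28 + hlen]
    options, i = {}, 240
    while i < len(payload):                               # TLV walk until END (255)
        code = payload[i]
        if code == 255:
            break
        if code == 0:                                     # PAD
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "xid": xid, "chaddr": chaddr.hex(":"),
        "broadcast": bool(flags & 0x8000),
        "yiaddr": ".".join(map(str, yiaddr)),
        "giaddr": ".".join(map(str, giaddr)),
        "msg_type": MSG_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN"),
    }


def diagnose(captures, client_point="wireless", server_point="wired"):
    """captures: {capture point name: [DHCP payload, ...]}.  Returns {xid: verdict}."""
    seen = defaultdict(lambda: defaultdict(set))          # xid -> msg type -> points
    for point, packets in captures.items():
        for payload in packets:
            msg = parse_dhcp(payload)
            seen[msg["xid"]][msg["msg_type"]].add(point)
    verdicts = {}
    for xid, by_type in seen.items():
        disc, offer, ack = by_type["DISCOVER"], by_type["OFFER"], by_type["ACK"]
        if client_point not in disc:
            verdicts[xid] = V_NO_DISCOVER
        elif server_point not in disc:
            verdicts[xid] = V_DISCOVER_LOST
        elif not offer:
            verdicts[xid] = V_NO_OFFER
        elif client_point not in offer:
            verdicts[xid] = V_OFFER_LOST
        elif client_point not in ack:
            verdicts[xid] = V_INCOMPLETE
        else:
            verdicts[xid] = V_COMPLETE
    return verdicts


# Constructed sample captures (hypothetical MAC and addresses).
CLIENT_MAC = bytes.fromhex("aabbccddee01")


def client(xid, msg_type):
    return build_dhcp(1, xid, CLIENT_MAC, msg_type)


def server(xid, msg_type, ip):
    return build_dhcp(2, xid, CLIENT_MAC, msg_type, yiaddr=ip)


SAMPLE_CAPTURES = {
    "wireless": [client(0x1001, 1),                                        # stalled
                 client(0x2002, 1), server(0x2002, 2, "10.20.30.50"),      # complete
                 client(0x2002, 3), server(0x2002, 5, "10.20.30.50"),
                 client(0x3003, 1)],                                       # offer lost
    "wired":    [client(0x2002, 1), server(0x2002, 2, "10.20.30.50"),
                 client(0x2002, 3), server(0x2002, 5, "10.20.30.50"),
                 client(0x3003, 1), server(0x3003, 2, "10.20.30.51")],
}

if __name__ == "__main__":
    for xid, verdict in sorted(diagnose(SAMPLE_CAPTURES).items()):
        print(f"xid 0x{xid:08x}: {verdict}")
```

To use it on a real capture, export the UDP payloads of port 67/68 traffic from each capture point (for example from a controller datapath capture and a mirror of the 505H wired port) and feed them in as the two lists. The xid 0x1001 case is the symptom in the thread: a DISCOVER visible on the wireless side that never appears on the wired port, which isolates the fault to broadcast forwarding between the tunnelled SSID and the AP's wired port rather than to the customer's router.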