Can VACL work properly when inter-subnet roaming?

Hello!

I am just learning about wireless roaming. I have a doubt about inter-subnet roaming.

Refer to

When inter-subnet roaming occurs, the wireless client moves from subnet/VLAN-x to subnet/VLAN-y. Besides, after roaming, data sent from the client will be forwarded as VLAN-y data, even though data destined to the client still belongs to VLAN-x.

Assume that a VACL has been configured previously to impose some effects over the client, but the VACL only filters data in VLAN-x. After inter-subnet roaming, all data generated by the client are forwarded as VLAN-y's data, so it seems that the VACL cannot filter them any longer.

Is my understanding correct?

Thank you.

Reply to
worldwidestar

As I understand them, the VACLs only affect traffic that goes in or out of the virtual LAN. Therefore, if the traffic is not coming in and being redirected, then no, the VACL would not inspect the traffic and permit/deny. I'm not an expert on wireless roaming, but provided your VACL is based on destination traffic and not source, I would think it should be as flexible as you need it, as then you can just place the same VACL on all your wireless networks.

Reply to
Trendkill


Hi, Mr.Trendkill.

A VACL doesn't affect any traffic going out of/into a VLAN, but only traffic within the VLAN.

So suppose we have configured a VACL for VLAN-x, in order to forbid communication between client-a and client-b. Before roaming, all traffic between client-a and client-b belongs to VLAN-x.

After roaming, client-a moves its association from AP-1 to AP-2. Now, if client-a sends (not receives) data to client-b, the data belongs to VLAN-y (not VLAN-x). Thus, these data will be forwarded into VLAN-x, to client-b, without inspection by the VACL.

I don't have enough devices to do experiments. I can only guess abstractly. I hope someone could give a clear answer.

Reply to
worldwidestar


VACLs do affect traffic going into/out of a VLAN on a particular switch. I have many VACLs in my production network for sniffing activities that basically copy all traffic to or from a particular source or destination, including some VACLs that are VLAN wide. The VACLs are then used to send traffic to a port with a sniffer on it. If the VACLs are not referenced when traffic comes in or out of a VLAN on a particular switch, then when are they? And when would the switch know when to run traffic through the ACL in the VACL? ACLs are always used when traffic is sent or received on a particular logical or virtual interface, and in this case, it's the layer 2 VLAN, as opposed to the layer 3 SVI on an MSFC, which is how regular ACLs work.

In what you reference above, any traffic received on a switch port by a particular switch would be run through that VACL, as that traffic is coming 'into' that VLAN on that switch port. Granted, logically it is already in that VLAN, but that is the first time the switch has seen it. Therefore, you want a VACL to block all traffic not to/from the gateway in any VLANs that are assigned to wireless clients. Where this becomes tricky is when they are split into different networks and you still want to block access, which I would do with a regular ACL on the MSFC or router to block all traffic between the wireless networks completely.

Reply to
Trendkill

Hi, Mr.Trendkill.

Hmm, I recall it.

The TCAM performs the entire VACL match and action, as packets are ***switched or bridged within a VLAN***, or ***routed into or out of a VLAN***.

Thank you for the reminder.

So VACL can still work properly when clients do inter-subnet roaming.

Reply to
worldwidestar
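An added illustration (not posted by anyone in this thread) of the approach Trendkill suggested: the same VACL applied to both wireless VLANs, so that frames client-a sends after roaming into VLAN-y are still matched. VLAN numbers and host addresses are constructed placeholders, and the syntax is the Cisco IOS vlan access-map style.

```cisco
! Added example, not from the thread. Constructed values:
!   VLAN-x = 10, VLAN-y = 20
!   client-a = 10.1.0.10, client-b = 10.1.0.20 (both homed in VLAN 10)
! The ACL selects the traffic; the access-map decides what happens to it.
ip access-list extended WLAN-A-B-ISOLATE
 permit ip host 10.1.0.10 host 10.1.0.20
 permit ip host 10.1.0.20 host 10.1.0.10
!
vlan access-map WLAN-ISOLATE 10
 match ip address WLAN-A-B-ISOLATE
 action drop
vlan access-map WLAN-ISOLATE 20
 action forward
!
! Apply one map to both wireless VLANs. After client-a roams into VLAN 20 it
! keeps 10.1.0.10, so its frames enter VLAN 20 and are dropped there, not
! forwarded on into VLAN 10 unchecked.
vlan filter WLAN-ISOLATE vlan-list 10,20
```

Verify with `show vlan filter` and `show vlan access-map` that the map is attached to every VLAN a wireless client can roam into.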
