Can VACL work properly when inter-subnet roaming?

Discussion in 'Cisco' started by worldwidestar, Oct 21, 2007.

  1. Hello!

    I am just learning about wireless roaming. I have a doubt about inter-subnet

    Refer to

    When inter-subnet roaming occurs, the wireless client moves from a
    subnet/VLAN-x to subnet/VLAN-y. Besides, after roaming, data sent from
    the client will be forwarded as VLAN-y data, even though data destined
    to the client still belongs to VLAN-x.

    Assume that a VACL has been configured previously to impose some
    effects on the client, but the VACL only filters data in VLAN-x. After
    inter-subnet roaming, all data generated by the client is forwarded
    as VLAN-y data, so it seems that the VACL can no longer filter it.

    Is my understanding correct?

    Thank you.
    worldwidestar, Oct 21, 2007

  2. Trendkill Guest

    As I understand them, the VACLs only affect traffic that goes in or
    out of the virtual LAN. Therefore, if the traffic is not coming in
    and being redirected, then no, the VACL would not inspect the traffic
    and permit/deny. I'm not an expert on wireless roaming, but provided
    your VACL is based on destination traffic and not source, I would
    think it should be as flexible as you need it, as then you can just
    place the same VACL on all your wireless networks.
    Trendkill, Oct 22, 2007

  3. Hi, Mr.Trendkill.

    A VACL doesn't affect any traffic going out of/into a VLAN, but only
    traffic within the VLAN.

    So suppose we have configured a VACL for VLAN-x, in order to forbid
    communication between client-a and client-b. Before roaming, all
    traffic between client-a and client-b belongs to VLAN-x.

    After roaming, client-a moves its association from AP-1 to AP-2. Now,
    if client-a sends (not receives) data to client-b, the data belongs to
    VLAN-y (not VLAN-x). Thus, this data will be forwarded into VLAN-x,
    to client-b, without inspection by the VACL.

    I don't have enough devices to do experiments. I can only reason about
    it abstractly. I hope someone can give a clear answer.
    worldwidestar, Oct 23, 2007
  4. Trendkill Guest

    VACLs do affect traffic going into/out of a VLAN on a particular
    switch. I have many VACLs in my production network for sniffing
    activities that basically copy all traffic to or from a particular
    source or destination, including some VACLs that are VLAN-wide. The
    VACLs are then used to send traffic to a port with a sniffer on it.
    If the VACLs are not referenced when traffic comes in or out of a VLAN
    on a particular switch, then when are they? And when would the switch
    know when to run traffic through the ACL in the VACL? ACLs are always
    used when traffic is sent or received on a particular logical or
    virtual interface, and in this case it's the layer 2 VLAN, as opposed
    to the layer 3 SVI on an MSFC, which is how regular ACLs work.

    In the you reference above, any traffic received on a switch port by a
    particular switch would be run through that VACL, as that traffic is
    coming 'into' that VLAN on that switch port. Granted, logically it is
    already in that VLAN, but that is the first time the switch has seen
    it. Therefore, you want a VACL to block all traffic not to/from the
    gateway in any VLANs that are assigned to wireless clients. Where this
    becomes tricky is when they are split into different networks and you
    still want to block access, which I would do with a regular ACL on the
    MSFC or router to block all traffic between the wireless networks.
    Trendkill, Oct 23, 2007
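    One way to put the suggestions in this thread into Cisco IOS configuration, as an added example that is not from the original posts: the same VACL (dropping client-a to client-b traffic, forwarding everything else) is applied to both wireless VLANs, so a frame client-a sends after roaming is inspected on VLAN-y just as it was on VLAN-x, and a routed ACL on the SVIs covers traffic between the two wireless subnets. VLAN numbers, addresses and ACL names are constructed assumptions.

```cisco
! Constructed example: VLAN 10 = VLAN-x, VLAN 20 = VLAN-y (both wireless client VLANs)
! client-a = 10.1.10.11, client-b = 10.1.10.12, SVIs 10.1.10.1 and 10.1.20.1
!
! Traffic to match: client-a <-> client-b. In a VACL the ACL's "permit"
! lines are match conditions, not a permit action. The match is on IP
! addresses, which the client keeps after inter-subnet roaming.
ip access-list extended CLIENT-A-TO-B
 permit ip host 10.1.10.11 host 10.1.10.12
 permit ip host 10.1.10.12 host 10.1.10.11
!
! Everything else.
ip access-list extended ANY-IP
 permit ip any any
!
! Sequence 10 drops client-a <-> client-b; sequence 20 forwards the rest.
! Without sequence 20 the access map's implicit deny would drop all other
! IP traffic in the filtered VLANs.
vlan access-map WLAN-ISOLATE 10
 match ip address CLIENT-A-TO-B
 action drop
vlan access-map WLAN-ISOLATE 20
 match ip address ANY-IP
 action forward
!
! Apply the one map to both wireless VLANs: before roaming client-a's
! frames are checked as they enter VLAN 10, after roaming as they enter VLAN 20.
vlan filter WLAN-ISOLATE vlan-list 10,20
!
! Routed (SVI) ACL, as suggested above, for traffic between the two
! wireless subnets once it is being routed rather than bridged.
ip access-list extended WLAN-INTER-SUBNET
 deny   ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
 deny   ip 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255
 permit ip any any
interface Vlan10
 ip access-group WLAN-INTER-SUBNET in
interface Vlan20
 ip access-group WLAN-INTER-SUBNET in
```

    Check the result with `show vlan access-map` and `show vlan filter`; the VACL counts on a VLAN only confirm frames were evaluated there, so test from a roamed client to confirm the drop actually takes effect on VLAN 20.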
  5. Hi, Mr.Trendkill.

    Hmm, I recall it.

    The TCAM performs the entire VACL match and action, as packets are
    ***switched or bridged within a VLAN***, or ***routed into or out of a

    Thank you for the reminder.

    So VACL can still work properly when clients do inter-subnet roaming.
    worldwidestar, Oct 23, 2007
