Jethro R Binks wrote:
> On Tue, 13 Apr 2010, David Pick wrote:
>
>> But there's another "trick" they pull on the wired side: they expect the
>> controller to have an IP address on each VLAN to which clients can be
>> assigned, and they "fiddle" with ARP responses so that the clients are
>> told that the MAC address associated with the default gateway is the
>> controller rather than the real default gateway, and then they re-write
>> packets to get them to the actual default gateway for the subnet. This
>> doesn't live nicely on our network, and may not on yours; watch out for
>> it.
>
> Can you elaborate on what aspect of your network it is that means this
> trick doesn't work so well for you?

On a network where the DHCP server is configured to offer all addresses
within a subnet (except for itself/default gateway) some reconfiguration
is needed to make a space for the Meru controller (the controller cannot
request an address via DHCP). On some networks this isn't a problem -
however it is for our network.

We have a VLAN with a /21 allocation (public IP space). The IP address
allocated by the DHCP server is in the format 10.x.y.1 where x.y
correspond to the last 2 parts of the public IP address and we
one-to-one NAT between the two.

Each 10.x.y.1 is part of a /30 subnet where the only other address is an
alias on the router. Yes, our router has LOTS of alias addresses. We do
this so we can apply firewall rules to all inter-client traffic.

We have a script which builds the DHCP config and creates the alias
addresses etc.

To give the Meru controller an address on this VLAN, we would need to
modify our script (not trivial) and the Meru controller would deliver
inter-client traffic directly without going through our router (so we
would also need to re-create all the firewall rules within the Meru
controller as well).

There are some other potential problems if we decided to load balance
and not have all default routes going via the same physical router as
the Meru controller would send all off-net traffic to its default route
rather than the client's default route.

-Jeff
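
The per-client /30 layout described in the message above, modelled as an added example (not part of the original post and not the site's own script). It shows why no /30 has a free host for a controller and why no two clients are ever on-link with each other. Assumptions: the public block 198.18.8.0/21 is a constructed placeholder, every address in it is mapped, and the function names are hypothetical.

```python
import ipaddress

def client_plan(public_ip):
    """Map one public address to the private /30 described in the post."""
    pub = ipaddress.ip_address(public_ip)
    x, y = pub.packed[2], pub.packed[3]        # last two octets of the public IP
    subnet = ipaddress.ip_network(f"10.{x}.{y}.0/30")
    # A /30 has exactly two usable hosts: .1 is the client (per the post),
    # so the router alias can only be .2.
    client, router_alias = subnet.hosts()
    return {"public": pub, "subnet": subnet,
            "client": client, "router_alias": router_alias}

def build_plan(public_block):
    """One /30 per address in the public block (assumption: all are mapped)."""
    return [client_plan(ip) for ip in ipaddress.ip_network(public_block)]

def spare_hosts(plan):
    """Usable addresses not already taken by the client or the router alias."""
    return [h for p in plan for h in p["subnet"].hosts()
            if h not in (p["client"], p["router_alias"])]

def on_link_peers(plan, entry):
    """Other clients this client could reach without crossing the router."""
    return [p["client"] for p in plan
            if p is not entry and p["client"] in entry["subnet"]]

if __name__ == "__main__":
    plan = build_plan("198.18.8.0/21")         # constructed placeholder block
    first = plan[0]
    print(len(plan), "client subnets")
    print(first["public"], "<->", first["client"], "gw", first["router_alias"])
    print("spare hosts for a controller:", len(spare_hosts(plan)))
    print("on-link peers of first client:", on_link_peers(plan, first))
```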