Brocade Communications Systems RFS6000 System Reference Manual page 28

1
Multiple VLANs per WLAN
The switch permits the mapping of a WLAN to more than one VLAN. When a client associates with a
WLAN, the client is assigned a VLAN by means of load balance distribution. The VLAN is picked
from a pool assigned to the WLAN. The switch tracks the number of Clients per VLAN, and assigns
the least used/loaded VLAN to the client. This number is tracked on a per-WLAN basis.
A broadcast key, unique to the VLAN, encrypts packets coming from the VLAN. If two or more Clients
are on two different VLANs, they both hear the broadcast packet, but only one can decrypt it. The
switch provides each client a unique VLAN broadcast key as part of the WPA2 handshake or group
key update message of a WPA handshake.
Limiting Users Per VLAN
Not all VLANs within a single WLAN must have the same DHCP pool size. Assign a user limit to each
VLAN to allow the mapping of different pool sizes.
Specify the VLAN user limit. This specifies the maximum number of Clients associated with a VLAN
(for a particular WLAN). When the maximum client limit is reached, no more Clients can be
assigned to that VLAN.
Packet Flows
There are four packet flows supported when the switch is configured to operate with multiple VLAN
per WLAN:
•
•
•
•
Roaming within the Switch
When a client is assigned to a VLAN, the switch registers the VLAN assignment in its credential
cache. If the client roams, it is assigned back to its earlier assigned VLAN. The cache is flushed
upon detected client inactivity or if the client associates over a different WLAN (on the same
switch).
16
Unicast From Mobile Unit – Frames are decrypted, converted from 802.11 to 802.3 and
switched to the wired side of the VLAN dynamically assigned to the mobile device. If the
destination is another mobile device on the wireless side, the frame is encrypted and switched
over the air.
Unicast To Mobile Unit – The frame is checked to ensure the VLAN is same as that assigned to
the mobile device. It is then converted to an 802.11 frame, encrypted, and sent over the air.
Multicast/Broadcast From Mobile Unit – The frame is treated as a unicast frame from the
client, with the exception that it is encrypted with the per-VLAN broadcast key and then
transmitted over the air.
Multicast/Broadcast from Wired Side – If the frame comes from a VLAN mapped to the WLAN,
it's encrypted using a per-VLAN broadcast key and transmitted over the air. Only Clients on that
VLAN have a broadcast key that can decrypt this frame. Other Clients receive it, but discard it.
In general, when there are multiple VLANs mapped to the same WLAN, the broadcast buffer
queue size scales linearly to accommodate a potential increase in the broadcast packet
stream.
Brocade Mobility RFS4000, RFS6000, and RFS7000 System Reference Guide
53-1002515-01