Motorola RFS7000 Series System Reference Manual page 34

1-20 Overview
• Unicast From Mobile Unit – Frames are decrypted, converted from 802.11 to 802.3 and switched to
the wired side of the VLAN dynamically assigned to the mobile device. If the destination is another
mobile device on the wireless side, the frame is encrypted and switched over the air.
• Unicast To Mobile Unit – The frame is checked to ensure that in addition to the destination MAC
address matching that of the mobile device, the VLAN is same as that assigned to the mobile device.
It is then converted to an 802.11 frame, encrypted, and sent out over the air.
• Multicast/Broadcast From Mobile Unit – Treated as a unicast frame from the MU, with the exception
it is encrypted with the per-VLAN broadcast key and transmitted over the air.
• Multicast/Broadcast from Wired Side – If the frame comes from a VLAN mapped to the WLAN, it's
encrypted using a per-VLAN broadcast key and transmitted over the air. Only MUs on that VLAN have
a broadcast key that can decrypt this frame. Other MUs receive it, but discard it.
In general, when there are multiple VLANs mapped to the same WLAN, the broadcast buffer queue
size scales linearly to accommodate the increase in potential more broadcast packet stream.
Roaming within the Switch
When a MU is assigned to a VLAN, the switch registers the VLAN assignment in its credential cache. If the
MU roams it is assigned back to its previously assigned VLAN. The cache is flushed upon MU inactivity or if
the MU associates over a different WLAN on the same switch.
Roaming Across a Cluster
MUs roam amongst member switches within a cluster. The switch must ensure a VLAN remains unchanged as
MU roams. This is accomplished by passing MU VLAN information across the cluster using the interface used
by a hotspot. It passes the username/password across the credential caches of the switches. This ensures a
VLAN MU association is maintained even while the MU roams amongst cluster members.
Roaming Across a L3 Mobility Domain
When an MU roams amongst switches in different L3 mobility domains, L3 ensures traffic is tunneled back to
the correct VLAN on the home switch.
Interaction with Radius Assigned VLANs
Multiple VLANs per WLAN can co-exist with VLANs assigned by a Radius server. Upon association, the MU is
assigned to a VLAN from a pool of available VLANs. When the Radius server assigns the user another VLAN,
MU traffic is forwarded to that VLAN.
When 802.1x is used, traffic from the MU is dropped until authentication is completed. None of the MU data
MU is switched onto the temporarily VLAN. A Radius assigned VLAN overrides the statically assigned VLAN.
If the Radius assigned VLAN is among the VLANs assigned to a WLAN, it is available for VLAN assignment in
the future. If the Radius assigned VLAN is not one of the VLANs assigned to a WLAN, it is not available for
VLAN assignment in the future. To configure Multiple VLANs for a single WLAN, see
Assigning Multiple VLANs per WLAN on page 4-31.