Wireless LANs, Roaming, Subnets, and Ethernet Bridges

The computer network in the House is divided into multiple distinct VLANs (and hence also multiple distinct Subnets) in order to segregate the traffic for different types of network devices. The basic plan was to establish the same set of VLANs in the Outbuildings but to put those on separate Subnets from the ones in the House, with Routed (Layer 3) network connections across a ‘Backbone’ network link between the buildings.

For example:

  • VLAN 64 using Subnet 172.16.64.0/22 in the House
  • VLAN 64 using Subnet 172.20.64.0/22 in the Outbuildings

Each of these Subnets reaches ‘the other side’ (172.20.0.0/16 from the House, 172.16.0.0/16 from the Outbuildings) via a Static Route configured on its default Gateway, pointing across the Backbone link.

In most cases this works fine. However, there are a few services which insist on being in the same Layer 2 broadcast domain (and hence on the same IP Subnet) in both buildings:

  • The Paxton Net2 Access Control and Entry system
  • Wireless LAN networks which support ‘roaming’ between different Access Point radios

The Wireless LAN ‘roaming’ requirement is that in the presence of multiple Access Points (i.e. BSSIDs) broadcasting the same SSID, a WiFi Client gets to choose which radio to associate with – and will ‘roam’ from one radio to another (and another…) as the client physically moves around a building or site, in order to maintain good signal strength. For seamless roaming to work, all of the radios offering the same SSID need to do so on the same Subnet, because a client needs to keep its IP address as it moves around so as not to break any open network connections which rely on that IP address. As a result, the client typically won’t even issue a new DHCP request after it ‘roams’, since it expects to still be on the same Subnet; if the new radio is actually on a different Subnet, the client carries on using an address that is wrong for that Subnet and its traffic is silently lost until the DHCP lease is renewed.

In large campus WiFi deployments it is customary to have the Wireless Access Points create ‘tunnels’ (for example CAPWAP) back to a site Wireless LAN Controller, which then handles everything in one place: the client’s Subnet is anchored at the controller, so it stays the same no matter which Access Point the client is currently using.

For smaller deployments, an alternative is to use Ethernet Bridge devices on VLAN interfaces to extend the same Subnet to additional building(s) – as shown in the ArchiMate diagram below:

  • fw1 and fw2 are the Router/Firewall nodes; one per building
  • The physical Ethernet port igb1 on each Router/Firewall is cabled to a VLAN-aware network switch; one per building
    • This cable carries VLAN-tagged Ethernet frames for each of the configured VLANs (1,2 & 3)
    • Each switch then presents untagged Ethernet frames on various switch ports, as required by the connected client devices
  • The physical Ethernet port igb2 on fw1 is cabled to physical Ethernet port igb0 on fw2
    • This cable carries untagged Ethernet frames for the ‘Backbone network’ 172.28.0.0/24, which is used to Route the majority of the network traffic between the buildings (for VLANs 1 & 2; the Blue arrow shows the VLAN 1 case)
    • This cable also carries VLAN-tagged Ethernet frames for VLAN 3 between the VLAN network interfaces fw1:igb2.3 and fw2:igb0.3 – as shown by the Magenta arrow. On each Router/Firewall that interface is a member of the Ethernet Bridge (br0) together with the local igb1.3 interface, so the VLAN 3 segments in the two buildings form a single broadcast domain and share the one Subnet 172.16.3.0
ArchiMate diagram showing use of Ethernet Bridge devices (br0) and VLAN interfaces (igb?.3) to ‘stretch’ one Subnet (172.16.3.0) between two Routers while the other Subnets are Routed via 172.28.0.0

The same configuration can be extended to support the Bridging of additional VLANs, or to additional Buildings – subject to the scalability limits of a single Subnet. Two caveats apply to any Bridged VLAN: it is one broadcast domain across all of the buildings, so broadcast storms, Layer 2 loops, a rogue DHCP server or ARP spoofing in one building affect the others too; and because Bridged frames are forwarded at Layer 2 rather than Routed, any firewall rules written for the Routed traffic between buildings do not apply to them unless the Router/Firewall is also configured to filter on the Bridge (or its member interfaces).
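The addressing rules behind the roaming requirement and the Bridged/Routed split above can be checked mechanically before anything is cabled. The following is an added example (not code from this site or from any of the products mentioned) that models the two-building topology from the diagram and flags a roaming SSID that spans more than one Subnet, a Bridged VLAN whose two halves disagree on their Subnet, overlapping Routed Subnets, and a Router that lacks a Static Route to the other building. The /24 masks, the Subnets for VLANs 1 and 2, the backbone addresses 172.28.0.1/2, the SSID name and all function names are assumptions made for the example.

```python
"""Sanity-check a multi-building VLAN plan (added example, not the site's own code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class VlanInstance:
    building: str
    vlan_id: int
    subnet: IPv4Network
    bridged: bool = False  # True when this VLAN is stretched at Layer 2 across the backbone


@dataclass(frozen=True)
class Router:
    name: str
    building: str
    backbone_ip: IPv4Address
    static_routes: tuple  # of (destination IPv4Network, next-hop IPv4Address on the backbone)


@dataclass(frozen=True)
class Plan:
    backbone: IPv4Network
    vlans: tuple
    routers: tuple
    ssids: dict  # SSID -> {building: vlan_id that the APs in that building put the SSID on}


def _instance(plan, building, vlan_id):
    for v in plan.vlans:
        if v.building == building and v.vlan_id == vlan_id:
            return v
    raise KeyError(f"VLAN {vlan_id} is not defined in {building}")


def roaming_problems(plan):
    """An SSID roams seamlessly only if every building's APs put it on one Subnet."""
    problems = []
    for ssid, placement in plan.ssids.items():
        seen = {}
        for building, vlan_id in placement.items():
            seen.setdefault(_instance(plan, building, vlan_id).subnet, []).append(building)
        if len(seen) > 1:
            where = "; ".join(f"{net} in {', '.join(b)}" for net, b in seen.items())
            problems.append(f"SSID {ssid!r} spans {len(seen)} subnets ({where}): "
                            "clients keep their IP when they roam, so sessions will break")
    return problems


def vlan_problems(plan):
    """Bridged VLANs must share one Subnet everywhere; Routed VLANs must not overlap."""
    problems, by_id = [], {}
    for v in plan.vlans:
        by_id.setdefault(v.vlan_id, []).append(v)
    for vlan_id, instances in by_id.items():
        flags = {v.bridged for v in instances}
        if len(flags) > 1:
            problems.append(f"VLAN {vlan_id} is bridged in some buildings but routed in others")
            continue
        subnets = {v.subnet for v in instances}
        if flags == {True} and len(subnets) > 1:
            problems.append(f"bridged VLAN {vlan_id} has a different subnet per building: "
                            f"{sorted(map(str, subnets))}")
        if flags == {False}:
            for a in instances:
                for b in instances:
                    if a.building < b.building and a.subnet.overlaps(b.subnet):
                        problems.append(f"routed VLAN {vlan_id}: {a.subnet} ({a.building}) "
                                        f"overlaps {b.subnet} ({b.building})")
    return problems


def route_problems(plan):
    """Every Router needs a Static Route, via the backbone, to each remote Routed Subnet."""
    problems = []
    for r in plan.routers:
        if r.backbone_ip not in plan.backbone:
            problems.append(f"{r.name}: backbone address {r.backbone_ip} is outside {plan.backbone}")
        for dest, nh in r.static_routes:
            if nh not in plan.backbone or nh == r.backbone_ip:
                problems.append(f"{r.name}: route to {dest} via {nh} does not point at another backbone router")
        for v in plan.vlans:
            if v.building == r.building or v.bridged:
                continue  # local Subnet, or directly connected through the Bridge (connected route wins)
            if not any(v.subnet.subnet_of(dest) for dest, _ in r.static_routes):
                problems.append(f"{r.name}: no static route covers remote subnet {v.subnet} "
                                f"(VLAN {v.vlan_id}, {v.building})")
    return problems


def check_plan(plan):
    return roaming_problems(plan) + vlan_problems(plan) + route_problems(plan)


def diagram_plan():
    """The two-building topology from the ArchiMate diagram (masks and VLAN 1/2 Subnets assumed)."""
    N, A = IPv4Network, IPv4Address
    vlans = (
        VlanInstance("House", 1, N("172.16.1.0/24")),
        VlanInstance("House", 2, N("172.16.2.0/24")),
        VlanInstance("House", 3, N("172.16.3.0/24"), bridged=True),
        VlanInstance("Outbuildings", 1, N("172.20.1.0/24")),
        VlanInstance("Outbuildings", 2, N("172.20.2.0/24")),
        VlanInstance("Outbuildings", 3, N("172.16.3.0/24"), bridged=True),  # stretched via igb2.3 <-> igb0.3
    )
    routers = (
        Router("fw1", "House", A("172.28.0.1"), ((N("172.20.0.0/16"), A("172.28.0.2")),)),
        Router("fw2", "Outbuildings", A("172.28.0.2"), ((N("172.16.0.0/16"), A("172.28.0.1")),)),
    )
    return Plan(N("172.28.0.0/24"), vlans, routers, {"farm-wifi": {"House": 3, "Outbuildings": 3}})


def broken_plan():
    """Same topology, but the roaming SSID put on Routed VLAN 2 and fw2's Static Route forgotten."""
    good = diagram_plan()
    routers = (good.routers[0], Router("fw2", "Outbuildings", IPv4Address("172.28.0.2"), ()))
    return Plan(good.backbone, good.vlans, routers, {"farm-wifi": {"House": 2, "Outbuildings": 2}})


if __name__ == "__main__":
    for label, plan in (("diagram", diagram_plan()), ("broken", broken_plan())):
        print(f"{label}: {check_plan(plan) or ['OK']}")
```

Running the script reports the diagram plan as clean and lists three problems for the broken variant: the SSID spanning two Subnets, and fw2 lacking a route to each of the House’s Routed Subnets. Adding a third building is a matter of appending its VlanInstance and Router entries; the checks already iterate over every building.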

CC BY-SA 4.0 Wireless LANs, Roaming, Subnets, and Ethernet Bridges by Marsh Flatts Farm Self Build Diary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
