
Users and VLANs

When a user successfully authenticates to the network, the user is assigned to a specific VLAN. A user remains associated with the same VLAN throughout the user’s session on the network, even when roaming from one WX switch to another within the Mobility Domain.

You assign a user to a VLAN by setting one of the following attributes on the RADIUS servers or in the local WX user database:

  • Tunnel-Private-Group-ID—This attribute is described in RFC 2868, RADIUS Attributes for Tunnel Protocol Support.
  • VLAN-Name—This attribute is a 3Com vendor-specific attribute (VSA).

You cannot configure the Tunnel-Private-Group-ID attribute in the local user database. Specify the VLAN name, not the number. If both attributes are used, the WX uses the VLAN name in the VLAN-Name attribute.

The WX switch through which a user is authenticated must be a member of the Mobility Domain the user is assigned to. However, you are not required to configure the VLAN on all WX switches in the Mobility Domain. When a user roams to a switch that is not a member of the VLAN the user is assigned to, the switch can tunnel traffic for the user through another switch that is a member of the VLAN.

Changing the Tunnel Affinity of a VLAN

WX switches configured to comprise a Mobility Domain allow users to roam seamlessly across MAP access points and across WX switches. Although a WX that is not a member of a user’s VLAN cannot directly forward traffic for the user, the WX can tunnel the traffic through another WX that is a member of the user’s VLAN.

If a WX that is not in the user’s VLAN has a choice of more than one other WX through which to tunnel the user’s traffic, the WX selects the path based on the tunnel affinity value. This is a numeric value that each WX within the Mobility Domain advertises for each of its local VLANs to all other WX switches in the Mobility Domain. The WX the user is roaming from selects the WX with the highest affinity value for the user’s VLAN as the path for the user’s data. If two or more WX switches have the same tunnel affinity value, the WX the user is roaming from randomly selects a WX.
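The attribute precedence and the tunnel-affinity selection described above can be modelled in a few lines. This is an added example, not 3Com or MSS code: the function names, the dictionary layout, the affinity numbers, and the behaviour when no switch advertises the VLAN are all assumptions made for illustration.

```python
import random

# Constructed sample data: the affinity each WX advertises for its local VLANs.
ADVERTS = {
    "wx1": {"red": 5, "blue": 5},
    "wx2": {"red": 7, "blue": 5},
    "wx3": {"green": 5},
}

def resolve_vlan(attrs):
    """Return (vlan_name, conflict) from a user's authorization attributes.

    VLAN-Name (the 3Com VSA) wins when both attributes are present.
    conflict is True when the two disagree, which is worth flagging in a
    config audit because the RFC 2868 value is silently ignored.
    """
    vsa = attrs.get("VLAN-Name")
    tpg = attrs.get("Tunnel-Private-Group-ID")
    conflict = bool(vsa and tpg and vsa != tpg)
    return (vsa or tpg), conflict

def forwarding_path(selecting_wx, vlan, adverts, rng=random):
    """Decide how selecting_wx carries traffic for a user in `vlan`."""
    if vlan in adverts.get(selecting_wx, {}):
        return ("local", selecting_wx)      # member of the VLAN: forward directly
    candidates = {wx: vlans[vlan] for wx, vlans in adverts.items()
                  if wx != selecting_wx and vlan in vlans}
    if not candidates:
        return ("none", None)               # assumption: no member, no path
    best = max(candidates.values())         # highest affinity wins
    tied = sorted(wx for wx, a in candidates.items() if a == best)
    return ("tunnel", rng.choice(tied))     # equal affinity: random pick

if __name__ == "__main__":
    user = {"VLAN-Name": "red", "Tunnel-Private-Group-ID": "blue"}
    vlan, conflict = resolve_vlan(user)
    print(vlan, "(attributes disagree)" if conflict else "")
    print(forwarding_path("wx3", vlan, ADVERTS))    # tunnels via wx2
    print(forwarding_path("wx3", "blue", ADVERTS))  # wx1 or wx2, chosen at random
```

Because ties are broken randomly, two switches advertising the same affinity for a VLAN make the traffic path non-deterministic, which matters when only one of them sits behind the intended inspection or filtering point.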

Viewing and Changing Mobility Profiles

Mobility Profile™ attributes allow or deny access to the network for a specific user or group of users. When you create a Mobility Profile, you specify which MAP ports, Distributed MAPs, or wired authentication ports are to be included. Typically, you include ports that are defined as MAP ports or Distributed MAPs. You can specify that all or no ports are included, or you can specify a list of ports to be included.

After creating a Mobility Profile, you can assign it to users created in the local WX user database, or users who are authenticated and authorized by a RADIUS server. You assign the name of the Mobility Profile by using the Mobility-Profile RADIUS attribute, which is a 3Com vendor-specific attribute (VSA).

Creating a Network Domain

MSS Version 4.1 and higher allows functionality found in Mobility Domains to be extended over a multiple-site installation, in a Network Domain. A Network Domain is a group of geographically dispersed Mobility Domains that share information over a WAN link. This shared information allows a user configured in one Mobility Domain to establish connectivity on a WX switch in a remote Mobility Domain. The WX switch forwards the user traffic by creating a VLAN tunnel to a WX switch in the remote Mobility Domain.

In a Network Domain, one or more WX switches act as seed devices. A Network Domain seed stores information about all of the VLANs on the Network Domain members. The Network Domain seeds share this information among themselves, so that every seed has an identical database.

David Gonzalez 2021/03/31 15:55

3com/switch/controller/configuration/vlan/user_and_vlans.txt · Last modified: 2021/04/03 12:04 by dgonzalez
