8 Replies Latest reply on Jun 18, 2014 9:49 AM by briangonyer

    Put clients in native vlan at remote location

    briangonyer Visitor

      We have two remote campus locations connected to the main campus over a VPN tunnel and are wanting to use the same SSID as the main campus without all internet traffic having to come back to the main campus over the VPN tunnel but instead routing traffic destined for the internet to go out the local gateway at the remote sites, is this possible? The VPN gateway is already set to routing decisions based on what the user is trying to access, ie internal resources or internet.

        • Re: Put clients in native vlan at remote location
          daniel.blackmon Employee

          You could consider using Location Groups in vWLAN. In newer software (ie. vWLAN 2.2 or higher), these are found under Configuration > Role Based Access Control.


          Locations in vWLAN are essentially your VLANs. The Location will include a network address and bitmask (in slash notation) all neatly rolled into CIDR notation. For example, let's say you have a network address of with a mask of In CIDR notation, this is The Location might also include a VLAN tag, but you would need to ensure the tag is applied at every switch port where an AP is connected.


          The reason the tag needs to be consistent is because the APs use DHCP to discover a location. The AP will send out DHCP discover messages and look for DHCP Offers to return. The AP will tag the DHCP Discover messages appropriately before placing them on the LAN.


          I say all this to get back to answering your question. During role and location assignment, vWLAN looks at the active locations for an AP. So when a client associates to an AP, the vWLAN looks to see what location(s) the AP has active, and then places the client into that location.


          This is where Location Groups come into play. If you set the Role to use a location group, then vWLAN will choose active locations first. Each AP does not need to have every location in the group active. This solves your problem, and I want to use an example to make things more clear.


          Let's say one remote campus (RC1) uses and the other remote campus (RC2) uses You still have the VPN between the two campuses. You have a simple authentication mechanism such as WPA2-PSK with a default role. The same SSID will be applied to all APs across both campuses, and the a single role will be applied to all clients at both campuses. Now, you create two Locations in vWLAN, one for and another for Then, you create one Location Group containing both of the Locations. You assign the Location Group to the role.


          Since DHCP should not span the VPN connection, only the APs at RC1 will have as an active location, and only the APs at RC2 will have as an active location. Any client connecting to an AP at RC1 should now have the same role (and subsequent firewall policies applied), but they will have an IP address in However, a client at RC2 will get an IP address in


          Let me know if this helps or answers your question. If not, let me know what I need to clarify.


          You might also consider including the vWLAN and BSAP software versions so we can point you to the correct UI options.