Layer-3 hotspot mode

In most simple on-premise deployments, HSG controls hotspot access in layer-2 mode - HSG tracks per client session based on a combination of client device MAC and IP addresses. In layer-2 mode, the clients sit in the same network as the HSG hotspot instance LAN/VLAN interface, and HSG has visibility on both client MAC and IP.

But in some more complex deployments, where the clients could come from a different internal network, eg.

  1. Remote intranet sites via MPLS/VPN, or

  2. From behind a layer 3 core switch.

Senario #1 is particularly true for services provides managing many customers using a central HSG (each customer maps to a dedicated hotspot instance within HSG), and each customer network is connected via a VPN tunnel back to central HSG.

In above scenarios, clients traffic routes across a layer 3 network before reaching to HSG, and HSG can only "see" client IP address in each request (the client MAC will be rewritten to downstream router MAC when routed across the router), so HSG can only control client access in layer 3 mode by tracking client IP address, because client MAC is no longer visible to HSG.

Below topology elaborates scenario #2. and it's similar for #1 (instead of a layer 3 router, it could be a intranet WAN/MPLS/VPN network).

Important notes for running in layer-3 mode:

  1. All the hotspot instances must be running on VLAN, eg. the user data link between HSG LAN interface and downstream router has to be a VLAN (so that HSG sees tagged traffic). You can have different hotspot instances (different VLANs) for different customers or departments, for different access controls and portals etc. In above example, vlan10 is the data link between HSG and core router, and hotspot is enable on vlan10 interface within HSG, so that the user traffic coming from vlan20 is routed by core router and tagged with vlan10 when reaching HSG.

  2. Client DHCP pool is assigned by downstream router or external DHCP server (eg. for vlan20) with addresses in different subnets as HSG hotspot instance VLAN interface subnet (eg. for vlan10).

  3. Each hotspot instance can cover one or multiple user VLANs (depends on how the downstream router configures). NOTE: for each hotspot instance configuration, you need to define "client-network x.x.x.x y.y.y.0", and if this instance covers multiple client networks/VLANs, you must make sure this configured network supersede all clients subnets. For example, you may have 3 client VLANs,,,, then your "client-network" should be configured as ("client-network")

  4. Configure "client-static" to be the same range of "client-network", so that it accepts client IPs issued by external DHCP server.

  5. Configure hotspot-server IP and make sure it's within the "client-network" range, eg. "hotspot-server port 5000 5001", and this IP is excluded from external DHCP server pool.

  6. Do NOT perform NAT on the downstream router for the client subnets, so that HSG can "see" the original client source IP addresses

  7. On HSG, add route for client subnets pointing back to downstream router (else you can run OSPF between HSG and downstream router as well), so that HSG can route return traffic back to clients.

Sample config on HSG


HSG# show running-config !hostname HSG!interface eth0 description "Connection to WAN" enable ip address dhcp!interface eth1 description "Connection to LAN" enable!interface eth2 description OOB-Mgmt enable ip address dhcp-server dns range!interface eth3!interface vlan 1 10 description "transit hotspot VLAN" enable ip address!interface loopback enable ip address!ip dhcp-server start!ip name-server host rewriteip host mail host mysqldb host rewrite!ip ntp-server!!make sure you have route for client networksip route nexthop!macc start!firewall-dnat 10 redirect all udp dport 53 rdport 53 src remark "rewrite DNS from LAN only"firewall-dnat 12 redirect all udp dport 53 rdport 53 src remark "rewrite DNS from LAN only"!firewall-input 10 permit all tcp dport 80 src remark "portal access"firewall-input 11 permit all tcp dport 80 src remark "portal access"firewall-input 21 permit all udp dport 53 src remark "allow DNS from LAN only"firewall-input 22 permit all udp dport 53 src remark "allow DNS from LAN only"firewall-input 31 permit all tcp dport 22 src remark "allow SSH from LAN only"firewall-input 32 permit all tcp dport 22 src remark "allow SSH from LAN only"!firewall-access 10 permit outbound eth0!firewall-snat 10 overload outbound eth0!security radius-server client key testing123 name LOCAL start!security hotspot vlan10!enable layer3 mode (default layer2) hotspot-mode layer3 hotspot-wan eth0 hotspot-server ports 5000 5001!network range must supersede all client subnets if there're multiple client VLANs client-network client-static bypass-domain list dn dn dn dn dn hotspot-portal startHSG# HSG# show security hotspot clients Client-MAC Client-IP Username %/MaxUp %/MaxDown Idle/Max Duration/Max------[vlan10 ]--------------------------------------------------------------------------------------------------..NA.. 0%/0 0%/0 0/0 35/0 HSG# show security hotspot clientsClient-MAC Client-IP Username %/MaxUp %/MaxDown Idle/Max Duration/Max------[vlan10 ]--------------------------------------------------------------------------------------------------..NA.. demouser 0%/0 0%/0 1/0 6/0 ..NA.. 0%/0 0%/0 0/0 65/0

NOTE: layer3 mode has no visibility on client MAC address.

  1. you can't see client MAC in above output.

  2. in RADIUS access records, the MAC shown is actually the downstream router MAC (it will appear same for all users).


Sample config on router (can be any other 3rd-party router)


!hostname core-router!interface eth0 enable!interface eth1 description "DHCP for AP management" enable ip address dhcp-server range!interface vlan 0 10 description "transit hotspot VLAN" enable ip address!interface vlan 1 20 description "user VLAN" enable ip address dhcp-server range!ip dhcp-server start!ip default-gateway!