When BYOD-redirect is enabled on a VLAN, the BYOD feature intercepts HTTP traffic and blocks all other traffic for which free rules are not enabled. Most BYOD-redirect implementation is platform independent, except installing free rules to mitigate risks.
Communication between clients and the IMC server is tunneled by the edge switch:
-
The HTTP task always redirects, after embedding client IP addresses, a URL trying to access the redirected URL.
-
The redirect response includes URL parameters: user ip address andurl user is trying to access.
-
The client receives a redirect response from the switch and makes an HTTP request to redirect the URL.
BYOD updates server details using the BYOD VLAN map and TCAM rules from an SNMP communication, handling dynamic re-configuration events by BYOD task:
-
Internal data structure is updated, including the server URL, server IP, port and other parameters.
-
To enable BYOD-redirect on a VLAN:
The following TCAM rules are installed:
-
Steal and hardware drop for http traffic (80).
-
Drop (IP traffic) all rules to be installed.
-
Install hardware forward rule for http packets to the BYOD server.
-
Allow ARP packets any to any.
-
-
Configure free rules to allow traffic to DNS, DHCP and other traffic.
The following rules can help avoid conflicts when BYOD-redirect has been deployed on a switch with other features:
-
MAFR and BYOD-redirect are mutually exclusive – MAFR and BYOD-redirect solve similar problems.
-
DNS sentinel and BYOD-redirect – When a DNS sentinel is enabled, the switch tunnels packets to the controller. Packets are re-injected to the switch only if the controller classifies DNS packets as permitted. When BYOD-redirect is enabled, the user should configure an ACL rule to pass through DNS packets to the switch. If SDN controller policy classifies a DNS packet originating from a client as drop, then BYOD-redirect does not work.
-
IP sentinel and BYOD-redirect – When IP sentinel is enabled for the IP flows configured by the SDN controller, the switch tunnels the IP packets to the controller. The IP packets are re-injected to the switch only if the controller classifies the IP traffic as not malicious. If the SDN controller policy classifies the client’s IP traffic as malicious, then BYOD-redirect fails.
-
OpenFlow and BYOD-redirect – If an OpenFlow instance is enabled on a VLAN, then all traffic is given to the OpenFlow packet processing task. BYOD-redirect requires intercepting IP (HTTP) packets. If BYOD-redirect inter-operates with OpenFlow, traffic should be copied to both Openflow and BYOD-redirect; otherwise, the switch cannot enable BYOD-redirect and OpenFlow on the same VLAN.
-
Other TCAM rules – If any other user has configured TCAM rules that override TCAM entries installed for BYOD-redirect, BYOD-redirect does not work.
Because BYOD policy integrates several logical components including MSM, UAM, and RADIUS, the redirected URL in the BYOD-redirect feature on a switch must include the byod-server-url and user-ip information to work with the IMC server.
BYOD-redirect configuration command syntax for ProVision software matches Comware server command syntax.
BYOD-redirect has the following restrictions:
-
BYOD-redirect is a per-VLAN configuration; up to three VLANs can be enabled with BYOD-redirect.
-
BYOD-redirect supports up to three redirection servers configured on a switch. When a redirection server URL is configured, the BYOD module maintains separate data structures to store the re-directed URL on the VLAN where BYOD-redirect is enabled. BYOD-redirect statistics are maintained for each server.