Interoperability with other switch features
The following rules can help avoid conflicts when BYOD-redirect has been deployed on a switch with other features:
MAFR and BYOD-redirect are mutually exclusive – MAFR (MAC Authentication Failure Redirect) and BYOD-redirect solve similar problems.
DNS sentinel and BYOD-redirect – When a DNS sentinel is enabled, the switch tunnels packets to the controller. Packets are re-injected to the switch only if the controller classifies DNS packets as permitted. When BYOD-redirect is enabled, the user should configure an ACL rule to pass through DNS packets to the switch. If SDN controller policy classifies a DNS packet originating from a client as drop, then BYOD-redirect does not work.
IP sentinel and BYOD-redirect – When IP sentinel is enabled for the IP flows configured by the SDN controller, the switch tunnels the IP packets to the controller. The IP packets are reinjected to the switch only if the controller classifies the IP traffic as not malicious. If the SDN controller policy classifies the client’s IP traffic as malicious, then BYOD-redirect fails.
OpenFlow and BYOD-redirect – If an OpenFlow instance is enabled on a VLAN, then all traffic is given to the OpenFlow packet processing task. BYOD-redirect requires intercepting IP (HTTP) packets. If BYOD-redirect interoperates with OpenFlow, traffic should be copied to both OpenFlow and BYOD-redirect; otherwise, the switch cannot enable BYOD-redirect and OpenFlow on the same VLAN.
Other TCAM rules – If any other user has configured TCAM rules that override TCAM entries installed for BYOD-redirect, BYOD redirect does not work.