Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

CAPWAP Traffic

There is a huge amount of CAPWAP traffic from access point to the ap manager IP address of WiSM1 . Around 215 gig. Is it normal or something strange

Sent from Cisco Technical Support iPhone App

12 REPLIES
VIP Purple

CAPWAP Traffic

Is it 215 Gbps ? All CAPWAP traffic from AP to WLC include user traffic as well. So this could be your users' genuine  traffic as well. How many APs managed by this WiSM ? what is the general traffic load in a average day ?

If you have tool (like netflow,ect) to see what traffic goes to controller  then you can determine who is the top talkers & then you can assess whether it is genuine or  not

Since it is WiSM no easy way of taking a packet capture beteeen 6500 & WiSM it self

HTH

Rasika

New Member

Re: CAPWAP Traffic

Thank you for the useful information

Is there any way to identify which client has utilized the traffic. On a daily average it will be 6 gig traffic. But in one day it raised to 215gigabytes . Now my worry is it a client traffic , ap malfunction or some threat

Sent from Cisco Technical Support iPhone App

Hall of Fame Super Silver

CAPWAP Traffic

Like Rasika mentioned, you would need netflow, other thatn that, you will not be able to know what client.  One best practice also to eliminate traffic from AP's is to define your syslog for the AP's or else its a broadcast.  If you don't have a syslog, then put a bogus ip address:

config ap syslog host global

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
New Member

CAPWAP Traffic


Hello Team;

    We are having a palo alto for monitoring the traffic. In palo alto it is reported that from the sourtce ip address of the AP to the destination AP Manager ip address of the WiSM  there was 215 Gigabytes of CAPWAP traffic.

It cannot be normal as the amount of traffic is huge. So we are suspecting some misbehaviour. If we enable netflow or syslog on the AP what are the information we can capture.

Also please share your thoughts about the issue ?

It happened on last week and is there any way to findout is it was an actial capwap traffic or some client traffic.

Hall of Fame Super Silver

CAPWAP Traffic

Well, you have a source ip, what is the source ip... an access point?  If so, make sure that the ap isn't bouncing.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
New Member

CAPWAP Traffic

The source is an AP and the destination is the AP Manager IP address of WiSM1 Controller-1.

Its reported only for one day and the association time of the AP is fine with the controller as well.

VIP Purple

Re: CAPWAP Traffic

If you know the AP, then take a wireshark packet capture of that AP connected switch port while you are having high volume of traffic. That will tell you what that traffic is

HTH

Rasika

New Member

CAPWAP Traffic

It was a one time traffic and now its normal

VIP Purple

Re: CAPWAP Traffic

Then you should have a tool to go back & check (like netflow collector). Otherwise you have to keep a close look and if that occur again, take a capture at that time

HTH

Rasika

New Member

CAPWAP Traffic

Also, check your palo alto device. Sometimes really weird things happens with PA...

New Member

CAPWAP Traffic

CAPWAP Traffic

You can use Netflow tool  to analyze traffic and know whether it is normal or not.

1048
Views
0
Helpful
12
Replies