Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

CAPWAP AP forwards broadcast packets from LAN to the gateway.

Ok, the Title may be a little "off", but at a customer I see some strange behavior from APs.

When an IP misconfigured wired client on a vlan, where CAPWAP APs are also connected, broadcasts to the ff:ff:ff:ff:ff address, the AP seems to "proxy" or replicate this broadcast, and forward the same broadcast as a "unicast mac" packet to the gateway of the network.

This of course causes the gateway to route the packet until it hits the firewall, which of course drops the packet.

This gives a lot of log output on the firewall in this network.

Has anyone else seen this behavior from CAPWAP APs ? (or is it just me who has completely missed some fundamental function ? :-) )

 

I have attached 4 images that shows this behavior from a sniffer from two different clients, and just the first packet from the client and the following "proxy" packet from the AP - all the packet you can see in the picture is APs replicating this packet. So the more APs in a VLAN the more replication.

In both cases the source IP from the broadcasting client is not the VLANs IP, it is a misconfigured client.

The APs / VLAN IP is 10.x.y.z/24 network.

The APs in this example are 1142 in localmode and the WLC (5508) is running 7.6.130

 

Any suggestions is appreciated :-)

 

5 REPLIES
VIP Purple

How does the "show network

How does the "show network summary" output looks like on your WLC ?

Does broadcast forwarding enabled  by any chance ?

HTH

Rasika

*** Pls rate all useful responses ****

Nope no broadcast forwarding

Nope no broadcast forwarding is enabled.

Here is the show output:

RF-Network Name............................. 
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Disable
OCSP........................................ Disabled
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable
Ethernet Multicast Forwarding............... Disable
Ethernet Broadcast Forwarding............... Disable
IPv4 AP Multicast/Broadcast Mode............ Unicast
IGMP snooping............................... Disabled
IGMP timeout................................ 60 seconds
IGMP Query Interval......................... 20 seconds
MLD snooping................................ Disabled
MLD timeout................................. 60 seconds
MLD query interval.......................... 20 seconds
User Idle Timeout........................... 300 seconds
ARP Idle Timeout............................ 300 seconds
Cisco AP Default Master..................... Disable
AP Join Priority............................ Disable
Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Disable
Bridge MAC filter Config.................... Enable
Bridge Security Mode........................ EAP
Mesh Full Sector DFS........................ Enable
AP Fallback ................................ Enable
Web Auth CMCC Support ...................... Disabled
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect  ................... Disable
Web Auth Captive-Bypass   .................. Disable
Web Auth Secure Web  ....................... Enable
Fast SSID Change ........................... Disabled
AP Discovery - NAT IP Only ................. Enabled
IP/MAC Addr Binding Check .................. Enabled
CCX-lite status ............................ Disable
oeap-600 dual-rlan-ports ................... Disable
oeap-600 local-network ..................... Enable
oeap-600 Split Tunneling (Printers)......... Disable
WebPortal Online Client .................... 0
mDNS snooping............................... Enabled
mDNS Query Interval......................... 15 minutes

VIP Purple

With those settings your

With those settings your laptop users broadcast traffic (irrespective of the vlan they are in) should not pass onto another wireless user or wired network. (assuming your laptop is connected via wireless)

Pls confirm the behaviour & reach TAC if that is what you seen.

HTH

Rasika

***** Pls rate all useful responses *****

 

I tested this on my lab 2504

I tested this on my lab 2504.

In version 7.6.130 the AP behaves like the above problem, in version 8.0.100 everything is normal and behaving as it should.

The funny thing is that the AP is only "proxying" broadcast traffic from IP misconfigured clients (like a 192.168.10.x client in a 10.10.10.x vlan), not correctly IP configured clients.

So I must be hitting something that have been fixed from 7.6.130 to 8.0.100.

New Member

I ran into a similar issue

I ran into a similar issue with a customer, (compounded by their ASA forwarding directed broadcasts, which it shouldn't be doing).  This caused a broadcast storm on the LAN, even with the WLC disconnected.  The problem was the code version on the APs.

I recently ran across bug CSCun20584, which appears to be the problem.

 

624
Views
0
Helpful
5
Replies
CreatePlease login to create content