CAPWAP AP forwards broadcast packets from LAN to the gateway.
OK, the title may be a little "off", but at a customer I see some strange behavior from APs.
When an IP-misconfigured wired client on a VLAN where CAPWAP APs are also connected broadcasts to the ff:ff:ff:ff:ff:ff address, the AP seems to "proxy" or replicate this broadcast and forward the same broadcast as a unicast-MAC packet to the gateway of the network.
This of course causes the gateway to route the packet until it hits the firewall, which drops it.
This generates a lot of log output on the firewall in this network.
Has anyone else seen this behavior from CAPWAP APs? (Or is it just me who has completely missed some fundamental function? :-) )
I have attached four images that show this behavior from a sniffer, from two different clients: just the first packet from the client and the following "proxy" packet from the AP. All the packets you can see in the picture are APs replicating this packet, so the more APs in a VLAN, the more replication.
In both cases the source IP of the broadcasting client is not in the VLAN's IP range; it is a misconfigured client.
The APs' VLAN is a 10.x.y.z/24 network.
The APs in this example are 1142s in local mode and the WLC (5508) is running 7.6.130.
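As an added example (not part of the original post and not Cisco code), the following Python reproduces the sniffer check the post describes over a constructed capture: it parses raw Ethernet/IPv4 frames, remembers each broadcast (dst MAC ff:ff:ff:ff:ff:ff) by its IP source, IP destination, IP ID and payload, and flags every later frame with the same key but a different source MAC and a unicast destination MAC, i.e. a copy of the client's broadcast re-emitted toward the gateway. It also reports whether the original sender's IP is off-subnet for the VLAN, which is the root cause the post points at. The MACs, IPs and the 10.1.1.0/24 subnet are hypothetical sample data, not values from the post.

```python
"""
Flag broadcasts that were re-emitted as unicast (the pattern described in
the post): an IPv4 frame first seen with dst MAC ff:ff:ff:ff:ff:ff is later
seen again with the same IP src/dst/ID/payload but a different source MAC
and a unicast destination MAC (the gateway). Standard library only; the
frames at the bottom are constructed sample data and every MAC, IP and the
VLAN subnet are hypothetical.
"""
import ipaddress
import struct
from collections import defaultdict

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_IPV4 = 0x0800


def mac_str(raw6):
    return ":".join(f"{b:02x}" for b in raw6)


def parse_frame(raw):
    """Pull the Ethernet and IPv4 header fields out of one raw frame; None if not IPv4."""
    if len(raw) < 34 or struct.unpack("!H", raw[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    return {
        "dst_mac": mac_str(raw[0:6]),
        "src_mac": mac_str(raw[6:12]),
        "ip_id": struct.unpack("!H", ip[4:6])[0],
        "ip_src": str(ipaddress.IPv4Address(ip[12:16])),
        "ip_dst": str(ipaddress.IPv4Address(ip[16:20])),
        "payload": bytes(ip[ihl:]),
    }


def build_frame(dst_mac, src_mac, ip_src, ip_dst, ip_id, payload):
    """Build a minimal Ethernet + IPv4 frame (proto 17, checksum left zero) as test input."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0, 64, 17, 0,
                         ipaddress.IPv4Address(ip_src).packed,
                         ipaddress.IPv4Address(ip_dst).packed)
    return eth + ip_hdr + payload


def find_proxied_broadcasts(frames, vlan_subnet):
    """
    Walk frames in capture order. Returns one finding per broadcast that other
    stations re-emitted as unicast, with who re-emitted it and where it was sent.
    """
    net = ipaddress.ip_network(vlan_subnet)
    originals = {}                 # (ip_src, ip_dst, ip_id, payload) -> first broadcast frame
    copies = defaultdict(list)     # same key -> unicast re-emissions by other MACs
    for raw in frames:
        f = parse_frame(raw)
        if f is None:
            continue
        key = (f["ip_src"], f["ip_dst"], f["ip_id"], f["payload"])
        if f["dst_mac"] == BROADCAST_MAC:
            originals.setdefault(key, f)
        elif key in originals and f["src_mac"] != originals[key]["src_mac"]:
            copies[key].append(f)
    findings = []
    for key, orig in originals.items():
        if not copies[key]:
            continue
        findings.append({
            "client_mac": orig["src_mac"],
            "client_ip": orig["ip_src"],
            # the post's root cause: a client whose source IP is not in the VLAN's subnet
            "client_off_subnet": ipaddress.ip_address(orig["ip_src"]) not in net,
            "unicast_dst_macs": sorted({c["dst_mac"] for c in copies[key]}),
            "replicating_macs": sorted({c["src_mac"] for c in copies[key]}),
            "copies": len(copies[key]),
        })
    return findings


# ---- constructed sample capture (all addresses hypothetical) ----
VLAN_SUBNET = "10.1.1.0/24"
CLIENT_MAC = "00:11:22:33:44:55"            # misconfigured wired client
GATEWAY_MAC = "00:00:5e:00:01:01"           # VLAN gateway
AP_MACS = ["02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"]
PAYLOAD = b"\x00\x89\x00\x89\x00\x08\x00\x00"   # arbitrary 8-byte payload

SAMPLE_FRAMES = [
    # 1) the client's broadcast, sourced from the wrong subnet
    build_frame(BROADCAST_MAC, CLIENT_MAC, "192.168.1.50", "192.168.1.255", 0x1234, PAYLOAD),
    # 2) one unicast copy per AP, aimed at the gateway MAC
    *[build_frame(GATEWAY_MAC, ap, "192.168.1.50", "192.168.1.255", 0x1234, PAYLOAD)
      for ap in AP_MACS],
    # 3) a normal on-subnet broadcast that nobody replicates (must not be flagged)
    build_frame(BROADCAST_MAC, "00:aa:bb:cc:dd:ee", "10.1.1.20", "10.1.1.255", 0x0001, PAYLOAD),
    # 4) an ordinary unicast from the client with a different IP ID (must not match)
    build_frame(GATEWAY_MAC, CLIENT_MAC, "192.168.1.50", "10.1.1.1", 0x1235, PAYLOAD),
]

if __name__ == "__main__":
    for hit in find_proxied_broadcasts(SAMPLE_FRAMES, VLAN_SUBNET):
        print(hit)
```

On a real capture, replace SAMPLE_FRAMES with the raw frames from a pcap reader; the number of entries in replicating_macs is the number of APs on the VLAN that re-emitted the broadcast, which is the "more APs, more replication" effect the post describes.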
With those settings, your laptop users' broadcast traffic (irrespective of the VLAN they are in) should not pass onto another wireless user or the wired network (assuming your laptop is connected via wireless).
Please confirm the behaviour and reach out to TAC if that is what you have seen.
I ran into a similar issue with a customer (compounded by their ASA forwarding directed broadcasts, which it shouldn't be doing). This caused a broadcast storm on the LAN, even with the WLC disconnected. The problem was the code version on the APs.
I recently ran across bug CSCun20584, which appears to be the problem.