CAPWAP AP forwards broadcast packets from LAN to the gateway.

Ok, the title may be a little "off", but at a customer site I see some strange behavior from APs.

When an IP-misconfigured wired client on a VLAN where CAPWAP APs are also connected broadcasts to the ff:ff:ff:ff:ff:ff address, the AP seems to "proxy" or replicate this broadcast and forward the same broadcast as a unicast MAC packet to the gateway of the network.

This of course causes the gateway to route the packet until it hits the firewall, which drops the packet.

This gives a lot of log output on the firewall in this network.

Has anyone else seen this behavior from CAPWAP APs? (Or is it just me who has completely missed some fundamental function?)

I have attached 4 images that show this behavior from a sniffer for two different clients: just the first packet from the client and the following "proxy" packet from the AP. All the packets you can see in the picture are APs replicating this packet, so the more APs in a VLAN, the more replication.

In both cases the source IP from the broadcasting client is not the VLANs IP, it is a misconfigured client.

The APs / VLAN IP is 10.x.y.z/24 network.

The APs in this example are 1142 in localmode and the WLC (5508) is running 7.6.130

Any suggestions are appreciated.
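The pattern described above (a wired client's L2 broadcast reappearing as a unicast frame to the gateway MAC, sent by each AP) can be picked out of a capture mechanically. The following is an added example, not code from the thread: it works over frame records constructed to mimic the sniffer output the poster describes. The MAC addresses, the 10.10.10.0/24 VLAN and the gateway MAC are assumptions; the check is that the same IP packet (same src/dst IP, IP ID and payload) that was first seen with a broadcast destination MAC is later seen unicast to the gateway from a different source MAC, and it also counts how many of the original broadcasts came from a source IP outside the VLAN's subnet.

```python
"""Find L2 broadcasts that are re-sent as unicast frames toward the gateway.

Added example, not part of the original post. Frame records below are
constructed by hand; MACs and the 10.10.10.0/24 VLAN are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    ts: float
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ip_id: int       # IPv4 Identification field; identical on a relayed copy
    payload: bytes


def ip_key(f: Frame):
    """Identity of the IP packet inside the frame, independent of the L2 header."""
    return (f.src_ip, f.dst_ip, f.ip_id, f.payload)


def find_relayed_broadcasts(frames, vlan_subnet: str, gateway_mac: str) -> dict:
    net = ipaddress.ip_network(vlan_subnet)
    gw = gateway_mac.lower()
    originals = {}          # ip_key -> first frame seen as an L2 broadcast
    off_subnet = []         # broadcasts whose source IP does not belong to the VLAN
    relays = []             # (original broadcast, unicast copy) pairs
    for f in sorted(frames, key=lambda x: x.ts):
        if f.dst_mac.lower() == BROADCAST_MAC:
            originals.setdefault(ip_key(f), f)
            if ipaddress.ip_address(f.src_ip) not in net:
                off_subnet.append(f)
            continue
        orig = originals.get(ip_key(f))
        if orig is None:
            continue
        # Same IP packet, now unicast to the gateway, sent by a different station:
        # that station (here, an AP) is relaying the broadcast.
        if f.dst_mac.lower() == gw and f.src_mac.lower() != orig.src_mac.lower():
            relays.append((orig, f))
    return {
        "off_subnet_broadcasts": len(off_subnet),
        "relayed": len(relays),
        "relayers": dict(Counter(r.src_mac for _, r in relays)),
        "relayed_from_on_subnet": sum(
            1 for o, _ in relays if ipaddress.ip_address(o.src_ip) in net
        ),
    }


# Constructed sample: two misconfigured wired clients, one correct client,
# two APs and a gateway. Only the misconfigured clients' broadcasts get relayed.
GATEWAY_MAC = "00:00:5e:00:01:01"
AP1, AP2 = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
SAMPLE_FRAMES = [
    # 192.168.10.55 on a 10.10.10.0/24 VLAN: wrong subnet, broadcasts anyway
    Frame(1.00, "00:11:22:33:44:55", BROADCAST_MAC, "192.168.10.55", "255.255.255.255", 4660, b"discover"),
    Frame(1.01, AP1, GATEWAY_MAC, "192.168.10.55", "255.255.255.255", 4660, b"discover"),
    Frame(1.02, AP2, GATEWAY_MAC, "192.168.10.55", "255.255.255.255", 4660, b"discover"),
    # correctly addressed client: broadcast stays a broadcast
    Frame(2.00, "00:11:22:33:44:66", BROADCAST_MAC, "10.10.10.20", "10.10.10.255", 7, b"name-query"),
    # another off-subnet client, relayed by one AP only
    Frame(3.00, "00:11:22:33:44:77", BROADCAST_MAC, "172.16.0.9", "255.255.255.255", 99, b"who-has"),
    Frame(3.01, AP1, GATEWAY_MAC, "172.16.0.9", "255.255.255.255", 99, b"who-has"),
]


def analyze_sample() -> dict:
    return find_relayed_broadcasts(SAMPLE_FRAMES, "10.10.10.0/24", GATEWAY_MAC)


if __name__ == "__main__":
    for k, v in analyze_sample().items():
        print(f"{k}: {v}")
```

On a real capture the frame records would come from a pcap decoder; the relay test itself only needs the L2 addresses and the IP header fields shown here, and the per-MAC counts in `relayers` identify which APs are doing the replication.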

5 Replies

What does the "show network summary" output look like on your WLC?

Is broadcast forwarding enabled by any chance?

HTH

Rasika

*** Pls rate all useful responses ****

Nope, no broadcast forwarding is enabled.

Here is the show output:

RF-Network Name............................. 
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Disable
OCSP........................................ Disabled
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable
Ethernet Multicast Forwarding............... Disable
Ethernet Broadcast Forwarding............... Disable
IPv4 AP Multicast/Broadcast Mode............ Unicast
IGMP snooping............................... Disabled
IGMP timeout................................ 60 seconds
IGMP Query Interval......................... 20 seconds
MLD snooping................................ Disabled
MLD timeout................................. 60 seconds
MLD query interval.......................... 20 seconds
User Idle Timeout........................... 300 seconds
ARP Idle Timeout............................ 300 seconds
Cisco AP Default Master..................... Disable
AP Join Priority............................ Disable
Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Disable
Bridge MAC filter Config.................... Enable
Bridge Security Mode........................ EAP
Mesh Full Sector DFS........................ Enable
AP Fallback ................................ Enable
Web Auth CMCC Support ...................... Disabled
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect  ................... Disable
Web Auth Captive-Bypass   .................. Disable
Web Auth Secure Web  ....................... Enable
Fast SSID Change ........................... Disabled
AP Discovery - NAT IP Only ................. Enabled
IP/MAC Addr Binding Check .................. Enabled
CCX-lite status ............................ Disable
oeap-600 dual-rlan-ports ................... Disable
oeap-600 local-network ..................... Enable
oeap-600 Split Tunneling (Printers)......... Disable
WebPortal Online Client .................... 0
mDNS snooping............................... Enabled
mDNS Query Interval......................... 15 minutes

With those settings your laptop users' broadcast traffic (irrespective of the VLAN they are in) should not pass on to another wireless user or to the wired network (assuming your laptop is connected via wireless).

Pls confirm the behaviour & reach TAC if that is what you have seen.

HTH

Rasika

***** Pls rate all useful responses *****
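The reply above checks the forwarding knobs by reading "show network summary" by eye. The following is an added example, not code from the thread: a parser for that output's "key....... value" layout plus a baseline check, so the same question can be asked of many controllers. The excerpt is trimmed from the output posted above; the baseline values (broadcast and multicast forwarding disabled, Telnet and management via wireless disabled) are my choice, not something the thread prescribes, and the second excerpt with broadcast forwarding enabled is constructed to show a finding.

```python
"""Parse WLC 'show network summary' output and compare against a baseline.

Added example, not part of the thread. The first excerpt is trimmed from the
output posted in the thread; the second is constructed; the baseline is mine.
"""
import re

SHOW_NETWORK_SUMMARY = """\
Web Mode.................................... Disable
Secure Web Mode............................. Enable
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable
Ethernet Multicast Forwarding............... Disable
Ethernet Broadcast Forwarding............... Disable
IPv4 AP Multicast/Broadcast Mode............ Unicast
Mgmt Via Wireless Interface................. Disable
Web Auth Captive-Bypass   .................. Disable
AP Fallback ................................ Enable
"""

# Constructed variant with the knob the thread is about turned on.
SHOW_NETWORK_SUMMARY_BAD = SHOW_NETWORK_SUMMARY.replace(
    "Ethernet Broadcast Forwarding............... Disable",
    "Ethernet Broadcast Forwarding............... Enable",
)

# key, optional spaces, a run of dots, optional spaces, value (possibly empty)
LINE_RE = re.compile(r"^(?P<key>.*?)\s*\.{2,}\s*(?P<value>.*)$")

# Baseline (my choice): the values a practitioner would expect on a WLC that
# should not leak wired/wireless broadcasts or expose cleartext management.
BASELINE = {
    "Ethernet Broadcast Forwarding": "Disable",
    "Ethernet Multicast Forwarding": "Disable",
    "Telnet": "Disable",
    "Mgmt Via Wireless Interface": "Disable",
}


def parse_show_network_summary(text: str) -> dict:
    """Return {setting name: value}; settings with no value map to ''."""
    settings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                     # prompts, headers, blank lines
        settings[m.group("key").strip()] = m.group("value").strip()
    return settings


def check_baseline(settings: dict, baseline: dict = BASELINE) -> list:
    """List deviations from the baseline as human-readable findings."""
    findings = []
    for key, want in baseline.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not present in output")
        elif got != want:
            findings.append(f"{key}: is {got}, expected {want}")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SHOW_NETWORK_SUMMARY), ("constructed", SHOW_NETWORK_SUMMARY_BAD)):
        findings = check_baseline(parse_show_network_summary(text))
        print(label, "->", findings or "no findings")
```

The regex anchors on the dot leader rather than on a fixed column, which is why lines such as "Web Auth Captive-Bypass   .........." with spaces before the dots and "OCSP responder URL........" with no value at all parse correctly.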

I tested this on my lab 2504.

In version 7.6.130 the AP behaves like the above problem, in version 8.0.100 everything is normal and behaving as it should.

The funny thing is that the AP is only "proxying" broadcast traffic from IP misconfigured clients (like a 192.168.10.x client in a 10.10.10.x vlan), not correctly IP configured clients.

So I must be hitting something that has been fixed between 7.6.130 and 8.0.100.

Robert Braver
Level 1

I ran into a similar issue with a customer (compounded by their ASA forwarding directed broadcasts, which it shouldn't be doing). This caused a broadcast storm on the LAN, even with the WLC disconnected. The problem was the code version on the APs.

I recently ran across bug CSCun20584, which appears to be the problem.
