I've got a question regarding a large number of ARP packets when enabling "Interface Groups" (aka "VLAN Select") on a WLAN.
Currently we have an SSID with approximately 12,000 simultaneous users during peak hours. These users are primarily students with lectures all over campus, so mobility and flexibility are key aspects. By this I mean that the number of users in different areas of campus varies a lot, and therefore the number of users on a controller varies a lot. And when we had one client VLAN/interface per controller, we saw that we didn't have enough IP addresses on one client VLAN to handle all the clients when a lot of users were moving between areas.
To be able to have enough IP addresses available at any time on any controller, we have enabled "Interface Groups" on the WLAN/SSID. In this Interface Group we have all the client VLANs/interfaces from all the controllers. This also lets us move APs around between controllers without worrying about having enough IP addresses for that area on the controllers.
But, as I started with, the result is a large number of ARP packets to all clients on that SSID. We fear that this is causing trouble and that other traffic suffers from it. If we sniff the traffic to a client with all running applications closed (and therefore very low network traffic), we see 70,000 ARP packets during one hour (97% of the traffic). These are mainly ARP requests from clients requesting the MAC address of their default gateway. I know that the actual amount of data transmitted is very low, but it is the number of packets that troubles me.
So my question is this:
Are "AP groups" the solution to my problem? Suppose I create one AP Group for each area of the campus, using an Interface Group dedicated to that area, and define this AP Group and Interface Group on every controller. For instance, an area called "Building A" has an "AP Group" and an "Interface Group" with the same name. This Interface Group has 3 VLANs. And of course the APs in this area are configured with this AP Group. Then I guess only ARP traffic for these 3 VLANs will be sent out on these APs?
I know that the scenario and question are a bit fuzzy. But I really need an opinion on this. So if something is unclear, please ask.
Well, IMHO the solution is to know why this ARP flood happens and stop it. Changing your config to AP groups or whatever else could be a workaround if it stops the issue, but we are not sure if it will.
We need to know the root cause to isolate it better.
Is this happening with all clients? And in all areas/APs, or only some?
Rating useful replies is more useful than saying "Thank you"
I think the root cause is very clear. I'll try to explain a bit more.
We've got twenty controllers, and each of these had one single /23 subnet for clients (for this SSID). But this /23 subnet got too small when a lot of students moved to one area. Then "Interface Groups" came along and we tried adding one single /23 to the SSID. This worked very well, but we saw that our utilization of IP addresses was poor. This is because we needed to have enough IP addresses in every area to cope with the peaks of users on each controller (we are not doing NAT but using "real" IPv4 addresses). So we wanted to try having all the client subnets defined on every controller, and in one Interface Group on every controller. That means that every ARP request/broadcast from clients for the router's MAC address on these twenty subnets reaches every controller and gets broadcast out to every AP and client. That is the root cause of the huge amount of ARP.
I realize that this is not a good design, but I honestly thought that this kind of ARP traffic/broadcast was stopped at the controller when we have "Broadcast Forwarding" disabled. And this design gives us the flexibility to move APs around between controllers without thinking about whether we have enough IP addresses on the controller we are moving APs to. As I mentioned, we are not doing NAT, so utilization of IP addresses is important. And please don't start a discussion on why we are not doing NAT. We've had that discussion internally ;-)
So I'm trying to figure out if I can have this flexibility by using "AP Groups". I'm still doing the design on the drawing board and struggle a bit to explain. So I'll simplify my question: suppose a controller has four VLANs/interfaces for clients (VLAN 10, 20, 30 and 40) and an "Interface Group" with only two of these VLANs (VLAN 10 and 20), and I set up an "AP Group" using this "Interface Group". Will I see broadcast/ARP only for the two VLANs in the "Interface Group" (VLAN 10 and 20), or is there a possibility that I will see broadcast for the other two VLANs as well (VLAN 30 and 40)? I really hope and think that I'll only see broadcast for the VLANs in the "Interface Group", but I need to be sure.
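To check what a client capture actually contains before and after any redesign, here is an added analysis script (not from this thread or from Cisco) that counts gateway ARP requests per /23 client subnet and reports which subnets other than the client's own are leaking onto the cell. It assumes tab-separated fields in the style of `tshark -T fields` (relative time, ARP sender IP, ARP target IP); the sample lines are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample resembling `tshark -Y "arp.opcode==1" -T fields
# -e frame.time_relative -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4`
# captured at one client: gateway ARP requests from three /23 client subnets.
SAMPLE = """\
0.010\t10.20.0.15\t10.20.0.1
0.250\t10.20.1.77\t10.20.0.1
0.300\t10.22.0.40\t10.22.0.1
0.410\t10.24.1.9\t10.24.0.1
0.505\t10.22.1.3\t10.22.0.1
0.900\t10.20.0.99\t10.20.0.1
"""

CLIENT_SUBNET_PREFIX = 23  # every client VLAN in the thread is a /23

def parse_arp_requests(text):
    """Yield (time, sender_ip, target_ip) from tab-separated field lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        t, sender, target = line.split("\t")
        yield float(t), ipaddress.ip_address(sender), ipaddress.ip_address(target)

def arp_by_subnet(text, prefix=CLIENT_SUBNET_PREFIX):
    """Count ARP requests per client subnet, keyed by the sender's /prefix."""
    counts = Counter()
    for _, sender, _ in parse_arp_requests(text):
        net = ipaddress.ip_network(f"{sender}/{prefix}", strict=False)
        counts[str(net)] += 1
    return counts

def leaked_subnets(text, client_ip, prefix=CLIENT_SUBNET_PREFIX):
    """Subnets whose ARP reaches this client although it is not a member.
    With one interface group spanning all controllers these are expected;
    after per-area AP groups only the client's own subnet should remain."""
    own = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
    return sorted(net for net in arp_by_subnet(text, prefix) if net != str(own))

def arp_rate_per_hour(text):
    """Extrapolate the request count over the capture window to one hour."""
    times = [t for t, _, _ in parse_arp_requests(text)]
    if len(times) < 2:
        return 0.0
    span = times[-1] - times[0]
    return len(times) * 3600.0 / span if span > 0 else float("inf")

if __name__ == "__main__":
    print(arp_by_subnet(SAMPLE))
    print(leaked_subnets(SAMPLE, "10.20.0.15"))
    print(round(arp_rate_per_hour(SAMPLE)))
```

Run the same analysis on an hour-long capture from one client before and after moving to per-area AP Groups: if the leaked subnet list shrinks to empty, the broadcast domain seen by the client has been reduced as intended.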