Cisco Support Community
New Member

sleep mode causes 0.0.0.0 dot11 association

Hello,

I'm using Aironet 1210, 1130, 1100, 1040 in autonomous mode, in a university campus network with thousands of daily users.

We're using RADIUS authentication and AES/WPA2.

In the past, there were some major issues with traffic (broadcast / multicast) in the wireless networks, that would spread all around the campus causing excessive processing at the access-points.

To solve the problem we decided to implement an access list on the radio interface to drop all the unwanted traffic.

ip access-list extended radio_interface_IN
 ! permit DHCP requests ONLY
 permit udp any eq bootpc any eq bootps
 ! deny broadcasts
 deny   ip any host 255.255.255.255
 ! deny network broadcast
 deny   ip any host 192.168.47.255
 ! deny gateway IP (source) IN radio
 deny   ip 192.168.47.252 0.0.0.3 any
 ! permit gateway IP (destination)
 permit ip 192.168.47.0 0.0.0.255 192.168.47.252 0.0.0.3
 ! deny traffic between hosts in the same network
 deny   ip 192.168.47.0 0.0.0.255 192.168.47.0 0.0.0.255
 ! permit traffic with other networks
 permit ip 192.168.47.0 0.0.0.255 any
 deny   ip any any

This ACL worked out perfectly until recently. We're having issues when client machines (Windows and Apple laptops) go into "sleep mode"...

When they "wake up", they keep the IP address they had before (thus bypassing the DHCP requests), but on the access-point association "show dot11 associations" the access point shows 0.0.0.0...and never fully associates.

MAC Address    IP address      Device        Name            Parent         State
0021.6a71.08f2 192.168.44.86   unknown       -               self           EAP-Assoc
a87e.339b.35fa 0.0.0.0         ccx-client    -               self           EAP-Assoc

I'm pretty sure this is caused by the ACL (I've tested removing the ACL and the issue never occurred) but I can't just get rid of it.

Any ideas on what might be happening here??

Any ideas on an alternative way to drop broadcasts??

thanks in advance
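To check which entry of the posted ACL a given packet hits, the following is an added example (not part of the original post) that models radio_interface_IN with first-match evaluation and IOS wildcard masks. The client address 192.168.47.86, the destination 198.51.100.10 and all sample packets are constructed; only IP packets are modelled, so ARP and EAPOL frames are outside its scope.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # (base address, wildcard mask)
NET = ("192.168.47.0", "0.0.0.255")    # client subnet from the post
GW = ("192.168.47.252", "0.0.0.3")     # gateway range from the post

def host(ip):
    return (ip, "0.0.0.0")

# radio_interface_IN as posted: (action, proto, src, src_port, dst, dst_port)
ACL = [
    ("permit", "udp", ANY, 68, ANY, 67),                       # 1: DHCP
    ("deny", "ip", ANY, None, host("255.255.255.255"), None),  # 2
    ("deny", "ip", ANY, None, host("192.168.47.255"), None),   # 3
    ("deny", "ip", GW, None, ANY, None),                       # 4
    ("permit", "ip", NET, None, GW, None),                     # 5
    ("deny", "ip", NET, None, NET, None),                      # 6
    ("permit", "ip", NET, None, ANY, None),                    # 7
    ("deny", "ip", ANY, None, ANY, None),                      # 8
]

def _match(addr, spec):
    """IOS wildcard match: bits set in the wildcard are 'don't care'."""
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & ~wild & 0xFFFFFFFF) == 0

def evaluate(proto, src, dst, sport=None, dport=None):
    """Return (entry number, action) of the first entry that matches."""
    for n, (action, p, s, sp, d, dp) in enumerate(ACL, 1):
        if p != "ip" and p != proto:
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        if _match(src, s) and _match(dst, d):
            return n, action
    return None, "deny"  # implicit deny when nothing matched

# Constructed sample packets: (proto, src, dst, sport, dport)
SAMPLES = {
    "DHCP discover": ("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "DHCP renew (unicast)": ("udp", "192.168.47.86", "198.51.100.10", 68, 67),
    "subnet broadcast": ("udp", "192.168.47.86", "192.168.47.255", 137, 137),
    "client to gateway": ("tcp", "192.168.47.86", "192.168.47.254", 50000, 443),
    "client to client": ("tcp", "192.168.47.86", "192.168.47.90", 50000, 445),
    "client to other network": ("tcp", "192.168.47.86", "198.51.100.10", 50000, 443),
    "non-DHCP from 0.0.0.0": ("udp", "0.0.0.0", "224.0.0.251", 5353, 5353),
}

def report():
    return {name: evaluate(*pkt) for name, pkt in SAMPLES.items()}
```
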

7 REPLIES
Hall of Fame Super Gold

sleep mode causes 0.0.0.0 dot11 association

deny   ip any host 255.255.255.255 -----------------------------------> deny broadcasts

deny   ip any host 192.168.47.255 -------------------------------------> deny network broadcast

I have never seen an ACL built like this before.

New Member

sleep mode causes 0.0.0.0 dot11 association

I know it looks weird but it actually saved my wireless network...

Imagine 500 standalone access-points with 3000 simultaneous associations (laptops, cell phones, tablets...) broadcasting everywhere...crazy right!!?!?!

Most access-points were running with CPU at 90% or more and no one had a good wireless connection.

We decided to segment the wireless network (divided in 4 zones now) and "simulate" private VLANs, allowing communications with the gateway only...

sleep mode causes 0.0.0.0 dot11 association

Would enabling ARP caching on the AP help in your situation? I did a quick blog post on this a little bit ago.

http://www.my80211.com/cisco-auton-cli-commands/

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
New Member

sleep mode causes 0.0.0.0 dot11 association

good point!!

"Arp-cache enable" was actually one of the features we activated recently (saved us a bunch of CPU%) but I never considered the "Arp-cache optional"...

It's definitely worth a shot.

I'll let you know how it goes!

thanks

sleep mode causes 0.0.0.0 dot11 association

How did it go ?

New Member

sleep mode causes 0.0.0.0 dot11 association

not perfect but helpful for troubleshooting.

I tried removing arp-cache and it looked like the problem was gone... wireless clients go into sleep mode and wake up with network access!

Problem solved right?? wrong!!

Although the clients get IP address, their association/authorization?? at the access point fails at some point.

The "show dot11 association" still shows "28cf.dae0.3574 0.0.0.0  unknown - self  EAP-Assoc" but since ARPs are sent to those clients anyway, network access is ok.

It appears that when clients "wake up", they get IP from DHCP (as expected)!

What is failing is the association/authorization?? at the access-point.

I'm happy for the "turn around" but this is not the desired solution.

Arp-cache has proven to be a good feature for our topology and I would like to keep it ON.

We use 802.1x, WPA2 Enterprise.

We recently moved from WPA/TKIP to WPA/AES.

Do you think there could be an issue there??

I don't know much about these but, could "dot11 wpa handshake init-delay" or "dot11 wpa handshake timeout" help??

New Member

sleep mode causes 0.0.0.0 dot11 association

I don't think I was very clear so I decided to create a new thread about this subject.

https://supportforums.cisco.com/thread/2150978

thanks
