topic Too large IP subnets for wireless clients ? in Wireless

Too large IP subnets for wireless clients ?

Steven Shelton — Mon, 05 Jul 2021 14:00:27 GMT

Has anyone experienced broadcast issues with subnets larger than /22? Customer want to increase subnet size to /19, which seems like a problem waiting to happen.

Does Cisco have recommendations on sizing subnets for wireless?

Thank you for your response

I recall reading somewhere

Ric Beeching — Fri, 12 May 2017 01:08:03 GMT

I recall reading somewhere that no more than a /23 is recommended but I can't remember where! I have seen networks working fine with /21 and /20 but it depends on what types of traffic you are expecting (e.g. if high in Apple devices there will be lots of Bonjour traffic) and, if there's a local WLC, are you forwarding broadcasts? IPv6 and LLMNR are also common protocols that can use up switch resources and flood the VLANs.

Ric

Ric,

Steven Shelton — Fri, 12 May 2017 11:16:40 GMT

Ric,

The number of Apples device using wireless is about 50% of the total 7000 clients.

For the most part, the WLC is local to the APs, this is a campus environment with three remote sites. Two remotes are relatively small, less than 20 APs, the other remote site will reach around 100 APs once the new building is finished.

Currently, no IPv6 and probably no LLMNR since we have no older Windows desktops or servers.

I assume that broadcast traffic is forwarded from the wired vlan via the SSID to its wireless clients. I am not aware of any controls in place that would prevent it. Should we block or limit b'cast traffic? How would you do that?

Thank you for your reponse

For your remote offices are

Ric Beeching — Sat, 13 May 2017 03:41:59 GMT

For your remote offices are the APs in FlexConnect mode or do you tunnel all that back to your WLC? I'm assuming they do all tunnel back if you're using the same subnet for everything?

Broadcast traffic is not forwarded across the WLC by default (from wired to wireless and vice versa) so you should be ok there.

By default layer 2 multicast is also not forwarded unless multicast snooping is enabled. This will prevent apple devices from seeing each other using bonjour but also limit the mDNS traffic smashing your LAN.

The other issue with running many devices will multicast capabilities is these message are unicast between APs from the WLC and also then to each client. To mitigate this you can use ap multicast mode but there is still a risk the amount of traffic will result in a flood of unicasts on your wireless network.

Ric

what WLC model in use ? If it

Rasika Nayanajith — Sat, 13 May 2017 20:50:34 GMT

what WLC model in use ? If it is 5508, then keep 7K is the max client limit. So even you allocate /19 (8192 hosts), WLC cannot handle that many clients in its database (if it is 8540/5520 you should be ok).

With increase subnet size, you need to look at the ARP table size of L3 switch these wireless client terminate. It will mostly become bottleneck when it handles large MAC address table.

Regarding wireless side as Ric pointed, as long as you do not enable "broadcast forwarding" feature, you should be fine with /19 network.

HTH

Rasika

*** Pls rate all useful responses ***

here is partial output from

Steven Shelton — Sun, 14 May 2017 01:10:15 GMT

here is partial output from "show network summary", Ethernet broadcast forwarding is enabled.


Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Disable
Secure Web Mode SSL Protocol................ Disable
OCSP........................................ Disabled
OCSP responder URL.......................... 
Secure Shell (ssh).......................... Enable
Secure Shell (ssh) Cipher-Option High....... Disable
Telnet...................................... Disable
Ethernet Multicast Forwarding............... Enable
Ethernet Broadcast Forwarding............... Enable
IPv4 AP Multicast/Broadcast Mode............ Multicast Address : 239.240.240.1
IPv6 AP Multicast/Broadcast Mode............ Multicast Address : ::
IGMP snooping............................... Enabled
IGMP timeout................................ 60 seconds
IGMP Query Interval......................... 20 seconds
MLD snooping................................ Disabled

This is not looking good.

Rasika Nayanajith — Sun, 14 May 2017 23:21:00 GMT

This is not looking good.

do you see high channel utilization in this network ? If you forward all broadcast over the air, that should consume most of valuable air time, resulting degraded performance for clients.

In a large network, this is not an recommended setting. By default this is in "disabled" state.

HTH

Rasika

*** Pls rate all useful responses ***

As simple as this seems, I'm

Steven Shelton — Thu, 18 May 2017 13:06:35 GMT

As simple as this seems, I'm not sure I fully understand exactly what this function does. Are these statements correct?

If Ethernet Broadcast Forwarding is disabled then broadcast packets are only forwarded to a specific AP?

If Ethernet Broadcast Forwarding is enabled then all broadcast packets are forwarded to all APs?

The Ethernet broadcast traffic would be from the vlan which is mapped to the SSID in the AP group.

And since Ethernet Broadcast Forwarding is a global setting, the broadcast traffic would include all vlans/SSIDs in the all AP groups.

If Ethernet Broadcast

Ric Beeching — Thu, 18 May 2017 13:16:07 GMT

If Ethernet Broadcast Forwarding is enabled then the WLC will pass any broadcasts like network discoveries through which can result in significant performance impact. For example, if you have 7000(!) clients in one subnet and half of those are wireless half are wired. For every device that sends out some form of broadcast, e.g. a network discovery broadcast, that packet will be unicast to each of your Cisco APs to start with (unless you have AP Multicast enabled) and then after that it will be unicast to every single one of your wireless clients so that's 3500 wireless unicasts + the number of APs you have as overhead. Now what happens when two clients start broadcasting etc etc... you get my point.

If Ethernet Broadcast is disabled (common) then basically the WLC blocks those sorts of things traversing it which seems to have very little affect on most networks and is recommended.

Correct on the global front, it would affect everything if the APs are in local mode or central switching with FlexConnect.

Ric