topic Re: How WLC calculate dirty interface in Wireless

How WLC calculate dirty interface

Safwan Hashan — Mon, 05 Jul 2021 17:41:19 GMT

Hi,

I have some issue with the interface group setup.

Scenario :

Cisco WLC 5520 running 8.5.140 code.

15 interface in 1 interface group.

Open authentication SSID

Authentication in Firewall. Allowed 7 days for each client.

So, my question is, how do the WLC determine my VLAN is dirty and is there any ways to override this configuration so that my WLC will follow the firewall configuration which is 7 days for each client. Some of my client get the authentication page before 7days.

Thanks in advanced.

Re: How WLC calculate dirty interface

Sandeep Choudhary — Wed, 10 Jul 2019 09:00:21 GMT

are you using webauth on SSID ?

If yes then adjust the timeout on WLC including sleeping client feature.

Regards

Dont forget to rate helpful posts

Re: How WLC calculate dirty interface

Safwan Hashan — Wed, 10 Jul 2019 09:46:29 GMT

No, im not using webauth. Im using open authentication,

Re: How WLC calculate dirty interface

Arne Bier — Fri, 12 Jul 2019 07:30:43 GMT

When you say "VLAN is dirty", do you mean DHCP exhaustion? If so, then the answer is that the WLC listens for DHCP Replies and if none is received, then the WLC calculates a new hash value to select a different interface. Then same algorithm runs again.

Re: How WLC calculate dirty interface

Safwan Hashan — Fri, 12 Jul 2019 07:37:33 GMT

Hi,

The client shouldn't be authenticate before 7 days because the mac address of the client is stored in firewall.

The only reason client get re-authenticate before 7 days is because the client is changing its IP address.

So, when the client get re-authenticate before 7 days, i check the WLC and it shows as below output.

(Cisco Controller) >show interface group detailed <int group>

Interface Group Name............................. <int group>
Quarantine ...................................... No
Number of Wlans using the Interface Group........ 2
Number of AP Groups using the Interface Group.... 122
Number of Interfaces Contained................... 16
mDNS Profile Name................................ Unconfigured
Failure-Detect Mode.............................. Aggressive
Interface Group Description......................
Interfaces Contained in this group ..............
pool 701
pool 702
pool 703
pool 704
pool 705
pool 706
pool 707
pool 708
pool 709
pool 710
pool 711
pool 712
pool 713
pool 714 *
pool 715
pool 716
Interface marked with * indicates DHCP dirty interface
Interface list sorted based on vlan:

Index Vlan Interface Name Dirty Failures DirtyTime(s)
----- ---- -------------------------------- ----- ------------- ---------
0 701 pool 701 No 0 0
1 702 pool 702 No 0 0
2 703 pool 703 No 0 0
3 704 pool 704 No 0 0
4 705 pool 705 No 0 0
5 706 pool 706 No 0 0
6 707 pool 707 No 0 0
7 708 pool 708 No 0 0
8 709 pool 709 No 0 0
9 710 pool 710 No 0 0
10 711 pool 711 No 0 0
11 712 pool 712 No 0 0
12 713 pool 713 No 0 0
13 714 pool 714 Yes 7 863
14 715 pool 715 No 0 0
15 716 pool 716 No 0 0

Is there any ways to turn this dirty interface off?

Thanks in advanced.

Re: How WLC calculate dirty interface

Flavio Miranda — Thu, 18 Jul 2019 15:50:11 GMT

I think you´re misinterpreting concepts here. Dirty interface, as mentioned above, is an flap indicating that something is not good on the DHCP service. This can become Dirty because you DHCP scope is full, or the DHCP request send on that interface it not reaching the DHCP server. After some failing attempt in a specific interface, WLC mark that interface as Dirty and stop asking DHCP on that interface for a while. You can see a counter on the interface Dirty.

Re-Authentication and DHCP renew are different things. You can have a lease time let´s say of 5 minutes and a Session time out of 60 minutes. Which means, IP address will be renewed many times until the re-authentication take place.

You can configure Session timeout as 0 "zero" and then disable Session timeout.

Valid ranges to Session timeout are:

Configurable session timeout range is:
• 300-86400 for 802.1x.
• 0-65535 for all other security types.

If in your case you care using Open Authentication, you can use up to 65535 seconds which means 18 hours.

-If I helped you somehow, please, rate it as useful.-

Re: How WLC calculate dirty interface

Safwan Hashan — Wed, 31 Jul 2019 03:02:41 GMT

Hi,

Thanks. We disable the session timeout but the issue is still there.

So, i'm changing the configuration for interface group to non-aggressive and we dont have any interface dirty anymore.