You have 2200 1142 model AP's all running in H-REAP mode.
You have about 22000 wifi clients.
The WLC's are configured with a single management interface IP address
and the AP's are all in remote locations connected over a WAN.
You are finding that the WLC's are initiating packets with the source mac-address of each
client because the 6500 core switch that all your WLC's are connected to have a mac address
table of about 18000 mac entries. 16000 of those are client mac address.
This will be a major problem when you migrate to nexus switches that onlysupport 16000 macaddresses.
You need to find out why this is happening and need to stop the WLC's from making the
6500's learn 15000 mac address. You see no reason why the WLC needs to do this.
You are hitting his proble due to the following bugs causing H-REAP packet leak on the WLC Network:
Timing delay on HREAP locally switched WLAN's between WLC moving HREAP locally switched client into RUN state and the AP learning about the client status moving into RUN statecauses client packets to egress wlc. Hence the switch updates its mac address table with client entries from locally switched WLAN's.
Workaround: Create a dummy interface and tie the WLAN to that interface with a dummy VLAN that does not exist on the switch.
Setup an interace ACL on the management interface to block any traffic egressing the WLC. This is a deny allACL for bi-directional from any ip address. Once this is in place we should not see any
client packets egress the WLC after they have been placed into the RUN state by the WLC.
After the ACL in place any egress traffic for HREAP clients on your network should only be for clients stuck in the webauth_reqdstate.We will need a client from any of your remote networks connecting to your HREAP local switching SSID. Technically if we do not accept the webauth credentials for this client we should see the WLC place this client in the webauth_reqd state for 5 mins. This should give us enough time to analyze a packet leak for clients in this state.
hi, I have a 1562i access point that I want to use as a controller but in the same location I have installed another ME Controller with the same type of AP. Is it possible to deploy the same 2 ME Controller in one network?
Hi,My 3602 running 15.3.3JF12i will only broadcast on 802.11N over 2.4G only. The config I have is: dot11 ssid LM0701band-selectauthentication openauthentication key-management wpa version 2guest-modewpa-psk ascii 7 xxx-snip-interface Dot11Radi...
Hello All, I have more than 150+ AP in my corporate network and when I tried to add a new one, it gives me this error during the discovery. AP Model: AIR-AP2802E-Z-K9 AP Running Image : 18.104.22.168 [*07/26/2021 03:00:07.7717] CAPWAP...
I was designing a dot1x setup where the machine authentication gets a restricted vlan and the user+ machine authentication gets the full access vlan. So when a user opens up his laptop , it will first perform the machine authentication. Clearpass will pus...
I'm wondering if someone can explain the Flex NAT/PAT feature within the Embedded Wireless Controller? I'm familiar with the local switching which is done by default, but am struggling to find some information about how Flex NAT/PAT works.