09-09-2013 01:31 AM - edited 07-04-2021 12:47 AM
There is a huge amount of CAPWAP traffic from an access point to the AP manager IP address of WiSM1. Around 215 gig. Is it normal or something strange?
09-09-2013 03:01 AM
Is it 215 Gbps? All CAPWAP traffic from AP to WLC includes user traffic as well. So this could be your users' genuine traffic as well. How many APs are managed by this WiSM? What is the general traffic load on an average day?
If you have a tool (like NetFlow, etc.) to see what traffic goes to the controller, then you can determine who the top talkers are and then assess whether it is genuine or not.
Since it is a WiSM, there is no easy way of taking a packet capture between the 6500 and the WiSM itself.
HTH
Rasika
09-09-2013 04:43 AM
Thank you for the useful information.
Is there any way to identify which client has utilized the traffic? On a daily average it will be 6 gig traffic. But in one day it rose to 215 gigabytes. Now my worry is: is it client traffic, an AP malfunction or some threat?
09-09-2013 05:53 AM
Like Rasika mentioned, you would need NetFlow; other than that, you will not be able to know what client. One best practice also to eliminate traffic from APs is to define your syslog for the APs, or else it's a broadcast. If you don't have a syslog, then put a bogus IP address:
config ap syslog host global
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
09-09-2013 10:57 AM
Hello Team;
We have a Palo Alto for monitoring the traffic. In Palo Alto it is reported that from the source IP address of the AP to the destination AP Manager IP address of the WiSM there was 215 gigabytes of CAPWAP traffic.
It cannot be normal as the amount of traffic is huge. So we are suspecting some misbehaviour. If we enable NetFlow or syslog on the AP, what information can we capture?
Also, please share your thoughts about the issue.
It happened last week; is there any way to find out if it was actual CAPWAP traffic or some client traffic?
09-09-2013 12:01 PM
Well, you have a source IP; what is the source IP... an access point? If so, make sure that the AP isn't bouncing.
Thanks,
Scott
09-09-2013 12:10 PM
The source is an AP and the destination is the AP Manager IP address of WiSM1 Controller-1.
It's reported only for one day, and the association time of the AP is fine with the controller as well.
09-09-2013 12:12 PM
If you know the AP, then take a Wireshark packet capture of that AP's connected switch port while you are having a high volume of traffic. That will tell you what that traffic is.
HTH
Rasika
09-09-2013 12:14 PM
It was one-time traffic and now it's normal.
09-09-2013 12:16 PM
Then you should have a tool to go back and check (like a NetFlow collector). Otherwise you have to keep a close watch, and if that occurs again, take a capture at that time.
HTH
Rasika
09-10-2013 08:04 AM
Also, check your Palo Alto device. Sometimes really weird things happen with PA...
09-10-2013 11:13 AM
Hi,
The following link might help regarding the NetFlow information,
09-10-2013 01:03 PM
You can use a NetFlow tool to analyze traffic and know whether it is normal or not.
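Added example, not from any poster in this thread: one way to go back through exported flow records and flag the day on which a single AP's CAPWAP volume toward the AP manager address departs from its own baseline, as with the 6 GB versus 215 GB day discussed above. The CSV column names, the addresses and the 5x threshold are assumptions; the sample rows are constructed. Because client traffic is encapsulated in the tunnel, these flows identify the AP, not the client behind it.

```python
import csv
import io
from collections import defaultdict
from statistics import median

CAPWAP_PORTS = {5246, 5247}  # CAPWAP control and data UDP ports (RFC 5415)

# Constructed sample flow export; column names and addresses are hypothetical.
SAMPLE_FLOWS = """day,src_ip,dst_ip,proto,dst_port,bytes
2013-09-01,192.0.2.11,192.0.2.5,17,5247,6100000000
2013-09-02,192.0.2.11,192.0.2.5,17,5247,5800000000
2013-09-03,192.0.2.11,192.0.2.5,17,5247,215000000000
2013-09-03,192.0.2.11,192.0.2.5,17,5246,40000000
2013-09-04,192.0.2.11,192.0.2.5,17,5247,6300000000
2013-09-01,192.0.2.12,192.0.2.5,17,5247,4000000000
2013-09-02,192.0.2.12,192.0.2.5,17,5247,4500000000
2013-09-03,192.0.2.12,192.0.2.5,17,5247,4200000000
2013-09-03,192.0.2.12,192.0.2.99,6,443,900000000000
"""

def daily_capwap_bytes(flow_csv, ap_manager):
    """Sum CAPWAP bytes per AP per day toward the AP manager address."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in csv.DictReader(io.StringIO(flow_csv)):
        if (r["dst_ip"] == ap_manager and r["proto"] == "17"
                and int(r["dst_port"]) in CAPWAP_PORTS):
            totals[r["src_ip"]][r["day"]] += int(r["bytes"])
    return totals

def flag_spikes(totals, factor=5.0):
    """Return (ap, day, bytes, ratio) where a day exceeds factor x the
    median of that AP's other days; the spike is kept out of its baseline."""
    alerts = []
    for ap, days in totals.items():
        for day, used in days.items():
            others = [b for d, b in days.items() if d != day]
            if not others:
                continue  # a single day of data gives no baseline
            base = median(others)
            if used > factor * base:
                alerts.append((ap, day, used, round(used / base, 1)))
    return sorted(alerts)

if __name__ == "__main__":
    totals = daily_capwap_bytes(SAMPLE_FLOWS, "192.0.2.5")
    for ap, day, used, ratio in flag_spikes(totals):
        print(f"{ap} {day}: {used / 1e9:.1f} GB, {ratio}x its usual day")
```
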