cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3049
Views
0
Helpful
12
Replies

CAPWAP Traffic

sreejith_r
Level 1
Level 1

There is a huge amount of CAPWAP traffic from access point to the ap manager IP address of WiSM1 . Around 215 gig. Is it normal or something strange

Sent from Cisco Technical Support iPhone App

12 Replies 12

Is it 215 Gbps ? All CAPWAP traffic from AP to WLC include user traffic as well. So this could be your users' genuine  traffic as well. How many APs managed by this WiSM ? what is the general traffic load in a average day ?

If you have tool (like netflow,ect) to see what traffic goes to controller  then you can determine who is the top talkers & then you can assess whether it is genuine or  not

Since it is WiSM no easy way of taking a packet capture beteeen 6500 & WiSM it self

HTH

Rasika

sreejith_r
Level 1
Level 1

Thank you for the useful information

Is there any way to identify which client has utilized the traffic. On a daily average it will be 6 gig traffic. But in one day it raised to 215gigabytes . Now my worry is it a client traffic , ap malfunction or some threat

Sent from Cisco Technical Support iPhone App

Like Rasika mentioned, you would need netflow, other thatn that, you will not be able to know what client.  One best practice also to eliminate traffic from AP's is to define your syslog for the AP's or else its a broadcast.  If you don't have a syslog, then put a bogus ip address:

config ap syslog host global

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***


Hello Team;

    We are having a palo alto for monitoring the traffic. In palo alto it is reported that from the sourtce ip address of the AP to the destination AP Manager ip address of the WiSM  there was 215 Gigabytes of CAPWAP traffic.

It cannot be normal as the amount of traffic is huge. So we are suspecting some misbehaviour. If we enable netflow or syslog on the AP what are the information we can capture.

Also please share your thoughts about the issue ?

It happened on last week and is there any way to findout is it was an actial capwap traffic or some client traffic.

Well, you have a source ip, what is the source ip... an access point?  If so, make sure that the ap isn't bouncing.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

The source is an AP and the destination is the AP Manager IP address of WiSM1 Controller-1.

Its reported only for one day and the association time of the AP is fine with the controller as well.

If you know the AP, then take a wireshark packet capture of that AP connected switch port while you are having high volume of traffic. That will tell you what that traffic is

HTH

Rasika

It was a one time traffic and now its normal

Then you should have a tool to go back & check (like netflow collector). Otherwise you have to keep a close look and if that occur again, take a capture at that time

HTH

Rasika

Also, check your palo alto device. Sometimes really weird things happens with PA...

Abhishek Abhishek
Cisco Employee
Cisco Employee

You can use Netflow tool  to analyze traffic and know whether it is normal or not.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: