Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
541
Views
2
Helpful
6
Replies

Vrrp multicast messages over wifi air

mikhailov.ivan
Level 1
Level 1

‎05-07-2023 06:14 AM

Hello colleagues! After googling about 30 min, I didn't find the answer, so I hope for your help. The simple question: there are 2 routers , let it be c8300 sd-wan as a VRRP pair , there is a WLC c9800-L and several APs 9100 connected to C9300 switches. Question is: why wireless clients can hear the VRRP mcast hello messages on the 224.0.0.18 group? Technically I understand why, but shouldn't it be blocked by default? It doesn't make a sense to sent this mcast messages over the air, it will utilize the airtime. Is there an elegant solution how to prevent it? Except the any kind of ACLs on switches ?  Even more on another wifi vendor I can't see these messages.

If there is a topic about this problem, please point out by finger.

Thanks!

Labels:
0 Helpful
6 Replies 6

Flavio Miranda
VIP
VIP

‎05-07-2023 06:55 AM

Hello,

 The explanation could be this:

"When the multicast mode is enabled and the controller receives a multicast packet from the wired LAN, the controller encapsulates the packet using CAPWAP and forwards the packet to the CAPWAP multicast group address. The controller always uses the management VLAN for sending multicast packets. Access points in the multicast group receive the packet and forward it to all the BSSIDs mapped to the VLAN on which clients receive multicast traffic. "

This doc can be usefull to undestand the behavior and take action if required.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m-vewlc-multicast-cg.html

For example, the WLC have this possiblity:

Device(config)# wireless multicast

You could disable this with "no wireless multicast"  but of course, you need to consider the impact first.

mikhailov.ivan
Level 1
Level 1

‎05-07-2023 08:08 AM

thanks mate! Yes , I understand how it works in general, but is there any elegant solution for filtering unuseless vrrp messages over the air? Or only ACLs can help ?

0 Helpful

Flavio Miranda
VIP
VIP
In response to mikhailov.ivan

‎05-07-2023 08:36 AM - edited ‎05-07-2023 08:40 AM

I believe, never had to, you can disable the multcast option on the WLC ,as I said. This way you would change the WLC behavior related to multicast. 

Another option could be use the commamd "switchport block multicast' on the switch.

 A thirdy option would seggregate the broadcast domain but it may depend on the switch licensing.

 ACL may note filter multicast as this traffic is usually sent to the Control plane and not to Data plane.

 

mikhailov.ivan
Level 1
Level 1

‎05-08-2023 06:09 AM

yep, I understand that we can disable multicast completely , but it's not our goal, we need some other groups. It seems like ACL toward the wlc is a possible way, but I am looking for a more clear solution. Do you have a prove that m-cast is in control plane? AFAIK it's simple packets , but with specific dst-IP.

0 Helpful

Flavio Miranda
VIP
VIP
In response to mikhailov.ivan

‎05-08-2023 06:20 AM

 Any kind of broadcast as far as I know is usually directed to control plane. But you can test it by adding an ACL on the switch or  WLC.

0 Helpful

Rich R
VIP
VIP
In response to Flavio Miranda

‎05-08-2023 09:23 AM - edited ‎05-08-2023 09:23 AM

Multicast handling varies by platform and IOS so like @Flavio Miranda said I think best to just test with ACL on both switch and WLC to see whether either works and then use what's most convenient for you.

I agree that link-local multicast should not be forwarded by the WLC as per https://datatracker.ietf.org/doc/html/rfc5771#section-4

for protocol control traffic that is not forwarded off link.

so might be worth opening a TAC case and getting a bug raised for it.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card