ArubaOS and Controllers

Occasional Contributor II
Posts: 100
Registered: ‎11-05-2009

Broadcast / Multicast causing network problems

Hi all,

I've been having some general wireless problems since we installed our Aruba system (5.0.3.0 AOS, ~130 APs, reaching 2,000 concurrent users) and, with the assistance of support, finally had this identified as the 2.4GHz radio being busy >80% of the time for most APs. Further investigation identified broadcast and multicast to be the cause of this.

We have always enabled Deny Inter User Traffic in the stateful firewall. I was under the impression that this was supposed to deny all traffic between wireless clients however it appears to only deny unicast (so bc/mc is allowed). This sounds like a bug to me, but I've been told it's intended behavior.

There is the "Drop Broadcast and Multicast" setting (SSID profile) and enabling this made a big difference - however: we have one SSID 'eduroam' where the RADIUS server can assign different VLANs based on user credentials. One of these VLANs requires multicast from the wireless clients to discover (wired) printers, and enabling this causes printing to break. As the setting is per SSID we can't enable it for just specific VLANs. Having lots of SSIDs isn't an option.

The firewall policy creation allows an alias "user" and I have tried creating a rule where any source, alias user destination, udp port 5353 (mdns, a common multicast packet) is dropped however this does actually drop the packets (I guess because the packet destination is a multicast address and the PEF will be trying to match the specific IP of the user?).

We have enabled "BC/MC Rate Optimization" and we might look at removing the 1MB association rate (this needs investigation to confirm no users actually use it).

Does anyone have any suggestions for what else we can try? Any comments on whether any of these things should actually be bugs (like dropping all inter-user traffic only working for unicast)? And a more general question of what people do to deal with broadcast/multicast on large networks?

Cheers,
-Jeff
Guru Elite
Posts: 19,964
Registered: ‎03-29-2007

Re: Broadcast / Multicast causing network problems

No doubt, broadcasts are the enemy of wireless. Dropping broadcasts at the Virtual AP does deal with this. If you are having users that need access to resources/applications that rely on broadcasts then you need to permit those applications and deny all others (turn off the drop broadcasts knob). The bad part is that your users pay a great penalty for any protocol that broadcasts all the time, but is not used often. Every broadcast frame that is sent by a client is seen and "processed" by every device on the WLAN. Ethernet has dealt with this by moving to a switched model, but the same is not available for wireless.

ip access-list session permit_mDNS
any any udp 5353 permit
!
ip access-list session deny_SSDP_and_UPnP
any host 239.255.255.250 any deny
any host 239.255.255.253 any deny
!

Please consider augmenting this with a print server or applications that use unicast instead.

Deny inter-user-bridging was only intended for unicast traffic between users.

I will let others weigh in, but deploying unicast applications/services is probably the best long-term solution for this.
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Occasional Contributor II
Posts: 100
Registered: ‎11-05-2009

Re: Broadcast / Multicast causing network problems

Thanks for the reply Colin,

Unfortunately the print service (and most other services) are out of my control. I can make suggestions, and in the future might be able to influence; but currently I need to provide a working service to support what is currently being used.

My current plan is to create a user role which drops all bc/mc traffic and apply that as the default user role. I will then have another role which allows some bc/mc and use the AAA server group to apply this role when the RADIUS server returns a specific VLAN known to need mc.

Considering how much of a problem bc/mc can be, I am very surprised that there isn't an option to stop it inter-client, as there is for unicast. I'm also frustrated that the wording incorrectly says "Deny Inter User Traffic" and not "Deny Inter User Unicast Traffic" - whatever might be intended, had I known it was only unicast it would have had an impact on whether we chose Aruba as our wireless vendor.

I'd still be interested to hear what other people do about bc/mc (maybe they are able to enforce services that don't rely on multicast).

-Jeff
Guru Elite
Posts: 19,964
Registered: ‎03-29-2007

Re: Broadcast / Multicast causing network problems

Broadcasts and multicasts are not inter-client, because they are not sent to a client or user, per se. The feature was not meant to limit broadcasts.

If you block broadcasts in one role, but allow them in another role, your users in the non-broadcast role are still subject to those broadcasts from users in the broadcast role, because they have to see and process them over the air. That is how the standard works. Wireless emulates wired as much as possible, but it has to be designed differently because the medium is shared, regardless of the vendor you choose. Since your printing method is not going away any time soon, observe the broadcast traffic that your clients are sending and block every broadcast/multicast destination, except for what you need. That is probably the best way to manage it in the short term.
Colin Joseph
Aruba Customer Engineering
Occasional Contributor II
Posts: 100
Registered: ‎11-05-2009

Re: Broadcast / Multicast causing network problems

The role will be applied based on VLAN assignment, so all users in vlanX will be allowed to transmit bc/mc (so all other users in the same VLAN will receive it); however, users in vlanY will have it blocked in their role, so they will only see bc/mc traffic which is generated in the wired part of the network (mostly this will be a wireless-client-only network, so nothing on the wire will generate bc/mc).
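Putting the pieces of this thread together (Colin's "deny every bc/mc destination except what you need" ACLs and Jeff's plan of a default drop-bc/mc role plus a second role derived from the RADIUS-returned VLAN) as one ArubaOS configuration. This is an added example, not config posted in the thread or taken from Aruba documentation: the role names, the ACL names, VLAN 20 as the printer VLAN, the server group "eduroam-servers", the RADIUS server "radius1" and the AAA profile "eduroam" are all assumed, and the syntax follows the ArubaOS 5.x/6.x session-ACL, user-role and server-group derivation-rule forms.

```text
! Added example (not from the thread). Assumed names: printer VLAN 20,
! roles wifi-nobcmc / wifi-printing, server group eduroam-servers,
! RADIUS server radius1, AAA profile eduroam.

! 1. Broadcast that every client must still be able to send. DHCP discover
!    goes to 255.255.255.255 udp 67, so it has to be permitted BEFORE the
!    deny lines below or clients never get an address. ARP is not IP and is
!    not matched by session ACLs, so it needs no rule here.
ip access-list session bcmc-essentials
  any any svc-dhcp permit
!
! 2. The one multicast discovery the printer VLAN actually needs: mDNS to
!    224.0.0.251 udp 5353. Only the printing role gets this ACL.
ip access-list session allow-mdns
  any host 224.0.0.251 udp 5353 permit
!
! 3. Every other broadcast or multicast destination, denied. Matching on
!    the destination address is what makes this work: the "user" alias
!    matches a client's own unicast address and never matches a group or
!    broadcast destination, which is why a "user"-destination rule did
!    not catch udp 5353.
ip access-list session deny-bcmc
  any host 255.255.255.255 any deny
  any network 224.0.0.0 240.0.0.0 any deny
!
! Default role: DHCP first, then deny all bc/mc, then ordinary unicast.
! ACL order inside the role is the match order.
user-role wifi-nobcmc
  access-list session bcmc-essentials
  access-list session deny-bcmc
  access-list session allowall
!
! Printing role: identical, but mDNS is permitted ahead of the deny.
user-role wifi-printing
  access-list session bcmc-essentials
  access-list session allow-mdns
  access-list session deny-bcmc
  access-list session allowall
!
! Server-group derivation rule: if the RADIUS Access-Accept carries the
! printer VLAN in Tunnel-Private-Group-Id, the client gets the printing
! role; everyone else keeps the dot1x default role from the AAA profile.
aaa server-group eduroam-servers
  auth-server radius1
  set role condition Tunnel-Private-Group-Id equals "20" set-value wifi-printing
!
aaa profile eduroam
  authentication-dot1x default
  dot1x-server-group eduroam-servers
  dot1x-default-role wifi-nobcmc
!
```

Two caveats a practitioner should keep in mind. First, `host 255.255.255.255` only covers the limited broadcast; subnet-directed broadcasts (the .255 address of each client VLAN) need their own deny line per subnet if clients are seen sending them. Second, denying 224.0.0.0/4 also drops IGMP membership reports from clients in the wifi-nobcmc role, so they cannot join multicast streams at all, which is the intent of a drop-everything default role but should be stated to whoever owns the services. After applying, watch the hit counters on deny-bcmc to confirm it is catching what the air-time complaint was about, and remember Colin's point above: the ACL stops the flood from being repeated to other clients, but frames clients in the printing role still transmit are heard by every client on that channel.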
