Environment : In a multi-cluster IAP deployment, the customer may enable L3 mobility between clusters. When the same user VLANs are configured on the IAP uplink ports of different IAP clusters, a Layer 2 loop can occur.
This problem exists in IAP version 184.108.40.206 and earlier releases.
Symptoms :
1. The IAP is not accessible.
2. The IAP goes down.
3. The core or edge switches show high CPU utilization.
4. Broadcast traffic loops between the clusters.
The loop is triggered by the combination of the following two configurations:
- L3 mobility is configured in each cluster, i.e., the virtual controller IP of every cluster is entered under the L3 mobility window. The VLAN subnets (HAT table) are optional and not required to trigger the loop.
- The same user VLANs are allowed on the IAP uplink trunk ports in each cluster.
When L3 mobility is enabled between IAP clusters, a GRE tunnel is created automatically between the Home Agent (HA) IAP and the Foreign Agent (FA) IAP. When a roaming wireless client sends a broadcast on its FA, the FA forwards the packet to the HA through the GRE tunnel. The HA floods it out of its uplink port; because the FA's uplink trunk carries the same user VLAN, the FA receives that same broadcast on its uplink port and sends it back to the HA through the tunnel again. The packet circulates indefinitely: this is the loop.
There are two solutions for this problem:
1. Disable L3 mobility on every cluster: remove all virtual controller IPs from the L3 mobility window. Without mobility peers no GRE tunnel is built, so the broadcast is never tunnelled back to the HA. Note that clients roaming between clusters will then no longer keep their IP address.
2. Do not configure the same user VLANs in different clusters, and on the IAP uplink trunk ports allow only the user VLANs configured for that cluster's SSIDs, disallowing all other VLANs. A broadcast flooded by the HA then never reaches the FA's uplink port, so it cannot be sent back through the tunnel.
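The following simulation is an added example, not Aruba code or configuration. It models the forwarding path described in the cause section (FA, GRE tunnel, HA, uplink, wired switches, FA again) and then applies each of the two solutions to the same broadcast, showing which topologies loop. The class names, port labels ("wireless", "gre", "uplink"), the hop cap and the rule that the GRE tunnel exists only when both clusters have L3 mobility configured are modelling assumptions, not IAP internals.

```python
"""Model of the HA/FA broadcast loop and of the two fixes.

Added example, not Aruba code: the forwarding rules are a deliberate
simplification of the behaviour the article describes. Class names, port
labels and MAX_HOPS are assumptions made for this illustration.
"""

from collections import deque
from dataclasses import dataclass

MAX_HOPS = 50  # safety cap so a looping frame cannot run the simulation forever


@dataclass(frozen=True)
class Iap:
    name: str
    uplink_vlans: frozenset  # user VLANs allowed on this IAP's uplink trunk port
    l3_mobility: bool        # True when peer virtual-controller IPs are listed under L3 mobility


@dataclass
class Topology:
    ha: Iap      # Home Agent: the IAP (cluster) that owns the client's home VLAN
    fa: Iap      # Foreign Agent: the IAP the client roamed to
    vlan: int    # home VLAN of the roamed client

    def tunnel_up(self):
        # assumption: the GRE tunnel exists only when both clusters list each other's VC IP
        return self.ha.l3_mobility and self.fa.l3_mobility

    def wired_flood(self, ingress):
        """Core/edge switches flood a tagged broadcast to every other IAP uplink
        trunk that carries the VLAN (never back out of the ingress port)."""
        return [i for i in (self.ha, self.fa)
                if i is not ingress and self.vlan in i.uplink_vlans]

    def next_hops(self, node, via):
        """Where a broadcast that reached `node` through port `via` goes next."""
        if node is self.fa and via == "wireless":
            if self.tunnel_up():
                return [(self.ha, "gre")]                  # roamed client's frame is tunnelled home
            return [(n, "uplink") for n in self.wired_flood(node)]  # no mobility: bridged locally
        if node is self.ha and via == "gre":
            return [(n, "uplink") for n in self.wired_flood(node)]  # HA floods out of its uplink
        if node is self.fa and via == "uplink" and self.tunnel_up():
            return [(self.ha, "gre")]                      # FA sends the home-VLAN broadcast back again
        return []                                          # delivered to local wireless clients only


def trace_broadcast(topo):
    """Follow one broadcast sent by the roamed client. Returns (looped, path).

    A loop is declared as soon as the frame re-enters a (node, port) state it
    has already been in, or if MAX_HOPS is exceeded."""
    path, seen = [], set()
    queue = deque([(topo.fa, "wireless")])
    while queue:
        node, via = queue.popleft()
        path.append(f"{node.name}<-{via}")
        state = (node.name, via)
        if state in seen or len(path) > MAX_HOPS:
            return True, path
        seen.add(state)
        queue.extend(topo.next_hops(node, via))
    return False, path


def scenario(mobility_ha, mobility_fa, fa_uplink_vlans, vlan=100):
    """Build a two-cluster topology (VLAN numbers are constructed sample data)."""
    ha = Iap("HA-clusterA", frozenset({vlan}), mobility_ha)
    fa = Iap("FA-clusterB", frozenset(fa_uplink_vlans), mobility_fa)
    return trace_broadcast(Topology(ha, fa, vlan))


if __name__ == "__main__":
    # bug: L3 mobility on both clusters and VLAN 100 allowed on both uplinks
    print("bug  :", scenario(True, True, {100}))
    # fix 1: L3 mobility removed from every cluster
    print("fix 1:", scenario(False, False, {100}))
    # fix 2: cluster B's uplink carries only its own user VLAN (200), not VLAN 100
    print("fix 2:", scenario(True, True, {200}))
```

In the bug scenario the trace returns to the HA over GRE a second time and the simulation reports a loop; with either fix the broadcast stops after a single hop, because there is no tunnel to carry it back (fix 1) or the wired switches never deliver it to the FA's uplink (fix 2).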