Occasional Contributor II
Posts: 18
Registered: ‎12-04-2008

Bradford NAC detecting MAC addresses on Master and Local controller

Hello, our Bradford NAC is detecting some MAC addresses on both the Master and Local controller simultaneously :confused:. One of the SSIDs is used on both controllers and we split up our APs so that entire buildings are split between the controllers. We assume that the MAC duplication happens when a user goes from one building/controller to another. Campus Manager thinks that a MAC address spoof is in process. :rolleyes: We are not using the Mobility option.

SCII - master - ver: 3.4.1
SCI - local


....don't have the posting rules memorized...I'll post back if I'm missing some info.
Guru Elite
Posts: 20,585
Registered: ‎03-29-2007

Entire Building Split Between Controllers

Firstly as a design issue, it is not advised to split a building between two controllers if you can help it due to all the mobility events that are created. It is also harder to track clients this way. If you decide to do this, however, make some sort of effort to have both controllers place clients on the same layer 2 networks, so they might be able to maintain some sort of state.

With that being said, the current deployment is certainly an issue, because a user entry is not removed from a controller simply because it roams to another controller. Bradford will definitely see that user on each individual controller and report what you are seeing, depending on how often your controllers are polled. The only answer might be to change your design to avoid this.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 18
Registered: ‎12-04-2008

thanks for bitching

I appreciate you replying, but you realize you haven't actually provided any useful information. What you have told me is that I am doing everything wrong and I should change my sinful ways. Sorry that you are having a bad day.

I do apologize for the confusion though because I did not state our setup clearly. Entire buildings are either on one controller or the other, buildings are not split up between controllers.

I can't stress how disappointed I am in your answer. It would seem that if you can have more than one controller that this issue...frankly wouldn't be an issue. Going forward we are adding a third controller, so I need a solution.
Guru Elite
Posts: 20,585
Registered: ‎03-29-2007

Bradford

Well I'm sorry that you are disappointed and that my explanation was not helpful. I submitted a suggestion based on false assumptions. Since you have different buildings on different controllers, can Bradford explain why you are getting that Spoof error?



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 18
Registered: ‎12-04-2008

Re: Bradford NAC detecting MAC addresses on Master and Local controller

The Mac Spoof error seems valid to me. If the same MAC shows on two switches then a Mac Spoof gets generated...well it's the same idea just wirelessly. Make sense?

I played with the idle ageout timers with no satisfactory result.

Also, we have found that clients are flipping back and forth between controllers when they should only be on one or the other. These clients can only successfully associate with one controller at a time due to the distance between AP groups/buildings.

I'll try to post Bradford log shortly.
Occasional Contributor II
Posts: 18
Registered: ‎12-04-2008

Re: Bradford NAC detecting MAC addresses on Master and Local controller

Here is an example client. Aruba6000 and Aruba128 are names of the two controllers. The VLAN 501 has the same DHCP pool for IPs on both controllers.

Wed Sep 22 08:29:07 EDT 2010 Wed Sep 22 08:43:11 EDT 2010 mjn782 Wehde, Erin Aruba128 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 08:43:11 EDT 2010 Wed Sep 22 08:43:25 EDT 2010 mjn782 Wehde, Erin Aruba6000 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 08:43:25 EDT 2010 Wed Sep 22 08:43:48 EDT 2010 mjn782 Wehde, Erin Aruba128 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 08:43:48 EDT 2010 Wed Sep 22 08:43:59 EDT 2010 mjn782 Wehde, Erin Aruba6000 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 08:43:59 EDT 2010 Wed Sep 22 08:45:22 EDT 2010 mjn782 Wehde, Erin Aruba128 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 08:45:22 EDT 2010 Wed Sep 22 08:49:00 EDT 2010 mjn782 Wehde, Erin Aruba6000 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 08:49:00 EDT 2010 Wed Sep 22 08:49:32 EDT 2010 mjn782 Wehde, Erin Aruba128 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 08:49:32 EDT 2010 Wed Sep 22 08:52:51 EDT 2010 mjn782 Wehde, Erin Aruba6000 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 08:52:51 EDT 2010 Wed Sep 22 08:52:55 EDT 2010 mjn782 Wehde, Erin Aruba128 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 08:52:55 EDT 2010 Wed Sep 22 08:54:17 EDT 2010 mjn782 Wehde, Erin Aruba6000 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 08:54:17 EDT 2010 Wed Sep 22 08:54:45 EDT 2010 mjn782 Wehde, Erin Aruba128 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 08:54:45 EDT 2010 Wed Sep 22 08:57:46 EDT 2010 mjn782 Wehde, Erin Aruba6000 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 08:57:46 EDT 2010 Wed Sep 22 08:58:06 EDT 2010 mjn782 Wehde, Erin Aruba128 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 08:58:06 EDT 2010 Wed Sep 22 08:59:48 EDT 2010 mjn782 Wehde, Erin Aruba6000 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 08:59:48 EDT 2010 Wed Sep 22 09:00:08 EDT 2010 mjn782 Wehde, Erin Aruba128 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 09:00:08 EDT 2010 Wed Sep 22 09:00:25 EDT 2010 mjn782 Wehde, Erin Aruba6000 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 09:00:25 EDT 2010 Wed Sep 22 09:00:29 EDT 2010 mjn782 Wehde, Erin Aruba128 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 09:00:29 EDT 2010 Wed Sep 22 09:02:14 EDT 2010 mjn782 Wehde, Erin Aruba6000 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 09:02:14 EDT 2010 Wed Sep 22 09:02:16 EDT 2010 mjn782 Wehde, Erin Aruba128 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 09:02:16 EDT 2010 Wed Sep 22 09:05:48 EDT 2010 mjn782 Wehde, Erin Aruba6000 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 09:05:48 EDT 2010 Wed Sep 22 09:06:19 EDT 2010 mjn782 Wehde, Erin Aruba128 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 09:06:19 EDT 2010 Wed Sep 22 09:06:42 EDT 2010 mjn782 Wehde, Erin Aruba6000 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 09:06:42 EDT 2010 Wed Sep 22 09:07:24 EDT 2010 mjn782 Wehde, Erin Aruba128 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 09:07:24 EDT 2010 Wed Sep 22 09:10:06 EDT 2010 mjn782 Wehde, Erin Aruba6000 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
Wed Sep 22 09:10:06 EDT 2010 Wed Sep 22 09:11:34 EDT 2010 mjn782 Wehde, Erin Aruba128 VLAN VLAN0501 10.128.78.244 00:25:BC:AA:33:96 0 0 0 0
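
In the log above, each session ends at the instant the next one starts on the other controller. The following is an added example (not from the thread, and not Bradford or Aruba code) that separates that back-to-back pattern from a MAC recorded on two controllers with overlapping times. The column meanings, the `flap_threshold` value and the sample rows are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed column layout: start, end, user id, name, controller, "VLAN", VLAN name, IP, MAC, counters.
TS = r"(\w{3} \w{3} +\d+ [\d:]{8}) \w+ (\d{4})"  # zone token (EDT) is matched but not parsed
ROW = re.compile(rf"^{TS} {TS} .*? (\S+) VLAN \S+ \S+ ((?:[0-9A-Fa-f]{{2}}:){{5}}[0-9A-Fa-f]{{2}})")
FMT = "%a %b %d %H:%M:%S %Y"

def parse(line):
    """Return (mac, controller, start, end), or None for rows that do not match."""
    m = ROW.match(line.strip())
    if not m:
        return None
    start, end = (datetime.strptime(f"{m[i]} {m[i + 1]}", FMT) for i in (1, 3))
    return m[6].lower(), m[5], start, end

def classify(lines, flap_threshold=3):
    """Map each MAC to 'simultaneous', 'flapping' or 'normal'."""
    sessions = defaultdict(list)
    for mac, ctrl, start, end in filter(None, map(parse, lines)):
        sessions[mac].append((start, end, ctrl))
    verdicts = {}
    for mac, rows in sessions.items():
        rows.sort()
        overlaps = handoffs = 0
        _, last_end, last_ctrl = rows[0]
        for start, end, ctrl in rows[1:]:
            if ctrl != last_ctrl and start < last_end:
                overlaps += 1   # recorded on two controllers at the same time
            elif ctrl != last_ctrl:
                handoffs += 1   # back-to-back move between controllers
            if end >= last_end:
                last_end, last_ctrl = end, ctrl
        verdicts[mac] = ("simultaneous" if overlaps else
                         "flapping" if handoffs >= flap_threshold else "normal")
    return verdicts

# Constructed sample rows (not from the thread), same layout as the log above.
SAMPLE = """\
Wed Sep 22 08:43:11 EDT 2010 Wed Sep 22 08:43:25 EDT 2010 user01 Doe, Pat CtrlA VLAN VLAN0501 192.0.2.10 02:00:00:00:00:01 0 0 0 0
Wed Sep 22 08:43:25 EDT 2010 Wed Sep 22 08:43:48 EDT 2010 user01 Doe, Pat CtrlB VLAN VLAN0501 192.0.2.10 02:00:00:00:00:01 0 0 0 0
Wed Sep 22 08:43:48 EDT 2010 Wed Sep 22 08:43:59 EDT 2010 user01 Doe, Pat CtrlA VLAN VLAN0501 192.0.2.10 02:00:00:00:00:01 0 0 0 0
Wed Sep 22 08:43:59 EDT 2010 Wed Sep 22 08:45:22 EDT 2010 user01 Doe, Pat CtrlB VLAN VLAN0501 192.0.2.10 02:00:00:00:00:01 0 0 0 0
Wed Sep 22 09:00:00 EDT 2010 Wed Sep 22 09:30:00 EDT 2010 user02 Roe, Sam CtrlA VLAN VLAN0501 192.0.2.11 02:00:00:00:00:02 0 0 0 0
Wed Sep 22 09:10:00 EDT 2010 Wed Sep 22 09:20:00 EDT 2010 user02 Roe, Sam CtrlB VLAN VLAN0501 192.0.2.11 02:00:00:00:00:02 0 0 0 0
Wed Sep 22 09:00:00 EDT 2010 Wed Sep 22 09:40:00 EDT 2010 user03 Poe, Lee CtrlA VLAN VLAN0501 192.0.2.12 02:00:00:00:00:03 0 0 0 0
""".splitlines()
print(classify(SAMPLE))
```
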
Guru Elite
Posts: 20,585
Registered: ‎03-29-2007

Open a case

I suggest that you open a case with Aruba support so that they can peel back the layers of your design so that you can achieve a favorable result. Your solution, due to the Bradford component, is not simple and would require you to divulge a lot of personally identifiable information about your clients. We probably would not be able to do that in this forum, so I suggest you open a case.


Colin Joseph
Aruba Customer Engineering
