Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Running out of IPs on Guest Network 3600 Controller

  • 1.  Running out of IPs on Guest Network 3600 Controller

    Posted Jul 23, 2018 11:48 PM
    My company has 50 locations on our MPLS network, all with multiple APs. All APs have 2 SSIDs for users to connect to. One SSID is for Employees and one is for Guests. The APs register to a 3600 controller in our data center, and the 3600 controller is also the gateway for Guest wifi traffic. The gateway on the controller is a /22 network and has 1024 IP addresses for our guests to use.

    We are having an issue now because all of the addresses are getting leased to guest users and we now need more IP addresses to hand out to guests. We are not certain that lowering the network mask to a /21 is the answer because of all the broadcast traffic on such a large domain. Another factor to mention is that our Guest SSID creates a GRE tunnel back to the 3600 controller, and all guest traffic at all 50 locations goes through the tunnels as well.

    Can someone please guide me on where to start combating this issue? In my mind I want to create another /22 network gateway on the 3600 controller and have 25 sites build GRE tunnels to the existing /22 gateway and 25 sites build tunnels to the new /22 gateway, and all guest traffic would go through the tunnels and back to the controller.

    I am hesitant to start planning this design because I am not certain this can be done or how to configure it or if there is a better way that I am not aware of. Can someone help me out?


  • 2.  RE: Running out of IPs on Guest Network 3600 Controller

    EMPLOYEE
    Posted Jul 24, 2018 06:35 PM

    First thoughts ... what is your DHCP lease time for the guest network? Could that be shortened in order to turn over leases more quickly for the drive by and short term visitors?


    Do you have broadcast filtering enabled? Depending on the other traffic on the guest network, setting it to broadcast-filter all should help control the broadcasts you're concerned about with the larger subnet.


    Ultimately, what traffic do you need to support for guests? Any peer-to-peer or mDNS traffic? You could separate your 50 sites across multiple AP Groups, so that some sites point guest to vlan 100 on the controller, others to vlan 101, then 10n+1, etc. This would use a different VAP profile for each AP Group, but is possible. Keeping the existing design for the quickest resolution, I would investigate the current DHCP lease times and shorten them to ~6-8 hours if not already there.



  • 3.  RE: Running out of IPs on Guest Network 3600 Controller

    Posted Jul 24, 2018 07:59 PM
    Good points. Our lease time is 5 minutes for the entire /22 subnet. This is the lowest we can configure it. Pretty much web traffic only goes through all our guest networks. Maybe some webmail also. Where would the broadcast filter get placed in the config?

    I assume that if a guest device sends a DHCP discover message, it would only go to a specified DHCP server address via the GRE tunnel rather than hit every device on the /22 subnet at all 50 locations? I would be very interested in learning how that works & how to configure both solutions if you could pass along a document? Thanks.


    Sincerely,

    Mario Marquez


  • 4.  RE: Running out of IPs on Guest Network 3600 Controller

    Posted Jul 24, 2018 08:18 PM

    Something else to keep in mind. I doubt this is your case - but interesting nevertheless! Any "interesting" MAC addresses showing up on your guest network? Had a fun situation a couple of years ago when we upgraded our Access Points to Aruba at a farm location. Saw a few hundred sequential MAC addresses popping up on the guest network as "Ezurio", did some research, and several folks were positive: "oh yeah, that's a classic DHCP exhaustion attack". Then I found one person that commented "are you near any rural areas/train tracks/highways?" Turns out some cargo trains and trucking companies contain inventory devices that will automatically connect to any open network. About 700 unique devices showing up on the guest network over a period of a few days (maybe 10 or so an hour). I finally caught one in the act: it auto-connects to an open network and attempts to establish a VPN connection for Omnitracs.com -> mcp200-ssl-lv2.omnitracs.com

    Some companies got around this by blacklisting that DHCP prefix of Ezurio - although I've seen that manufacturer used in IoT devices such as a Proteus Sensor.


    Interesting/Humorous Links:

    https://community.ubnt.com/t5/UniFi-Wireless/BIZARRE-unidentified-wireless-client-issue/td-p/909536
    https://forum.mikrotik.com/viewtopic.php?f=2&t=76847
    https://www.mail-archive.com/af@afmug.com/msg23985.html
    https://www.lairdtech.com/News

    [Attachment: WeeFee-Storm-DoS.png]
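The "few hundred sequential MAC addresses from one vendor" pattern in the post above is something a defender can check for mechanically in the DHCP lease log before deciding whether the pool is genuinely full or being consumed by a fleet of look-alike clients. The following is an added example written for this thread, not code from HPE Aruba or from the poster: the log lines are constructed in a made-up "<timestamp> DHCPACK <ip> <mac>" shape, the bursting OUI 02:aa:bb is a locally-administered placeholder rather than any real vendor's prefix, and the window and threshold values are assumptions to tune per site.

```python
"""Flag bursts of DHCP clients that share one MAC OUI (vendor prefix).

Added example, not HPE Aruba or poster code. Log format, OUI 02:aa:bb,
window and threshold are all constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one vendor prefix takes eight sequential addresses
# inside 20 minutes (one of them renews once); three unrelated clients.
SAMPLE_LOG = """\
2018-07-24 08:00:05 DHCPACK 10.20.0.11 02:11:22:9f:3a:01
2018-07-24 08:00:41 DHCPACK 10.20.0.12 02:aa:bb:00:00:01
2018-07-24 08:03:12 DHCPACK 10.20.0.13 02:aa:bb:00:00:02
2018-07-24 08:05:50 DHCPACK 10.20.0.14 06:33:44:c0:ff:ee
2018-07-24 08:06:02 DHCPACK 10.20.0.15 02:aa:bb:00:00:03
2018-07-24 08:09:30 DHCPACK 10.20.0.16 02:aa:bb:00:00:04
2018-07-24 08:12:17 DHCPACK 10.20.0.17 02:aa:bb:00:00:05
2018-07-24 08:14:44 DHCPACK 10.20.0.18 02:aa:bb:00:00:06
2018-07-24 08:17:09 DHCPACK 10.20.0.19 02:aa:bb:00:00:07
2018-07-24 08:19:55 DHCPACK 10.20.0.20 02:aa:bb:00:00:08
2018-07-24 08:20:10 DHCPACK 10.20.0.12 02:aa:bb:00:00:01
2018-07-24 08:21:00 DHCPACK 10.20.0.21 0a:55:66:12:34:56
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DHCPACK \S+ "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})$"
)


def parse_lines(text):
    """Return [(timestamp, mac)] for every line matching the constructed format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["mac"].lower()))
    return events


def oui(mac):
    """First three octets of a colon-separated MAC, e.g. '02:aa:bb'."""
    return mac[:8]


def mac_int(mac):
    return int(mac.replace(":", ""), 16)


def sequential_fraction(macs):
    """Fraction of adjacent (sorted, distinct) MAC values that differ by exactly 1.
    Close to 1.0 means the addresses were handed out from one consecutive batch."""
    vals = sorted({mac_int(m) for m in macs})
    if len(vals) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(vals, vals[1:]) if b - a == 1)
    return steps / (len(vals) - 1)


def find_oui_bursts(events, window=timedelta(minutes=60), threshold=5):
    """Return {oui: (peak_distinct_macs, sequential_fraction)} for every OUI
    that had at least `threshold` distinct MACs active inside one window."""
    by_oui = defaultdict(list)
    for ts, mac in sorted(events):
        by_oui[oui(mac)].append((ts, mac))

    bursts = {}
    for prefix, items in by_oui.items():
        # Sliding window over time-ordered events, counting distinct MACs so
        # that a renewing client is not counted twice.
        seen = defaultdict(int)
        start = peak = 0
        for ts, mac in items:
            seen[mac] += 1
            while items[start][0] < ts - window:
                old = items[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            peak = max(peak, len(seen))
        if peak >= threshold:
            bursts[prefix] = (peak, sequential_fraction(m for _, m in items))
    return bursts


if __name__ == "__main__":
    for prefix, (count, seq) in find_oui_bursts(parse_lines(SAMPLE_LOG)).items():
        print(f"OUI {prefix}: {count} distinct clients in window, "
              f"{seq:.0%} of addresses consecutive")
```

A high distinct count with a sequential fraction near 1.0 is the signature described in the post; the sequential check separates a batch of factory-programmed devices from an ordinary crowd of phones that happen to share a popular vendor prefix.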



  • 5.  RE: Running out of IPs on Guest Network 3600 Controller

    EMPLOYEE
    Posted Jul 25, 2018 10:23 AM

    5 minutes is probably way too short. Clients will be attempting to re-IP roughly every 2.5 minutes, so having the lease that short is increasing the amount of DHCP traffic happening in the background.


    The DHCP discover message is a broadcast, so how it propagates will depend on how/if you have broadcast filtering enabled on the VAP. DHCP renewals (which should be the majority of your traffic, unless guest connections are typically < 2 minutes in duration) will be unicast to the original DHCP assigning server, and revert back to broadcast if renewal fails.


    That said, if you're cycling out IP allocations every 5 minutes and still running out of IPs, then you're on the right track to increase the number of available IPs either through increasing the scope from /22 to /21, or by splitting the sites across different /21s.
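The trade-off running through replies 2 and 5 (a shorter lease turns addresses over faster but multiplies renewal traffic, and no lease time helps once clients stay longer than the lease) can be put into numbers with a small model. The following is an added example written for this thread, not code from HPE Aruba or from any poster. It assumes clients renew at T1 = 50% of the lease, a client that walks away stops renewing and its last lease is held until it expires (no DHCPRELEASE), a usable pool of 1000 addresses out of the /22, and a constructed workload of 300 guest arrivals per hour each staying 30 minutes; all of those are assumptions, not figures from the thread.

```python
"""Model how DHCP lease time and guest dwell time drive pool occupancy.

Added example, not HPE Aruba or poster code. Assumptions: renewal at
T1 = lease/2 while the client is present, no DHCPRELEASE on departure,
and a constructed steady arrival workload.
"""
import heapq
import math


def lease_footprint(arrival_s, dwell_s, lease_s):
    """Return (release_time, renewals) for one guest session.

    The client renews at every T1 (= lease/2) while present; the lease
    acknowledged last keeps the address busy for a full lease after that.
    """
    t1 = lease_s / 2
    renewals = math.floor(dwell_s / t1)
    last_ack = arrival_s + renewals * t1
    return last_ack + lease_s, renewals


def simulate_pool(pool_size, lease_s, sessions):
    """Run sessions [(arrival_s, dwell_s)] against a pool and report
    peak concurrent leases, arrivals refused because the pool was full,
    and total renewal messages generated."""
    expiries = []  # min-heap of release times for leases currently held
    peak = refused = renewals_total = 0
    for arrival_s, dwell_s in sorted(sessions):
        # Free every lease that has run out before this arrival.
        while expiries and expiries[0] <= arrival_s:
            heapq.heappop(expiries)
        if len(expiries) >= pool_size:
            refused += 1  # DHCPDISCOVER with no address to offer
            continue
        release, renewals = lease_footprint(arrival_s, dwell_s, lease_s)
        heapq.heappush(expiries, release)
        renewals_total += renewals
        peak = max(peak, len(expiries))
    return {"peak_leases": peak, "refused": refused, "renewals": renewals_total}


def steady_arrivals(rate_per_hour, dwell_s, hours):
    """Constructed workload: evenly spaced arrivals, identical dwell time."""
    gap = 3600 / rate_per_hour
    return [(i * gap, dwell_s) for i in range(int(rate_per_hour * hours))]


def compare_lease_times(pool_size, sessions, lease_options):
    """Same workload under each candidate lease length."""
    return {lease: simulate_pool(pool_size, lease, sessions) for lease in lease_options}


if __name__ == "__main__":
    workload = steady_arrivals(rate_per_hour=300, dwell_s=30 * 60, hours=4)
    for lease, result in compare_lease_times(1000, workload, [300, 3600, 8 * 3600]).items():
        print(f"lease {lease:>6}s: {result}")
```

Under this workload the 5-minute lease keeps peak occupancy at 175 addresses but generates 14,400 renewals in four hours, a 1-hour lease needs 450 addresses for 1,200 renewals, and an 8-hour lease fills the 1000-address pool and refuses 200 arrivals without a single renewal; the pool that is actually needed is roughly arrival rate times the longer of dwell time and lease time, which is the sizing question the thread is circling.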