Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Guest running out of IPs

  • 1.  Guest running out of IPs

    Posted Jun 25, 2014 10:34 AM

    Since we updated to the 6.3.1.2 code, we have to keep an eye on the DHCP leases. Currently we have it set to 1 hour lease time and global idle timeout at 450 seconds and the DHCP server is from the controller (6000/M3). For example, I run show ip dhcp statistics and it shows that there are 143 active leases. Then I run show ap essid, and it shows that there are 71 clients on the guest. I have run aaa user delete role role_name and clear ip dhcp binding to clear everything. TAC said to add aaa fast-age to the configuration, which I have done along with lowering the global idle-timeout and lease times to their current levels.

     

    The most guest devices we have had in one day is 110. I am looking to see what can be done to clear the bindings that have not been used for an amount of time other than the global idle-timer only release the bindings for these devices. Or can the controller run a clear ip dhcp bindings when free leases get to a certain number?



  • 2.  RE: Guest running out of IPs

    Posted Jun 26, 2014 12:07 PM

    I know that the M3 is able to handle 512 DHCP leases. I have (2) 256 DHCP Pools on it. One pool is for Guest and the other is for APs to fail over to when the other controller goes down. Could I oversubscribe the Guest DHCP pool to 512 and keep the AP failover set to 256, because the AP pool is not used until we do an upgrade? Would this be possible?



  • 3.  RE: Guest running out of IPs

    Posted Jun 26, 2014 12:27 PM

    jcameron,

     

    Your long-term solution is an external DHCP server. If you need redundancy, it is cutting your already limited space into two; that is in addition to your clients not being able to keep the same IP addresses.

     

    You cannot set up any pools that would put the unused number of IP addresses over the limit.

     

    An external DHCP server is in your future, based on what you just described...



  • 4.  RE: Guest running out of IPs

    Posted Jun 27, 2014 08:32 AM

    Do you have a captive portal page on your guest network?

     

    We had capacity issues after we removed our captive portal. Mobile devices today try to connect to every open SSID they see & check if they have Internet access. This consumes a DHCP address. If you have a captive portal, the device appears to "give up" checking that SSID, at least for a period of time. We have found this has a large impact on DHCP address usage.



  • 5.  RE: Guest running out of IPs

    Posted Jun 27, 2014 08:34 AM

    bosborne,

     

    What lease time did you settle on?

     



  • 6.  RE: Guest running out of IPs

    Posted Jun 27, 2014 08:40 AM

    Are you using ClearPass? You can add some logic that puts devices that normally connect to your secure 1X network into a denyall role if they connect to your open/guest network, which will deny them from getting a DHCP address.



  • 7.  RE: Guest running out of IPs

    Posted Jul 03, 2014 12:33 PM

    No, we are not using ClearPass.

     

    Bosborne - we are using a captive portal page. But I have noticed the Apple devices will stay at the page, because the device is set to ask to join network, which takes an IP away from the pool.