Wireless Access

  • 1.  Help tracking down problematic traffic

    Posted Aug 22, 2024 02:17 PM

    We recently had a problem show up where some broadcast traffic (DHCP, ARP, and IGMP) is being sent from our router's MAC address to the ethernet broadcast address, but not from our router, and only on one single VLAN. I used switch logs and MAC tables to track the traffic to one of our wireless controllers, but am struggling to track it further than that. We have a cluster of two 7220 controllers. The controllers don't seem to have any comprehensive MAC address table, and the router's MAC isn't showing up as a client. How can I figure out what the actual source of this unwanted traffic is?



  • 2.  RE: Help tracking down problematic traffic

    Posted Aug 23, 2024 03:31 AM

    General suggestion (please refer to the appropriate AOS CLI Reference Guide for exact syntax):

    It sounds like we're interested in identifying the ingress 'port' of the SRC_MAC?

    On the controller/MD/BGW:

    The datapath has built-in firewall traffic thresholds (see "show firewall | inc Rate"); if these are policing, that is a great indication of potential problems.

    show datapath bwm

    show datapath debug dma  (ideally counts are zero)

    show datapath cp-bwm table

    If IGMP is enabled on the controller VLAN:

    show ip igmp group, then "show ip igmp group maddr x.x.x.x"

    show datapath bridge (this is the L2 MAC forward table) - should reveal where the SRC_MAC is learned/ingressing.

    show datapath frame spoofed-macs

    If one has an idea of the actual traffic being sent, or to be sent, a packet-capture at the controller is helpful (see the CLI Reference Guide, 'packet-capture').



    ------------------------------
    Shawn Adams
    ------------------------------



  • 3.  RE: Help tracking down problematic traffic

    Posted Aug 23, 2024 03:46 PM

    Thanks, those are some really useful commands! Unfortunately they haven't helped too much in this instance. It isn't showing up as a spoofed MAC, and the datapath bridge L2 MAC table always shows it on the controller's uplink because it always gets immediately overwritten by legitimate packets from the router. Is there any way to turn on any sort of MAC flap logging?
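Added example, not part of the thread and not from either poster: since the bridge table entry is overwritten as soon as the real router speaks, a one-off "show datapath bridge" will almost never catch the rogue ingress port, and neither poster mentions a built-in MAC-move log on AOS. The script below does the MAC-flap accounting yourself over a time-ordered feed of learn events. The feed is assumed to be something you collect (repeated polls of the bridge table, or a packet capture filtered on the router's source MAC where the ingress interface is recorded); parsing real AOS output is not shown, and the MAC, port names and timestamps are constructed for the demo.

```python
"""Track where a given source MAC is seen entering a bridge, and report moves.

Input is a list of (timestamp_seconds, src_mac, ingress_port, protocol)
tuples. How you obtain them (polling, capture) is up to you; the sample
below is constructed and the port names and MAC are hypothetical.
"""
from collections import Counter, defaultdict

# Constructed sample feed: the "router" MAC legitimately lives on GE0/0/0,
# but DHCP/ARP/IGMP frames with the same source MAC keep arriving through an
# AP tunnel and are immediately masked by genuine router traffic on the uplink.
SAMPLE_EVENTS = [
    (0.00, "00:1A:2B:3C:4D:5E", "GE0/0/0", "IP"),
    (0.10, "00:1a:2b:3c:4d:5e", "GE0/0/0", "ARP"),
    (0.25, "00:1a:2b:3c:4d:5e", "tunnel 17", "DHCP"),
    (0.26, "00:1a:2b:3c:4d:5e", "GE0/0/0", "IP"),
    (0.90, "00:1a:2b:3c:4d:5e", "tunnel 17", "ARP"),
    (0.91, "00:1a:2b:3c:4d:5e", "GE0/0/0", "IP"),
    (1.50, "aa:bb:cc:dd:ee:01", "tunnel 17", "DHCP"),   # an ordinary client
    (2.00, "00:1a:2b:3c:4d:5e", "tunnel 17", "IGMP"),
    (2.01, "00:1a:2b:3c:4d:5e", "GE0/0/0", "IP"),
]


def normalize_mac(mac):
    """Canonical lower-case aa:bb:cc:dd:ee:ff form, accepting upper-case,
    dashed (aa-bb-...) and Cisco-style dotted (aabb.ccdd.eeff) input."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_moves(events, mac):
    """Every change of ingress port for `mac`, as (timestamp, from_port, to_port).

    This is the 'MAC flap' record a switch would normally log for you."""
    mac = normalize_mac(mac)
    moves, last_port = [], None
    for ts, src, port, _proto in sorted(events, key=lambda e: e[0]):
        if normalize_mac(src) != mac:
            continue
        if last_port is not None and port != last_port:
            moves.append((ts, last_port, port))
        last_port = port
    return moves


def rogue_sources(events, mac, expected_port):
    """Ports other than `expected_port` that emitted frames sourced from `mac`,
    with a per-port count of which protocols came in that way."""
    mac = normalize_mac(mac)
    seen = defaultdict(Counter)
    for _ts, src, port, proto in events:
        if normalize_mac(src) == mac and port != expected_port:
            seen[port][proto] += 1
    return {port: dict(counts) for port, counts in seen.items()}


if __name__ == "__main__":
    router = "00:1a:2b:3c:4d:5e"
    for ts, frm, to in mac_moves(SAMPLE_EVENTS, router):
        print(f"{ts:6.2f}s  {router} moved {frm} -> {to}")
    print("unexpected ingress:", rogue_sources(SAMPLE_EVENTS, router, "GE0/0/0"))
```

The design point is the input, not the code: a bridge-table poll only catches the rogue port if the poll happens to land in the few milliseconds before the uplink entry is re-learned, so a capture filtered on the router's source MAC (with the ingress interface preserved, if your capture method records it) is the feed that makes `rogue_sources` reliable. Once it names the AP tunnel or port, the remaining work is on the AP side to find the client behind it.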