Wireless Access

I'm having issues with wireless connectivity. I'm seeing high RF capacity utilization (via Airwave) even on access points with very few users. And I'm also seeing dropped pings sent to internal IP addresses and inconsistently long ping times - even on access points with a direct line-of-sight to the client device and relatively few users connected. I suspect that broadcast/multicast may be eating up airtime since there are approximately 600 devices on a single subnet. BC/MC Optimization is already applied on the SSID. I'd like to just drop multicast and broadcast on the VAP - but it would break mDNS. I'd also like to implement VLAN pooling but our current network access control solution (we're getting Clearpass soon) relies on DHCP reservations - which could get messy if a MAC hashed to a different value because I needed to add another vlan to the pool. What are my options? Drop multi and broadcasts and implement AirGroup? Or am I barking up the wrong tree and there may be something else that could be causing poor connectivity?

Turn on Drop Broadcast and Multicast on all of your Virtual APs.

Turn on Airgroup.

Have an Iced Tea.

 

Ok, I'm ready for my iced tea, but...

 

I've turned on Airgroup, I'm ready to drop broad/multicast on the VAPs... so I go to the global settings on the stateful firewall to check Broadcast-filter ARP and... there's no checkbox! Is there something I'm missing? I enabled 'Drop Broadcast and Multicast' on the master controller and pushed it to the local just to see if the checkbox would appear - but no joy.

 

Any ideas? I'm guessing this is something simple that I'm missing. The Broadcast-filter ARP checkbox is AWOL on both the master and local.

 

 

 

That parameter is located in the Virtual AP profile.

Ok, but the warning I get when enabling 'Drop Broadcast and Multicast' is:

 

Warning: broadcast-filter arp should be enabled with this option. Otherwise ARP requests will be dropped!

 

Per the user guide, I thought this was done globally on the stateful firewall:

 

Select the Drop Broadcast and Multicast checkbox to filter out broadcast and
multicast traffic in the air.
Do not enable this option for virtual APs configured in bridge forwarding mode. This
configuration parameter is only intended for use for virtual APs in tunnel mode. In
tunnel mode, all packets travel to the controller, so the controller is able to drop all
broadcast traffic. When a virtual AP is configured to use bridge forwarding mode, most
data traffic stays local to the AP, and the controller is not able to filter out that
broadcast traffic.
IMPORTANT: If you enable this option, you must also enable the Broadcast-Filter
ARP parameter in the stateful firewall configuration to prevent ARP requests from
being dropped. To enable this setting:
1. Navigate to Configuration > Stateful Firewall.
2. Click the Global Setting tab.
3. Select the Broadcast-Filter ARP checkbox.
4. Click Apply to save your settings before you return to the Virtual AP Profile.
Note also that although a virtual AP profile can be replicated from a master controller
to local controllers, stateful firewall settings do not. If you select the Drop Broadcast
and Multicast option for a Virtual AP Profile on a master controller, you must enable
the Broadcast-Filter ARP setting on each individual local controller.

 

But the checkbox is missing although the parameter is present:

 

 

---

@ak74 wrote:

Ok, but the warning I get when enabling 'Drop Broadcast and Multicast' is:

 

Warning: broadcast-filter arp should be enabled with this option. Otherwise ARP requests will be dropped!

---

that is a warning that always appears even when you have that setting turned on, would be nice if it gets check before the message is shown.

Do not touch the globsl settings. Make sure it is enabled on the virtual ap profile, as indicated in the screenshot.

Looks good - I enabled as suggested and ARP still works:

 

C:\Users\ak74>arp -d

C:\Users\ak74>arp -a
No ARP Entries Found.

C:\Users\ak74>ping 172.16.0.1

Pinging 172.16.0.1 with 32 bytes of data:
Reply from 172.16.0.1: bytes=32 time=3ms TTL=64
Reply from 172.16.0.1: bytes=32 time=1ms TTL=64
Reply from 172.16.0.1: bytes=32 time=1ms TTL=64
Reply from 172.16.0.1: bytes=32 time=1ms TTL=64

Ping statistics for 172.16.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 3ms, Average = 1ms

C:\Users\ak74>arp -a

Interface: 172.16.6.118 --- 0xe
  Internet Address      Physical Address      Type
  172.16.0.1            00-17-c5-99-a1-f0     dynamic

 

So why does the User Guide for 6.3 suggest differently? Does converting broadcast ARP to unicast on the VAP trump the global Broadcast-filter ARP setting?

Trumps the Global Setting.