Wireless Access

Hi,

Can anyone tell me if it's possible to packet capture a wired port on an AP please? 

I'm trying to understand what is causing this traffic pattern. The port is in tunnelled mode and the issue has been seen on multiple wired ports.Wired port last 5 daysWired port last day

Thanks in advance,

Eleanor

I'm pretty confident that this is not possible at this time. You can run packet captures from the AP for data in the Air, but not on the APs wired port.

it is possible to capture AP wired port traffic (ap packet-capture wired-start and co.), but there are some caveats... Before we get to that, is this a RAP network with wired port per RAP ?

Thanks...it's not a RAP, just a campus AP (303h) with a wired port enabled.

ok, then the packet capture should work without too much trouble, the AP will send to the capture destination directly via eth0, and via its default route if required.

if you have a large number of AP wired enet ports enabled, please consider to enable "bcmc-optimization" on the controller vlan interfaces of the vlan(s) hat are being sent to the APs. If there is no l3 vlan iface on the controller for those vlans (eg. l2 only) create one, and then enable bcmc-opt on it.

bcmc-optimization will stop the flooding of L2 traffic from the controllers LAN side into the tunnels that go to the AP enet ports. This can have adverse affects on legit mcast or bcast traffic, so make sure you assess the impact before enabling it.

Do we need to have l3 on the vlan interface for the bcmc-optimization to take effect? Historically we had this but were advised by tac to remove the addresses to resolve another issue we were seeing

How do I invoke a packet capture on the wired port?

Thanks

---

@emm502 wrote:

Do we need to have l3 on the vlan interface for the bcmc-optimization to take effect?

Thanks

---

yes. with wired ports operating in tunnel mode it's bordering on mandatory. If they are in bridge mode then it is not required (i forgot to ask this before).

---

@emm502 wrote:

Historically we had this but were advised by tac to remove the addresses to resolve another issue we were seeing

---

Do you have a case number for that ?

---

@emm502 wrote:

How do I invoke a packet capture on the wired port?

---

https://www.arubanetworks.com/techdocs/ArubaOS_84_Web_Help/content/arubaframestyles/1commandlist/ap_packet_capture.htm

specifically: wired-start  and wired-stop, just run wireshark on the target. port number doesnt matter, choose something like 5555 or whatever, the target will generate icmp proto unreachable frames,just ignore those.

additionally, presuming these are tunnel mode ports, then do you see any corresponding spikes in the controller, both from a traffic perspective and also from "show datapath utilization" and "show datapath frame" (look for the 'flood frames' counter increasing rapidly (or more rapidly than normal))

Ok, thanks. Yes they are in tunnel mode, just to confirm - any vlan that is configured on a wired ap profile should have a l3 address on the vlan interface of the controller and bcmc-optimization enabled?

Yes, we are seeing corresponding spikes on the controller, it became noticeable more recently as we don't have a lot of users on campus at the moment.  Before covid-19, when usage was high, we were seeing spikes in the datapath cpu...I'm wondering now if it was related to this issue.

I can't find the case number I'm afraid and it was a former employee of the University that dealt with it.  From memory it was something to do with the controller policing vrrp packets.

Thanks again

---

@emm502 wrote:

any vlan that is configured on a wired ap profile should have a l3 address on the vlan interface of the controller and bcmc-optimization enabled?

Vlans tunneled to wired ports will replicate all L2 bcast and mcast that appears on the network, even things like STP BPDUs will be replicated to every AP that has that vlan tunneled. This can create a rapid increase in traffic should there be something generating a lot of bcast or mcast on the LAN side of the controller. It might also be that there is a loop (maybe) where some AP enet port ultimately reaches back to the same networks as the controller.

This may be unintentional, especially if sharing VLANs between wired and wifi, where sometimes client devices do odd things and copy packets between wired and wireless - this is not without precedent.

It is true that bcmc opt will prevent vrrp from flooding, but I don't think there should be a case where some user side wired VLAN should be needing VRRP.

Perhaps you can look to start collecting "show datapath util" and "show datapath frame" with airrecorder, then during the next spike, correlate it with the stats captured by airrecorder ?

The periodic nature of the spike is interesting, what is the actual time in between spikes in the 1day view and does it consistently happen between the same hours of the day (and what of after hours, weekends etc.)?

Ok...I did wonder if it was a loop somewhere but couldn't quite work out how that could be, however, the vlan is shared with wifi clients.

The times it happens aren't consistent but when it does happen there seems to be a period of exactly 15 minutes when the port goes quiet and then the traffic starts again.

I think I have a few things to go on here...thanks for your help.