RE: WLC & ARP

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Wed, 26 Oct 2011 18:13:00 +0000

Joe,

I can offer some insight and if necessary run some debugs right now on a real network to determine this for you.

First, re:

>Looking on my L3 switch connected to the AP, it definitely has all the IP/MAC pairings of the wireless clients; I'm just wondering how they got there.

In many implementations the L3 switch is the DHCP server... I almost NEVER use the WLC as the DHCP server, as I had some issues with this, and I like to keep it all on the switch for both the clients and the APs themselves, receiving option 43 as an IP address. So if the wireless client takes a DHCP lease, for at least the ARP timeout period (14400, etc.) it's going to be in the ARP table... Of course, just like on any wired switch, clients need only send 1 frame per 300 seconds to remain in the CAM table. With the dozen or so protocols running by default on Windows 7 and Mac OS X, it is pretty easy to do this.

So back to your core question: does the WLC scope the ARP broadcast to 1 AP (perhaps based on authentication cache, 802.1X MAC entry, etc.) or must it forward it each time to all APs?

I cannot log in to the APs and do debugs in LWAP mode, so I propose this test:

1. I'll associate 2 laptops with 2 different APs on the same WLAN managed by a WLC, giving them both static IP addresses.
2. One laptop will have a SECONDARY IP address (and therefore will not source any Microsoft Windows 7 multicast discovery packets or anything else from this address).
3. I'll run Wireshark on both laptops in promiscuous mode, etc.
4. I'll ping the one laptop's SECONDARY IP ADDRESS from the layer 3 switch (which is also the DHCP server for the segment, although again the laptops will not be doing DHCP).
5. I'll advise if I see the ARP broadcast on one or both laptops. (This is our control for when the IP-to-MAC mapping cannot be "known" ahead of time, as in the case of DHCP snooping, but using a wireless authentication protocol that may keep MAC-to-IP info cached on the WLC and one or more APs for roaming.)
6. Next, to determine if the WLC can actually scope ARP broadcasts if the MAC is "KNOWN" (by any method), wait 600 seconds for my L3 switch ARP timeout and ping laptop A, while running Wireshark on laptop B.
7. If I DO NOT see the ARP BROADCAST on laptop B, the WLC obviously scoped the ARP broadcast to only the AP where laptop A was registered.

Thoughts?

-Joe

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Joe Astorino
Sent: Wednesday, October 26, 2011 1:36 PM
To: Groupstudy
Subject: OT: WLC & ARP

I have been searching on this topic for a while but can't find a specific
answer. Does anybody know how a Cisco WLC handles ARP broadcasts for
wireless clients? Let's say a user on the wired network wants to talk to a
wireless client. You have a WLC connected to a L3 switch somewhere in your
infrastructure and several LWAPs. The packet gets routed to the L3 switch,
and the L3 switch has a directly connected L3 interface for the client where
the WLC lives. At this point the L3 switch does an ARP broadcast to find
the MAC address of the wireless client. That broadcast gets to the WLC --
Now what?

It doesn't seem to make sense that the WLC would forward the ARP broadcast
over an LWAP tunnel to EVERY access point and that the access points would
then forward it to every client. So, what happens? Is it some sort of
proxy-ARP-ish type thing the WLC does? Things I have read so far seem to
indicate that the WLC answers the ARP request with the MAC of the client, as
it knows the MAC from when the client associated with the remote AP, but I
can't find anything that specifically confirms this.

Anybody know? Looking on my L3 switch connected to the AP, it definitely has
all the IP/MAC pairings of the wireless clients; I'm just wondering how they
got there. Thanks!

-- 
Regards,
Joe Astorino
CCIE #24347
Blog: http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
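The seven-step test proposed in the reply above ends with comparing two Wireshark captures, so here is a small, added helper (not from either poster) that decodes raw Ethernet/ARP frames and classifies the outcome of steps 6 and 7: the WLC either scoped the switch's ARP request to laptop A's AP, flooded it to both, or it never reached the wireless side at all. The MACs, IPs and captured frames are constructed sample data, not from a real network.

```python
import struct

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
BCAST = b"\xff" * 6
ETHERTYPE_ARP, ETHERTYPE_IPV4, ARP_REQUEST = 0x0806, 0x0800, 1

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def build_arp_request(src_mac, sender_ip, target_ip):
    """Constructed sample frame: a broadcast 'who-has target_ip' from sender_ip."""
    body = ARP.pack(1, ETHERTYPE_IPV4, 6, 4, ARP_REQUEST,
                    src_mac, ip_bytes(sender_ip), b"\x00" * 6, ip_bytes(target_ip))
    return ETH.pack(BCAST, src_mac, ETHERTYPE_ARP) + body

def arp_request_target(frame):
    """Return the dotted target IP if frame is a broadcast ARP request, else None."""
    if len(frame) < ETH.size + ARP.size:
        return None
    dst, _src, etype = ETH.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP or dst != BCAST:
        return None
    htype, ptype, hlen, plen, op, _sha, _spa, _tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen, op) != (1, ETHERTYPE_IPV4, 6, 4, ARP_REQUEST):
        return None
    return ".".join(str(b) for b in tpa)

def classify_arp_scope(target_ip, capture_a, capture_b):
    """Steps 6-7: compare what each laptop saw for the switch's ARP request for laptop A."""
    seen_a = any(arp_request_target(f) == target_ip for f in capture_a)
    seen_b = any(arp_request_target(f) == target_ip for f in capture_b)
    if seen_a and not seen_b:
        return "scoped"      # only laptop A's AP received the broadcast
    if seen_a and seen_b:
        return "flooded"     # WLC forwarded it to every AP
    if not seen_a and not seen_b:
        return "not-seen"    # answered upstream (proxy/cached entry) or never sent
    return "unexpected"      # seen on B but not on A: re-check the captures

# Constructed sample captures: switch 10.1.1.1 ARPs for laptop A at 10.1.1.50 (hypothetical values).
SWITCH_MAC = bytes.fromhex("001122334455")
OTHER_MAC = bytes.fromhex("66778899aabb")
NOISE = ETH.pack(BCAST, OTHER_MAC, ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 27  # non-ARP filler
CAPTURE_A = [NOISE, build_arp_request(SWITCH_MAC, "10.1.1.1", "10.1.1.50")]
CAPTURE_B = [NOISE]

if __name__ == "__main__":
    print(classify_arp_scope("10.1.1.50", CAPTURE_A, CAPTURE_B))  # -> scoped
```

To use it on a real run, export each Wireshark capture's raw frames (for example with a pcap reader) into the two lists in place of the constructed ones.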
Received on Wed Oct 26 2011 - 18:13:00 ART
