Wing Ap flood in vlan1 (controller vlan)

MrSurok
New Contributor

hello)
I have 200 ap310i access points and a stack of 2x VX9000. Initially, the access points and the controller were located in different VLANs, and a FortiGate was responsible for routing between them, and all of this is connected using X440-G2 switches. Access points were losing their adoption. The switches show a CPU utilization of about 70-90%, which indicates that the points exchange a lot of multicast traffic. At the same time, the mind diagnostics utility showed the recommended value of 1500, but at some point it wrote that mind is too small. Since this could be a consequence of the FortiGate's storm control on the points, I moved the access points and controllers to the same VLAN (and cleared the setting on interface vlan1). As a result, the virtual controller froze. The rest of the VMs are also bad. The question is: if there are 200 access points in one VLAN, how do I correctly limit their multiple requests to each other and to the controller?

1 ACCEPTED SOLUTION

Karol_Radosovsk
New Contributor III

Before diggin' into the WING system, I would strongly recommend to get acquainted with the "golden cookbook of the WING" - the Best Practices document available to download, for example, here: https://documentation.extremenetworks.com/WiNG/Implementation_Guides/WING5X_Reference_Best_Practices...

The part, which deserves most attention by far is the design & architecture based on the proper use of the MINT protocol and its levels and how it works together with the concept of RF-domains and L2/L3 communication between the APs and towards the controller.

By design, VX9000 should not be used for a Mint Level 1 (MAC/L2) AP adoption, the more so if there are more than 100 APs in one broadcast/rf-domain. Even if they share the same VLAN (this should be avoided, but nevertheless...), the MINT MLCP VLAN setting should be disabled to allow for L3 (IP) adoption only. As a result, only 1 AP (the RF-domain manager) will keep its L3/IP (Mint Level 2) link active and talk to the VX alone on behalf of all other APs. They should then keep all their Mint Level 2 links inactive. If the VLAN/RF-domain works incorrectly, the APs will end up in a never-ending election of the rf-domain manager, which, as a result, can make the whole network not work as desired (or malfunction at all).

Usually the VX (or a cluster of multiple VX, not a "stack") resides somewhere in a DMZ and should be accessible from the control VLANs (sites), where the APs reside, only by a routed (L3) connection. On the LAN (switches) side, it is a best practice that the control VLAN is the native (untagged) VLAN and all other VLANs used for client traffic are tagged. This of course needs to be done on a "mirror" principle - the same in the APs as it is on the switches. These are all things which someone who manages a WING system should understand.


4 REPLIES 4

Thank you very much. This document describes very well what I needed. It took some time to correct the routing on the network. The confusion of policies led to strange routes. After setting up the routing, setting up the access points and controller was a fairly simple task, given the knowledge gained from this document and your explanation. There are still a few issues left with a few points, but that's another topic.

ckelly
Extreme Employee

Was there ever a point where the APs were not losing their adoptions? Is this a new problem that started or has it always been occurring?

Inter-AP traffic should be limited. There is control traffic between APs though (the MINT protocol) that is needed.

You say that you have a cluster of VX9000 controllers, but then later mention a 'virtual controller'. This is something completely different than the VX9000. Do you actually have a virtual controller in use?

What are these 'rest of the VMs' that are 'also bad'?

To know how best to configure the system, we would need more information about how the controller and APs are deployed...and also would likely need to see the current configuration on the controller.

MrSurok
New Contributor

Yes, the access points worked a while ago. The problem was in the routing between virtual networks. Everything worked out; I chose the IP adoption scheme, where the controller acts as the adoption manager and the RF domain manager. Access points receive information from DHCP option 192, and the adoption information is also duplicated in the profile. Also, I used the RF domain manager selection priority settings, and lowered the MTU to 1300. And I limited flood control for the access points on the switch ports.
Can you tell me where I can read more about how the RF domain works?
