FDB Table increasing on Wireless controller port of 8600

[BobB]

We have two Enterasys Wireless Controller's  controlling approximately 300 AP's and  400 Wireless Clients (split  between the  two  controllers).  Recently after  a failover  when  all  AP's shift  to  one controller or the  other, when  we push  the  AP's  back  to  their  home controller the  8600 begins enumerating  MAC  acddresses in its FDB for  the  controllers port at  a rate  of  10-15  per second. It  continues until getting  literally  up  to 4500 MAC on  the  port. The  increase is all on the  default  VLAN.  We can  only  stop  it  by  rebooting  the  Enterasys Controller and leaving  all  of  the  AP's  and  clients  on one or  the  other.  When we look  at  the  Enteraysy controllers FDB it  has only  150  entries.  if  all of  the  tagged VLAN wireless clients are being  duplicated, that would still only be 400 MACS.  MACS in the  table  appear  to  be coming  from other wired devices that  have  no  relation or contact  with  the  Wireless controller.  Anyone have any  thoughts how  it  is  getting  and  enumerating  these MACS?  This  happens on  either controller. Each  contoller is attached to different redundent 8600's.

[Dominik]

Hi Bobb,

can you provide the SW that is running on the ERS8600 and the modules that you have in the ERS8600.
How are the Enterasys wireless controller connected to the ERS8600 ?

Cheers

[BobB]

The  8600's are running 4.1.8.2 code. The Wireless controllers are connected via  Copper GBics to 8608GBE  blades.  Each  switch  has 4- 8608SXE  blades  and 4-8608GBE blades the switch  is  about  80%  populated, running S-SMLT's to  multiple closets.

[Dominik]

Wich wireless controllers from Enterasys do you use and how are they connected to the ERS8600 ?
Is any kind of link aggregation configured on the wireless controllers ?

Could you find out where these ~4500 MAC addresses should be learned correctly ?
Are this really existing MACs in your network or some unkown bulk MACs ?

[BobB]

We are using  the Enterasys C2400 Wireless controllers with  the  most  current  software 7.14.  The  Controllers are using  a single  Gb connection  to  the 8600.  Over  that  trunk there  are three Wireless VNS that  are  bridged at  the  controller the trunk  also  carries managment VLAN.  The  MACs all appear  to be valid  devices on  our  net.  What we see are duplicate  entries where the  same MAC appears on  two or more different VLANS. Doesn't  appear to be a MAC  flooding  attack because we can stop  it  by  warm  booting  either controller that  is  having  the  issue.  It only occurs when  we release the  access points  back  to  their  home controller.  If  the AP  is re-booted and not  pushed  and re-homes on  its  own, it  doesn't  appear to immediatly  start enumerating MACS.  I just trying  to  figure out  what  the  8600  is  seeing  that it  believes is a valid  FDB  entry.  A trace using  port  mirror doesn't  even  show  the bulk  of  the  MACS  navigating the port. 

[lsimonet]

Hi Bob,

I am sorry to hear you are having these issues but it does sound like an interesting problem.  I am not familiar with the Enterasys controllers but I was just wondering how the 2 controllers keep each other in sync?  Do they have a dedicated link between them or via the connection with the 8600s?

I am going to play Devil advocate here for a minute .....  The 8600s in question are currently running a version of code which is really no longer supported.  Yes I understad this has been working but quite clearly you seem to have come across something now which is not working as it should.

There has been a number of changes around the IST and Syncronisation of FDB put in place from v4.1 to v5.1 to improve stability and the issue you are discussing does sound like a problem in or around that area.

I am not suggesting that you should just upgrade to 5.1 but perhaps you should start considering the possibility.  Even more so if you can induce the problem at will.

If nothing else it would put you in a position where you could just Open a case with the Support Team at Avaya and not be told you are running on unsupported code....

L.



 

[BobB]

We have  the  8600 upgrade budgetted for  next  year. Since we are so  close to  the  end of  the  year and  really  have  a work around for  this  problem (Not  Split  the  AP's) we elected to  wait  until January  to  upgrade the 8600 hardware  and software.  Upgrading  to  an  8800.  I  was just  hoping  to  gain some insight  as to how  this  issue  can  occur.  We are going to put  a tap onto  the  connections  and see  if  there  is  Sniff information  that  we may  be  getting  dropped by  the  port  mirror.

The  two  Wireless controllers have  no  direct  link to  each  other and sync up  over their  respective 8600 connections.

We have  an  open ticket  with Avaya.  However, as you  said, since this  is  unsupported code we aren't  really  getting  any  tier two  support.  The  Enterasys engineers have never seen  this  issue  before and are really  hard pressed for an answer. 

Thank you  for  comments, and suggestions.

[Dominik]

Hi Bob,

I had a few years ago a similar problem with a Extreme Networks wirelss controller.
I think Extreme Networks, Siemens and Enterasys WLAn controllers are all the same boxes only with different Labels on it.

I had also the issue that MAC addresses where learned on the Uplink ports to the WLAN controllers that shouldnīt be learned on that port.
We couldnīt wait at the time for a SW fix in the next SW version, so I had to find out a workaround.
I moved the Uplinks from the Core to a stack with 2 ERS5520 Units and distributed the WLAN controller Uplinks to the 2 units.

That solved the problem in my case.

[BobB]

Interesting  thoughgt  we have a 5530 that  might  just  work  for  a test.  Thanks for  the  suggestion.