WLC Discovery via Broadcast

Original link: http://mrncciew.com/2013/05/04/wlc-discovery-via-broadcast/

As outlined in one of my previous posts (AP Registration), there are multiple methods (Broadcast, Static configs, DHCP option 43, DNS) available for a Lightweight Access Point (LAP) to discover a WLC. In this post we will see how the broadcast mechanism can be used for this.

After the LAP gets an IP address from the DHCP server, the LAP broadcasts a Layer 3 CAPWAP discovery message on its local subnet. Normally these broadcasts are limited to the local subnet, as they will not cross layer 3 boundaries. If you want to forward them to a particular WLC, you have to configure the WLC IP address with "ip helper-address" on the layer 3 interface the LAP is associated with. The L3 device then forwards these broadcasts, as unicasts, to the IP addresses configured with the ip helper-address command on the interface on which the broadcast is heard.

When you use the ip helper-address command, directed broadcasts (as well as unicasts) for eight UDP ports are forwarded automatically. Those ports are:

1. Trivial File Transfer (TFTP) (Port 69)
2. Domain Name System (Port 53)
3. Time Service (Port 37)
4. NetBIOS Name Server (Port 137)
5. NetBIOS Datagram Server (Port 138)
6. Boot Protocol (BOOTP) Client (Port 67)
7. Boot Protocol (BOOTP) Server (Port 68)
8. TACACS service (Port 49).

Since CAPWAP control uses UDP port 5246, it must be explicitly forwarded on the router. You have to use the "ip forward-protocol udp <port-no>" CLI command for this. Here is our test setup.

[Image: WLC-Discovery-Broadcast-00 (test setup diagram)]

CAT2 and CAT4 have a layer 3 link between them. The LAP connected to CAT4 is configured to obtain its IP address from a Microsoft DHCP server. The only options provided are the IP address and default gateway (no DNS or Option 43). We will use the broadcast forwarding method to register this AP to WLC1, which is connected to CAT2.

Here is the basic config of CAT2 for VLAN 121, where the AP is connected.

interface Vlan121
 description MOLWAP1
 ip address 10.10.121.193 255.255.255.192
 ip helper-address 192.168.200.1
!
interface FastEthernet1/0/3
 description TEMP-LWAP-03
 switchport access vlan 121
 switchport mode access
 spanning-tree portfast

Here is the AP console output. You can see the AP got an IP from the DHCP server but could not find a WLC to join.

*Mar  1 00:13:22.248: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.10.121.201, mask 255.255.255.192, hostname APccef.488c.fd41
*Mar  1 00:13:32.927:  status of voice_diag_test from WLC is false
*Mar  1 00:13:32.987: Logging LWAPP message to 255.255.255.255.
*Mar  1 00:13:35.705: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar  1 00:13:35.796: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar  1 00:13:35.891: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  1 00:13:36.715: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Mar  1 00:13:36.715: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
*Mar  1 00:13:36.809: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
Translating "CISCO-CAPWAP-CONTROLLER.mrn.com"...domain server (192.168.20.7)
*Mar  1 00:14:43.008: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
Not in Bound state.
*Mar  1 00:14:51.523: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.
*Mar  1 00:14:51.533: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.10.121.201, mask 255.255.255.192, hostname APccef.488c.fd41

If you run "debug ip udp" on CAT4 you will see the UDP traffic on the switch. Since CAPWAP control uses UDP port 5246, you should see traffic arriving for that port. (Be careful enabling this debug in a production network: the flood of debug messages could impact device performance.) In my test lab, no problem at all 🙂

As you can see below, CAT4 receives the UDP broadcast (destination port 5246, which is CAPWAP control).

CAT4#debug ip udp 
UDP packet debugging is on
CAT4#
.May  3 06:21:07.421: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:21:17.361: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:21:27.302: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:21:31.672: UDP: rcvd src=10.10.10.3(123), dst=10.10.20.1(123), length=76
.May  3 06:21:38.232: UDP: rcvd src=10.10.121.201(50047), dst=255.255.255.255(514), length=133
.May  3 06:21:42.712: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=310
.May  3 06:21:42.712: UDP: sent src=10.10.121.193(67), dst=192.168.200.1(67), length=310
.May  3 06:21:42.712: UDP: rcvd src=192.168.200.1(67), dst=10.10.121.193(67), length=308
.May  3 06:21:42.712: UDP: sent src=0.0.0.0(67), dst=255.255.255.255(68), length=308
.May  3 06:21:42.712: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=328
.May  3 06:21:42.712: UDP: sent src=10.10.121.193(67), dst=192.168.200.1(67), length=328
.May  3 06:21:42.729: UDP: rcvd src=192.168.200.1(67), dst=10.10.121.193(67), length=308
.May  3 06:21:42.729: UDP: sent src=0.0.0.0(67), dst=255.255.255.255(68), length=308
.May  3 06:21:45.833: UDP: rcvd src=10.10.121.201(50047), dst=255.255.255.255(514), length=115

Normally broadcast packets are not forwarded to other interfaces (except for the eight types of packets described earlier). Since the CAPWAP broadcast does not belong to those, you have to configure the switch to forward UDP 5246 traffic. You can use "ip forward-protocol udp 5246" for this. Here are the configuration options available with that command.

CAT4(config)#ip forward-protocol udp ?
  <0-65535>      Port number
  biff           Biff (mail notification, comsat, 512)
  bootpc         Bootstrap Protocol (BOOTP) client (68)
  bootps         Bootstrap Protocol (BOOTP) server (67)
  discard        Discard (9)
  dnsix          DNSIX security protocol auditing (195)
  domain         Domain Name Service (DNS, 53)
  echo           Echo (7)
  isakmp         Internet Security Association and Key Management Protocol
                 (500)
  mobile-ip      Mobile IP registration (434)
  nameserver     IEN116 name service (obsolete, 42)
  netbios-dgm    NetBios datagram service (138)
  netbios-ns     NetBios name service (137)
  netbios-ss     NetBios session service (139)
  non500-isakmp  Internet Security Association and Key Management Protocol
                 (4500)
  ntp            Network Time Protocol (123)
  pim-auto-rp    PIM Auto-RP (496)
  rip            Routing Information Protocol (router, in.routed, 520)
  snmp           Simple Network Management Protocol (161)
  snmptrap       SNMP Traps (162)
  sunrpc         Sun Remote Procedure Call (111)
  syslog         System Logger (514)
  tacacs         TAC Access Control System (49)
  talk           Talk (517)
  tftp           Trivial File Transfer Protocol (69)
  time           Time (37)
  who            Who service (rwho, 513)
  xdmcp          X Display Manager Control Protocol (177)

CAT4(config)#ip forward-protocol udp 5246

Here is the debug output once we configure this command on CAT4. (I had two L3 links from CAT4 to CAT2, which is why you see these broadcasts forwarded on two different interfaces.)

.May  3 06:29:18.420: UDP: sent src=0.0.0.0(67), dst=255.255.255.255(68), length=308
.May  3 06:29:21.406: UDP: rcvd src=10.10.121.201(50047), dst=255.255.255.255(514), length=115
.May  3 06:29:38.284: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:29:38.284: UDP: forwarded broadcast 5246 from 10.10.121.201 to 192.168.200.1 on FastEthernet1/0/23
.May  3 06:29:48.225: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:29:48.225: UDP: forwarded broadcast 5246 from 10.10.121.201 to 192.168.200.1 on FastEthernet1/0/22
.May  3 06:29:58.165: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:29:58.165: UDP: forwarded broadcast 5246 from 10.10.121.201 to 192.168.200.1 on FastEthernet1/0/23
.May  3 06:30:03.677: UDP: rcvd src=10.10.10.3(123), dst=10.10.20.1(123), length=76
.May  3 06:30:08.097: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:30:08.097: UDP: forwarded broadcast 5246 from 10.10.121.201 to 192.168.200.1 on FastEthernet1/0/22

As you can see above, UDP 5246 broadcast packets are now forwarded to 192.168.200.1. Why? Because "ip helper-address 192.168.200.1" is configured on the VLAN 121 interface so that the AP can get an IP address from the Microsoft DHCP server. To forward these UDP 5246 packets to the WLC as well, you have to add another "ip helper-address" command with the WLC management IP. At the same time we will enable "debug capwap packet enable" on the WLC to see the registration information. (Again, this debug generates a lot of output and you risk crashing or hanging the WLC.)

CAT4(config)#interface Vlan121
CAT4(config-if)# ip helper-address 10.10.111.10

CAT4(config-if)#do sh logg | in 5246
.May  3 06:38:19.080: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:38:19.080: UDP: forwarded broadcast 5246 from 10.10.121.201 to 192.168.200.1 on FastEthernet1/0/23
.May  3 06:38:19.080: UDP: forwarded broadcast 5246 from 10.10.121.201 to 10.10.111.10 on FastEthernet1/0/22
.May  3 06:40:28.710: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:40:28.710: UDP: forwarded broadcast 5246 from 10.10.121.201 to 192.168.200.1 on FastEthernet1/0/23
.May  3 06:40:28.718: UDP: forwarded broadcast 5246 from 10.10.121.201 to 10.10.111.10 on FastEthernet1/0/22
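The three stages of "debug ip udp" output above (received but not forwarded, forwarded only to the DHCP helper, forwarded to the WLC) can be checked mechanically. The following Python is an added example, not code from the original post: it parses those debug lines and names the missing piece of configuration; the sample lines are taken from the post's output with timestamps omitted, and the WLC address 10.10.111.10 is the one used in the post.

```python
import re
from typing import Dict, Set

CAPWAP_CONTROL_PORT = 5246

# "UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131"
RCVD_RE = re.compile(r"UDP: rcvd src=[\d.]+\(\d+\), dst=(?P<dst>[\d.]+)\((?P<dport>\d+)\)")
# "UDP: forwarded broadcast 5246 from 10.10.121.201 to 10.10.111.10 on FastEthernet1/0/22"
FWD_RE = re.compile(r"UDP: forwarded broadcast (?P<port>\d+) from [\d.]+ to (?P<helper>[\d.]+) on \S+")


def audit_capwap_forwarding(debug_output: str, wlc_ip: str) -> Dict[str, object]:
    """Classify 'debug ip udp' output into the states seen in the post.

    Counts CAPWAP control (UDP 5246) broadcasts received, collects the helper
    addresses they were forwarded to, and names the missing configuration.
    """
    received = 0
    helpers: Set[str] = set()
    for line in debug_output.splitlines():
        m = RCVD_RE.search(line)
        if m and int(m["dport"]) == CAPWAP_CONTROL_PORT and m["dst"] == "255.255.255.255":
            received += 1
            continue
        m = FWD_RE.search(line)
        if m and int(m["port"]) == CAPWAP_CONTROL_PORT:
            helpers.add(m["helper"])
    if received == 0:
        verdict = "no CAPWAP broadcasts seen: check the AP has an address and the debug is running"
    elif not helpers:
        verdict = "received but not forwarded: add 'ip forward-protocol udp 5246'"
    elif wlc_ip not in helpers:
        verdict = f"forwarded only to {sorted(helpers)}: add 'ip helper-address {wlc_ip}' on the AP VLAN"
    else:
        verdict = "ok: CAPWAP broadcasts are forwarded to the WLC"
    return {"received": received, "helpers": helpers, "verdict": verdict}


# Constructed samples: one representative line per stage of the post's debug output.
STAGE1 = ("UDP: rcvd src=10.10.121.201(50047), dst=255.255.255.255(514), length=133\n"
          "UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131\n")
STAGE2 = STAGE1 + "UDP: forwarded broadcast 5246 from 10.10.121.201 to 192.168.200.1 on FastEthernet1/0/23\n"
STAGE3 = STAGE2 + "UDP: forwarded broadcast 5246 from 10.10.121.201 to 10.10.111.10 on FastEthernet1/0/22\n"

if __name__ == "__main__":
    for stage in (STAGE1, STAGE2, STAGE3):
        print(audit_capwap_forwarding(stage, "10.10.111.10")["verdict"])
```

The syslog (514) line in the sample is there to show that only port 5246 is counted; feed it the full "show logging" output and it behaves the same way.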

Here is the AP console output showing successful registration to WLC1.

APccef.488c.fd41#renew dhcp g0
 wmmAC status is FALSE
*May  3 06:38:19.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.111.11 peer_port: 5246
*May  3 06:38:19.000: %CAPWAP-5-CHANGED: CAPWAP changed state to  
*May  3 06:38:19.430: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.10.111.11 peer_port: 5246
*May  3 06:38:19.434: %CAPWAP-5-SENDJOIN: sending Join Request to 10.10.111.11
*May  3 06:38:19.434: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May  3 06:38:19.594: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*May  3 06:38:19.717: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*May  3 06:38:19.726: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*May  3 06:38:19.726: %CAPWAP-5-CHANGED: CAPWAP changed state to UP
*May  3 06:38:19.776: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC1
*May  3 06:38:19.821: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up

If you take a Wireshark packet capture on the WAN link during this process you should see the WLC discovery request going to WLC1. Here is that output, where you can see "Discovery type is 0", which indicates the broadcast method is in use. Any other value (1 - Static, 2 - OTAP, 3 - DHCP option 43, 4 - DNS) indicates through which method the AP learned about the WLC.

[Image: WLC-Discovery-Broadcast-01 (Wireshark capture of the CAPWAP discovery request)]
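To show where the "Discovery type" value in the capture above comes from, here is an added example (not code from the post or from Cisco) that builds a minimal RFC 5415 CAPWAP Discovery Request carrying the Discovery Type message element and reads the value back the way a dissector does. The packet layout follows RFC 5415; the value-to-method mapping is the one the post gives for Cisco APs (RFC 5415 itself labels 0 to 4 as Unknown, Static, DHCP, DNS and AC Referral), and the sample packet is constructed, not captured.

```python
import struct
from typing import Optional

# Discovery Type values as the post lists them for Cisco APs (0 = broadcast method).
DISCOVERY_TYPES = {0: "broadcast", 1: "static", 2: "OTAP", 3: "DHCP option 43", 4: "DNS"}
CAPWAP_DISCOVERY_REQUEST = 1   # control message type, RFC 5415
ME_DISCOVERY_TYPE = 20         # Discovery Type message element, RFC 5415 section 4.6.21


def build_discovery_request(discovery_type: int, seq: int = 0) -> bytes:
    """Constructed sample: 8-byte CAPWAP header, 8-byte control header, one TLV element."""
    element = struct.pack("!HHB", ME_DISCOVERY_TYPE, 1, discovery_type)
    # Preamble 0x00 (version 0, plain CAPWAP); HLEN=2 words in the top 5 bits of byte 1;
    # WBID=1 (IEEE 802.11) in bits 1-5 of byte 2; flags, fragment id and offset all zero.
    header = bytes([0x00, 2 << 3, 1 << 1, 0x00]) + struct.pack("!HH", 0, 0)
    # Msg Element Length counts the bytes after the Sequence Number field.
    control = struct.pack("!IBHB", CAPWAP_DISCOVERY_REQUEST, seq, 3 + len(element), 0)
    return header + control + element


def discovery_method(packet: bytes) -> Optional[str]:
    """Return the discovery method a CAPWAP Discovery Request announces, or None."""
    if len(packet) < 8 or packet[0] != 0x00:
        return None                      # truncated, or not a plain CAPWAP header (DTLS = 0x01)
    hlen = (packet[1] >> 3) * 4          # HLEN is in 4-byte words
    if len(packet) < hlen + 8:
        return None                      # no room for the control header
    msg_type = struct.unpack_from("!I", packet, hlen)[0]
    if msg_type != CAPWAP_DISCOVERY_REQUEST:
        return None
    pos = hlen + 8                       # first message element (type, length, value)
    while pos + 4 <= len(packet):
        etype, elen = struct.unpack_from("!HH", packet, pos)
        if pos + 4 + elen > len(packet):
            return None                  # element runs past the packet: malformed
        if etype == ME_DISCOVERY_TYPE and elen == 1:
            value = packet[pos + 4]
            return DISCOVERY_TYPES.get(value, f"unknown ({value})")
        pos += 4 + elen
    return None


if __name__ == "__main__":
    pkt = build_discovery_request(0)
    print(pkt.hex(), "->", discovery_method(pkt))   # -> broadcast
```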

You can find details of all discovery methods in this Cisco document (Cisco Doc 70333):

Lightweight AP (LAP) Registration to a WLC

This document may also help you troubleshoot LAP registration issues with a WLC (Cisco Doc 99948):

Troubleshoot a Lightweight Access Point Not Joining a WLC

Other useful links: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/70333-lap-registration.html