Under cli Add the following to your user-role for captive portal
max-sessions 50 Using the web you can select the user-role for your captive portal Look for Max Sessions tab and set to 50 Remember you may need to tweak this a bit depending on your particular page. Steveh From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Osborne, Bruce W. (NS) Sent: Saturday, July 03, 2010 7:28 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] blocking broadcast/multicast? Stephen, You are a wealth of information. How do you limit the bunber of sessions on a role? I know you can limit the bandwidth used, but that is not the same thing. Thanks, Bruce Osborne Liberty University ________________________________ From: Holland, Stephen [s.holl...@neu.edu] Sent: Friday, July 02, 2010 1:34 PM Subject: Re: blocking broadcast/multicast? Ryan, You are correct that we are running M3's today. However, when we originally used the filter it was with the Sup2 cards. We were getting unexplained CPU spikes and we could not determine why. One of the recommendations by Aruba was to create the following filter and apply to our secure and non-secure roles: ip access-list eth DenyIPv6 deny 0x86dd permit any If anybody is following this thread and wants to try this APPLY THE FILTER TO THE LOCAL CONTROLLERS AND MASTER FIRST....Then apply filter to the appropriate roles. If you don't do it in this order the controller will not associate the role with the filter correctly and it will not work. When we applied we saw CPU go down and not up but that was our experience. In regards to the CPU spikes we found users in the initial captive portal role who had 300 - 400 sessions open with the controller. When we blacklisted the user the CPU went back down. We never found out who the users were so we could not determine why they created so many sessions. We did however limit the number of sessions on the initial role to 50 (need enough sessions for DHCP, Portal and other things required to make the portal page operate) and the problem went away. Stephen Holland Network Engineer Northeastern University From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Ryan Holland Sent: Wednesday, June 30, 2010 5:09 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] blocking broadcast/multicast? Stephen, Ha! I'm assuming you're running the M3 supervisor cards. We're using SUP-IIs, and they get taxed easily. ========== Ryan Holland Network Engineer, Wireless Office of the Chief Information Officer The Ohio State University 614-292-9906 holland....@osu.edu<mailto:holland....@osu.edu> On Jun 30, 2010, at 4:31 PM, Holland, Stephen wrote: Ryan, Believe it or not the filter does not dent the controller CPU in the least. Aruba was the one who recommended the filter to cut down CPU usage. All of our controllers running under 1% on all CPU's. BTW: I like the last name! We could be brothers........... Thanks Stephen Holland Network Engineer Northeastern University From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Ryan Holland Sent: Wednesday, June 30, 2010 2:08 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] blocking broadcast/multicast? Stephen, Blocking IPv6 via the policy enforcement firewall can add an incredible amount of processing on the controller, as each and every frame must be inspected. If you do not support v6 on wireless, it is much more efficient to just turn it off. You said "vlan pooling", so I assume you have Aruba. Issue the following: no ipv6 enable ========== Ryan Holland Network Engineer, Wireless Office of the Chief Information Officer The Ohio State University 614-292-9906 holland....@osu.edu<mailto:holland....@osu.edu> On Jun 30, 2010, at 1:59 PM, Holland, Stephen wrote: We found that IPv6 broadcast traffic contributed significantly to our wireless broadcast traffic. Since we don't support IPv6 on the wireless network we blocked the ethertype for IPv6 on our wireless controllers. Also, running vlan pooling with /23's. On a different topic related to bcast/mcast. Our wireless controllers connect to a pair of 4948 switches which then connect to Cisco routers which provide the vlans for wireless users. We use HSRP for redundancy. We realized there is no need to send the mcast traffic for HSRP out to the vlans which support our wireless users. As long as the routers see each other's HSRP updates it does not make sense to forward them to the wireless network. We created a filter to block the HSRP updates on the 4948 switches and applied it in the outbound direction toward the wireless controllers. For some reason the filter did not work. Doing some testing we found the filter is working because it drops updates if we apply it in the inbound direction. Does anybody know the filter would not work in the outbound direction?. Thanks Stephen Holland Network Engineer Northeastern University From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Marcelo Lew Sent: Wednesday, June 30, 2010 10:05 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] blocking broadcast/multicast? Hi Bruce, looks like we have a very similar setup. I was thinking of doing what you described on the second paragraph of your reply. Marcelo Lew Wireless Network Specialist University Technology Services University of Denver Desk: (303) 871-6523 Cell: (303) 669-4217 Fax: (303) 871-5900 Email: m...@du.edu<mailto:m...@du.edu> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Osborne, Bruce W. (NS) Sent: Wednesday, June 30, 2010 5:31 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] blocking broadcast/multicast? Marcelo, You need to be careful blocking broadcasts, or you may need to statically set ip addresses on all your clients. DHCP uses broadcast. We are an Aruba shop. On our normal data SSIDs we set "Drop Broadcast and Multicast" and "Convert Broadcast ARP requests to unicast" On our high speed (5GHz 802.11n only, 24mbit lowest transmit rate) we allow multicast to the students can watch IPTV video on wireless. To accomplish this, we have "Dynamic Multicast Optimization" enabled, which converts the multicast streams to unicast. Without "Dynamic Multicast" Optimization" multicast data is limited to the rate of the slowest 802.11 client. Blocking multicast is a good way to reduce unnecessary airtime. We use a VLAN pool of /23 networks to reduce the local broadcast domain for each client too. This helps reduce unnecessary traffic. Bruce Osborne Network Engineer Liberty University From: Marcelo Lew [mailto:m...@du.edu] Sent: Tuesday, June 29, 2010 1:10 PM Subject: blocking broadcast/multicast? Wondering how many of you are blocking broadcast/ multicast on the wifi network? If so, do you allow it on certain SSIDs? Do you get a lot of user complains about this? I would like to reduce unnecessary use of airtime, however, "unnecessary" can mean many different things depending who you ask... Marcelo Lew Wireless Network Specialist University Technology Services University of Denver Desk: (303) 871-6523 Cell: (303) 669-4217 Fax: (303) 871-5900 Email: m...@du.edu<mailto:m...@du.edu> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ________________________________ Not spam<about:blank> Forget previous vote<about:blank> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ________________________________ Spam<https://antispam.osu.edu/b.php?i=1057754690&m=1c945ada071c&c=s> Not spam<https://antispam.osu.edu/b.php?i=1057754690&m=1c945ada071c&c=n> Forget previous vote<https://antispam.osu.edu/b.php?i=1057754690&m=1c945ada071c&c=f> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.