I really recommend using a big block of private IP addresses and NAT them (I am on a 10.x.x.x /17 right now) - this allows you to have really big subnets where needed, with reasonable DHCP lease times. DHCP goes through to our BlueCat servers. One can then arrange to have enough public IP addresses tied in your NAT service to support the numbers of clients...
If your router can't cope with the ARP traffic (which for a /17 is roughly 5 packets per second assuming a default 4 hour ARP timeout) then it's going to be easy to take down with a single misbehaving client...

Richard Letts
Director, Networking and Telecommunications
ITaP Infrastructure Services
Purdue University
[email protected]
O: 765-496-1663
C: 206-790-5837

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Glinsky, Eric
Sent: Wednesday, August 28, 2019 3:36 PM
To: [email protected]
Subject: [WIRELESS-LAN] WLC interface groups?

This question is for large universities with WLCs that tunnel traffic through a controller. Do you use a single interface (VLAN) for, say, 30k clients, or do you use two or more interfaces in an interface group, and why? Do you use DHCP proxy? Is there any documentation or generally-accepted rules of thumb on this?

Historically, on all three Cisco 8540 pairs, we had a core interface and an interface for res halls, and depending on the AP's location (6k APs) our branded SSID would map clients to one interface or the other. All our wireless clients have public IPs, and we've faced issues running out. Throughout the day, we'd see the majority of clients move from the res hall network to the core network, and vice versa at night. At one point, we merged both the interfaces in an interface group to utilize all IPs at all times. However, the way it's currently set up, there are more IPs available in the core interface than in the res hall interface.

We are considering these options on how to move forward with or without the interface group:

1. Consolidating down to one interface. More efficient use of IP space, clients wouldn't change IPs as often. Could probably increase lease time to 1 hour, but what about broadcast and ARP traffic for all 30k addresses in the VLAN at the router - understanding that client device broadcast traffic doesn't leave the controller except DHCP (we do not use DHCP proxy in the controllers).

2. Staying with the group of two interfaces and balancing the IP space between them. Avoids wasted IPs, depending how intelligent the 8540s are at distributing clients between all interfaces in the group.

3. Splitting out to more interfaces. We'd cut down on broadcast traffic but we'd be liable to have one client taking up three or more addresses between all the interfaces for up to the 30-minute lease time we have, and a client would change IPs more throughout the day as it re-associates and gets put in a different interface.

Interestingly, a consultant we're working with hasn't seen a single customer besides us use interface groups.

Eric Glinsky
Network Technician
University of Connecticut
ITS - Network Operations
Temporary Administration Building
25 Gampel Service Drive | Storrs, CT 06269-1138
(860) 486-9199
[email protected]

********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
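The two sizing questions raised in this thread (steady-state ARP refresh load on the router for one large VLAN, and how many addresses a client population can tie up when leases are spread across several interfaces) can be checked with a small calculator. The following is an added example, not code from either poster or from Cisco or BlueCat; it assumes a simple model in which every populated ARP entry is refreshed once per timeout with a request/reply pair (which reproduces the "roughly 5 packets per second" figure for a /17 with a 4 hour timeout), and in which a client that re-associates onto a different interface keeps its old lease until it expires.

```python
import ipaddress

# Assumption: one ARP refresh is a request plus a reply (2 frames).
ARP_PACKETS_PER_REFRESH = 2


def usable_hosts(prefix: str) -> int:
    """Usable host addresses in a prefix (network and broadcast excluded)."""
    return ipaddress.ip_network(prefix, strict=False).num_addresses - 2


def arp_refresh_pps(prefix: str, arp_timeout_s: int = 4 * 3600,
                    occupancy: float = 1.0,
                    packets_per_refresh: int = ARP_PACKETS_PER_REFRESH) -> float:
    """Average ARP packets/s the router sees keeping its cache warm for a VLAN.

    occupancy is the fraction of usable addresses actually in use; at 1.0 this
    is the worst case of a fully populated subnet.
    """
    entries = usable_hosts(prefix) * occupancy
    return entries * packets_per_refresh / arp_timeout_s


def arp_sweep_multiplier(prefix: str, sweep_pps: float,
                         arp_timeout_s: int = 4 * 3600) -> float:
    """How many times the steady-state ARP rate a single host sweeping the
    whole subnet at sweep_pps represents. Large values show why a big flat
    VLAN is sensitive to one misbehaving client."""
    return sweep_pps / arp_refresh_pps(prefix, arp_timeout_s)


def addresses_held(clients: int, interfaces: int, lease_s: int,
                   reassoc_per_hour: float) -> float:
    """Peak addresses tied up by `clients` when each re-association may land
    on a different interface of an interface group.

    Simplified model (an assumption, not a WLC behaviour guarantee): a client
    holds its current lease plus one stale lease per re-association that
    happened within the last lease interval, capped at one lease per
    interface.
    """
    stale_per_client = min(interfaces - 1, reassoc_per_hour * lease_s / 3600)
    return clients * (1 + stale_per_client)


if __name__ == "__main__":
    # Constructed figures from the thread: a /17, 4 h ARP timeout, 30k clients,
    # 30 minute leases, and a guessed 2 re-associations per client per hour.
    print(f"/17 steady-state ARP: {arp_refresh_pps('10.0.0.0/17'):.2f} pps")
    print(f"one host sweeping at 100 pps = "
          f"{arp_sweep_multiplier('10.0.0.0/17', 100):.0f}x steady state")
    for n in (1, 2, 3):
        held = addresses_held(30000, n, 30 * 60, 2.0)
        print(f"{n} interface(s): up to {held:.0f} addresses in use")
```

Running it shows the trade-off the thread describes: the single-VLAN option costs a few ARP packets per second at steady state but a single host sweeping the subnet dwarfs that rate, while splitting clients across interfaces multiplies the address pool needed for the same population unless the lease time is shortened.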
