Client Balancing Broadcast Flood

Solved
Voyage
Conversationalist

Hello! Can anyone assist me as to why our APs are flooding our network with broadcast traffic over Client Balancing port 61111?


Over 985,000 a day in deny logs from our FortiGate firewall. 192.168.10.x (AP LAN IP) -> 255.255.255.255


The APs are on a trunked VLAN. This issue has been going on for as long as we know; it was caught because we recently started using Splunk. We have experienced issues with client devices disconnecting somewhat randomly when signal strength is good.


I have disabled the feature, as Reddit posts have recommended mostly against using the feature; however, I do know this was improved in MR29.x firmware.

7 Replies
Ryan_Miles
Meraki Employee

https://documentation.meraki.com/MR/Other_Topics/Client_Balancing#Information_Exchange


Each AP has a local database that stores clients' metrics, both associated and not associated. This information is shared between each AP on the LAN via broadcast messages with an encrypted payload. Note that this message encryption is dynamically configured and secured by the Meraki cloud.


Note: Broadcast frames for this information use UDP port 61111 and are sent over the LAN infrastructure.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
Voyage
Conversationalist

Hi Ryan,

Still seems like a heck of a lot of broadcast traffic for Cisco APs to be sending out. The firewall rightly blocks it, as the traffic isn't meant for it, but the sheer amount of broadcast... something must be off. In your experience, do the APs send out this much 61111 broadcast traffic, or do they identify the neighboring APs in their local DB and quiet down?

Edit: This is outside my current network knowledge, unfortunately. I need to review how broadcast frames are sent from a device, in this case 192.168.10.23, when it's part of a trunk: whether it sends broadcast to all VLANs it has access to on the trunk or not... Because over 102 broadcast frames per minute from a single AP is not normal.

Ryan_Miles (Accepted Solution)
Meraki Employee

The traffic is proportional to the amount of clients on the APs. The more clients you have the more 61111 traffic you'll see.


From a pcap they look to be 66 bytes in size. Pretty insignificant IMO. And as you mention limiting broadcast domain size is part of core networking fundamentals. There's not a single right and wrong answer/design for every deployment.


Just seeing blocks in a firewall log doesn't indicate a problem or mean something isn't working as it should. And if this is a high density network you can always disable client balancing altogether. It's off by default in newly created wireless networks/rf profiles.

Ryan

Voyage
Conversationalist

Ryan, I sincerely appreciate you sharing your knowledge. My root issue is the Meraki APs filling up our Splunk license allocation; my goal is to cut back on those deny logs. At present, I'll keep client balancing disabled. Maybe later I'll re-review this to see what other options I have to either prevent AP broadcasts from reaching the firewall on port 61111 or auto-delete those logs from Splunk. Thank you.
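Ryan's reasoning (the 61111 traffic scales with client count, the frames are 66 bytes, and firewall denies alone are not a fault) and Voyage's goal of cutting the Splunk deny volume can both be checked with a small triage script. This is an added example, not code from the thread or from Meraki or Fortinet: the log lines are constructed in FortiGate key=value traffic-log style, and the AP management subnet being 192.168.10.0/24 and the exact field names are assumptions.

```python
"""Separate Meraki client-balancing broadcast denies (UDP 61111) from other FortiGate denies."""
import re
from collections import Counter

# FortiGate traffic logs are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

CB_PORT = 61111              # UDP port the thread identifies for client balancing
CB_FRAME_BYTES = 66          # frame size Ryan saw in a pcap
AP_SUBNET = "192.168.10."    # AP management VLAN from the original post (assumed /24)

# Constructed sample lines in FortiGate traffic-log style, not real firewall output.
SAMPLE_LOGS = [
    'date=2023-10-17 time=14:20:31 type="traffic" srcip=192.168.10.23 dstip=255.255.255.255 dstport=61111 proto=17 action="deny" policyid=0',
    'date=2023-10-17 time=14:20:32 type="traffic" srcip=192.168.10.23 dstip=255.255.255.255 dstport=61111 proto=17 action="deny" policyid=0',
    'date=2023-10-17 time=14:20:32 type="traffic" srcip=192.168.10.24 dstip=255.255.255.255 dstport=61111 proto=17 action="deny" policyid=0',
    'date=2023-10-17 time=14:20:33 type="traffic" srcip=192.168.10.23 dstip=255.255.255.255 dstport=61111 proto=17 action="deny" policyid=0',
    'date=2023-10-17 time=14:20:34 type="traffic" srcip=10.0.0.5 dstip=192.168.10.1 dstport=445 proto=6 action="deny" policyid=0',
    'date=2023-10-17 time=14:20:35 type="traffic" srcip=10.0.0.7 dstip=8.8.8.8 dstport=53 proto=17 action="accept" policyid=3',
]

def parse_fortigate_line(line):
    """Return one log line's key=value pairs as a dict, with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def is_client_balancing_broadcast(rec):
    """Match exactly the pattern the thread describes: AP -> limited broadcast, UDP/61111, denied."""
    return (rec.get("action") == "deny" and rec.get("proto") == "17"
            and rec.get("dstport") == str(CB_PORT)
            and rec.get("dstip") == "255.255.255.255"
            and rec.get("srcip", "").startswith(AP_SUBNET))

def triage(lines):
    """Count client-balancing denies per AP; every other record is kept for normal review."""
    per_ap, other = Counter(), []
    for line in lines:
        rec = parse_fortigate_line(line)
        if is_client_balancing_broadcast(rec):
            per_ap[rec["srcip"]] += 1
        else:
            other.append(rec)
    return per_ap, other

def wire_cost(denies_per_day, frame_bytes=CB_FRAME_BYTES):
    """Express the deny count as link load: the cost is log volume, not bandwidth."""
    bytes_per_day = denies_per_day * frame_bytes
    return {"mb_per_day": bytes_per_day / 1e6,
            "avg_kbps": bytes_per_day * 8 / 86_400 / 1_000,
            "frames_per_min": denies_per_day / 1_440}

if __name__ == "__main__":
    per_ap, other = triage(SAMPLE_LOGS)
    print("client-balancing denies per AP:", dict(per_ap))
    print("records left for review:", len(other))
    print("985,000 denies/day on the wire:", wire_cost(985_000))
```

The same match can be applied as a drop rule at the log-forwarding stage, or as a FortiGate policy that denies the broadcast without logging, so the 61111 chatter never reaches Splunk while other denies still do.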

PhilipDAth
Kind of a big deal

This would be a good use of multicast?

RaphaelL
Kind of a big deal

If your APs are all under the same mgmt VLAN (which they probably should be), then your multicast becomes a broadcast, I would say.

Voyage
Conversationalist

This is correct. Our APs are on a MGMT VLAN.
