anomaly-protection configuration issue

Create Date: Apr 2 2013 2:26PM

For some time, at the edge of our network (or where we aggregate if we don't have Extreme at the edge) we've been running anomaly-protection, minus the l4port component (it tends to interfere with VoIP phones and printing from many clients, we've found.) After moving to XOS 15.3.1.4, however, disabling l4port doesn't seem to work anymore - the anomaly counters keep going up under l4, and the traffic doesn't pass. We're seeing this on X460s and X250s; has anyone else? The config is like so:

enable ip-security anomaly-protection
disable ip-security anomaly-protection l4port

For now, we've disabled anomaly-protection, as it's not critical to our security, just a nice thing to have. It would be nice to have it back though... is this a known issue? Bug?

(from Ansley_Barnes)

Create Date: Apr 5 2013 6:31PM

I confirm this issue on X460 XOS 15.3.1.4.

Regards.
--
Jarek

(from Jaroslaw_Kasjaniuk)

Create Date: Apr 5 2013 7:44PM

Glad to know I'm not crazy! This worked in XOS 15.2.1.5, if I remember my versioning correctly. 

(from Ansley_Barnes)

Create Date: Apr 5 2013 8:24PM

Also important - the commands:

disable ip-security anomaly-protection
enable ip-security anomaly-protection ip
enable ip-security anomaly-protection tcp flags 
enable ip-security anomaly-protection tcp fragment 
enable ip-security anomaly-protection icmp

also enable the l4 detection/drops, even though none of the above lines are supposed to do so.

Don't get me wrong, I know how wrong it is when source-port = destination-port, however, when your phone system and printers depend on this traffic it's kind of frowned upon to shut it off...

(from Ansley_Barnes)
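
The l4port condition discussed in this thread (source port equal to destination port) can be inventoried from captured traffic before the check is turned back on, so the phones and printers that depend on it are known in advance. This is an added example, not code from the thread or from Extreme; the function names are hypothetical, and the sample packets (including the choice of UDP ports 5060 and 137) are constructed for illustration.

```python
import struct
from collections import Counter

def l4_equal_ports(packet: bytes):
    """Return (proto, src, dst, port) when an IPv4 TCP/UDP packet has
    source port == destination port, otherwise None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # not IPv4
    ihl = (packet[0] & 0x0F) * 4         # header length in bytes (options allowed)
    proto = packet[9]
    frag_off = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or proto not in (6, 17) or len(packet) < ihl + 4:
        return None                      # malformed, or neither TCP nor UDP
    if frag_off != 0:
        return None                      # non-first fragment carries no L4 header
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if sport != dport:
        return None
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    return ("tcp" if proto == 6 else "udp", src, dst, sport)

def build_ipv4(proto, src, dst, sport, dport):
    """Constructed sample: 20-byte IPv4 header plus the first L4 bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + struct.pack("!HH", sport, dport) + b"\x00" * 4

# Constructed traffic, documentation addresses only (192.0.2.0/24).
SAMPLES = [
    build_ipv4(17, "192.0.2.10", "192.0.2.1", 5060, 5060),    # phone-style UDP
    build_ipv4(17, "192.0.2.10", "192.0.2.1", 5060, 5060),
    build_ipv4(6, "192.0.2.20", "192.0.2.30", 49152, 9100),   # ports differ
    build_ipv4(17, "192.0.2.40", "192.0.2.255", 137, 137),    # name-service UDP
]

def inventory(packets):
    """Count packets per (proto, src, dst, port) that match the condition."""
    hits = Counter()
    for pkt in packets:
        match = l4_equal_ports(pkt)
        if match:
            hits[match] += 1
    return hits

if __name__ == "__main__":
    for (proto, src, dst, port), n in sorted(inventory(SAMPLES).items()):
        print(f"{proto} {src} -> {dst} port {port}: {n} packet(s)")
```
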
