X480 bcast flood

  • Question
  • Updated 3 years ago
  • Answered
Hi, all!

I have an X480 as border.
Yesterday a big bcast flood began in the local network.
Investigation showed that it was a scan of the local net from the Internet, so the IP addresses which weren't in the IP-ARP table were asked for by the X480 - ARP "who is xx.xx.xx.xx" in the local net. As it is a big local network, and a lot of IP addresses weren't active - the X480 made a big bcast flood.

As a workaround we can
- increase the time of keeping ARP entries in the table

Any more ideas?

I received advice - to make an arp-passive mode (the X480 transmits a bcast ARP query only when a client from the local net makes an ARP query) - how can I configure this?

Thank you!
Alexandr P, Embassador

Posted 3 years ago

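The flood described in the question above can be confirmed from a packet capture on the affected VLAN: count the gateway's broadcast who-has requests per second and list the targets that never answered (idle addresses being probed). This is an added example, not from the thread; the gateway MAC and the tcpdump-style sample lines are constructed.

```python
import re
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"
GATEWAY_MAC = "00:04:96:aa:bb:cc"  # hypothetical MAC of the X480 VLAN interface

# Constructed sample in `tcpdump -e -n arp` style, not a real capture. One host
# (10.0.0.5) answers; the next five addresses are idle, so the gateway's
# who-has requests for them stay unanswered. The last line is a client's own
# request and must not be counted against the gateway.
SAMPLE = """\
12:00:00.100000 00:04:96:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.5 tell 10.0.0.1, length 28
12:00:00.100400 00:11:22:33:44:55 > 00:04:96:aa:bb:cc, ethertype ARP (0x0806), length 60: Reply 10.0.0.5 is-at 00:11:22:33:44:55, length 46
12:00:01.000100 00:04:96:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.6 tell 10.0.0.1, length 28
12:00:01.000200 00:04:96:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.7 tell 10.0.0.1, length 28
12:00:01.000300 00:04:96:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.8 tell 10.0.0.1, length 28
12:00:01.000400 00:04:96:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.9 tell 10.0.0.1, length 28
12:00:01.000500 00:04:96:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.10 tell 10.0.0.1, length 28
12:00:01.000600 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.5, length 28
"""

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}),"
    r" ethertype ARP \(0x0806\), length \d+: "
    r"(?:Request who-has (?P<who>[\d.]+) tell [\d.]+"
    r"|Reply (?P<isat>[\d.]+) is-at [0-9a-f:]{17})"
)

def ip_key(ip):
    return tuple(int(o) for o in ip.split("."))

def analyze(capture, gateway_mac=GATEWAY_MAC):
    # Per-second count of the gateway's broadcast who-has, plus targets never answered.
    per_second = Counter()
    asked, answered = set(), set()
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        if m["who"] and m["src"] == gateway_mac and m["dst"] == BROADCAST:
            per_second[m["ts"]] += 1
            asked.add(m["who"])
        elif m["isat"]:
            answered.add(m["isat"])
    return {"per_second": dict(per_second),
            "unanswered": sorted(asked - answered, key=ip_key)}

def flood_seconds(stats, max_per_second):
    # Seconds in which the gateway exceeded the allowed who-has rate.
    return sorted(s for s, n in stats["per_second"].items() if n > max_per_second)
```

A high share of unanswered targets together with a burst of requests in one second is the signature of an external scan hitting idle addresses rather than normal client traffic.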
Jarek
Hi,

Can you use static ARP? For example, you can check the ip-security function, like "learn ARP from DHCP".


--
Jarek
Sergey Okun
You can try an access-list with the action "deny-cpu". Like this:

x460.3 # show policy CoPP
Policies at Policy Server:
Policy: CoPP
entry arp {
    if match all {
        ethernet-type 0x806 ;
    }
    then {
        permit ;
    }
}
entry ssh {
    if match all {
        source-zone zone-mgm ;
        protocol tcp ;
        destination-port 22 ;
    }
    then {
        permit ;
    }
}
entry bgp_src {
    if match all {
        source-zone zone-bgp ;
        protocol tcp ;
        source-port 179 ;
    }
    then {
        permit ;
    }
}
##########  [SKIP]
########## Other protocols
entry deny_other {
    if match all {
    }
    then {
        deny-cpu ;
    }
}

x460 # show configuration | include CoPP
configure access-list CoPP any ingress
Alexandr P, Embassador
I can't deny ARP requests - because in my case the switch works correctly.
But in the case when somebody scans my network, disconnected clients -> the ARP table in the X480 doesn't have their MAC/IP records -> it sends a lot of bcast arp-who_is messages -> big load on the network
Jarek
Do you have customers that obtain addresses via DHCP, or do they use static IPs?

--
Jarek
Alexandr P, Embassador
Via DHCP from an external server, not the switch's DHCP.
Jarek
Are they using dynamic IP addresses or static?

Maybe you can use the ip-security function.
When a host gets an address via the switch relay, the switch creates ip-security dhcp-snooping entries.
This can also add a static ARP with ip-security arp learning learn-from-dhcp.
Alexandr P, Embassador
Thanks for all!

I think it would be the best decision.
Jarek
Check also the ARP validation function, and
you can add an ACL on vlan ingress to filter junk packets/frames.

I also have in my ingress vlan ACL a meter to rate-limit packets to the switch IP address and IPs on core+distribution used for the connection between switches/routers,
because sometimes customers try to kill your equipment, intentionally or not :) (viruses, etc.)

--
Jarek
Alexandr P, Embassador
Can you, please, tell me in detail about "I also have in my ingress vlan ACL a meter to rate-limit packets to the switch IP address and IPs on core+distribution used for the connection between switches/routers"

Thank you!
Jarek
For example, you have:

SW Core ==> 192.168.1.0/30 <== Distribution, customer vlan lan1, IP 192.168.100.1/24 ==> to L2 switch

Network 192.168.1.0/24 is used for the connection between distribution and core.

On the distribution switch:
create meter ICMP_Limit
configure meter ICMP_Limit committed-rate 128 Kbps max-burst-size 32 Kb out-actions drop

ACL for ingress on vlan lan1 (lan1.pol):

entry toCore_ICMP {
    if match all {
        destination-address 192.168.1.0/24 ;
        # match ICMP only, as the entry name and the next entry imply
        protocol icmp ;
    }
    then {
        permit ;
        meter ICMP_Limit ;
    }
}
entry toGW_Lan1_ICMP {
    if match all {
        destination-address 192.168.100.1/32 ;
        protocol icmp ;
    }
    then {
        permit ;
        meter ICMP_Limit ;
    }
}

You can also deny udp and tcp to this address from the customer vlan.

--
Jarek
Alexandr P, Embassador
Thank you!