X480 bcast flood


Userlevel 6
Hi, all!

Have X480 as border.
Yesterday a big bcast flood began in the local network.
Investigation showed that it was a scan of the local net from the Internet, so IP addresses which weren't in the IP-ARP table were queried by the X480 - ARP "who is xx.xx.xx.xx" on the local net. As there is a big local network, and a lot of IP addresses weren't active, the X480 made a big bcast flood.

As a workaround we can
- increase the time of keeping ARP entries in the table

Any more ideas?

I received advice - to make an arp-passive mode (X480 transmits a bcast ARP query only when a client from the local net makes an ARP query) - how can I configure this?

Thank you!
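An added example (not from the thread) that checks ARP traffic for the symptom described in the post: one sender, here the gateway, emitting many broadcast who-has requests that nobody answers. It is Python over constructed tcpdump-style ARP lines; the addresses, MACs and thresholds are assumptions.

```python
"""Spot a who-has storm caused by requests for hosts that never answer.

Added example, not from the thread. Parses tcpdump-style ARP lines and
reports, per sender IP, how many who-has requests got no is-at reply;
a gateway with a high unanswered ratio is the scan-driven flood pattern.
"""
import re
from collections import defaultdict

# Constructed sample (hypothetical addresses/MACs), tcpdump -tt -n -e style.
SAMPLE = """\
1700000000.10 00:04:96:aa:bb:01 > ff:ff:ff:ff:ff:ff, ARP, Request who-has 10.1.0.5 tell 10.1.0.1
1700000000.12 00:11:22:33:44:05 > 00:04:96:aa:bb:01, ARP, Reply 10.1.0.5 is-at 00:11:22:33:44:05
1700000000.20 00:04:96:aa:bb:01 > ff:ff:ff:ff:ff:ff, ARP, Request who-has 10.1.0.77 tell 10.1.0.1
1700000000.25 00:04:96:aa:bb:01 > ff:ff:ff:ff:ff:ff, ARP, Request who-has 10.1.0.78 tell 10.1.0.1
1700000000.30 00:04:96:aa:bb:01 > ff:ff:ff:ff:ff:ff, ARP, Request who-has 10.1.0.79 tell 10.1.0.1
1700000000.35 00:04:96:aa:bb:01 > ff:ff:ff:ff:ff:ff, ARP, Request who-has 10.1.0.80 tell 10.1.0.1
1700000000.40 00:11:22:33:44:05 > ff:ff:ff:ff:ff:ff, ARP, Request who-has 10.1.0.1 tell 10.1.0.5
1700000000.41 00:04:96:aa:bb:01 > 00:11:22:33:44:05, ARP, Reply 10.1.0.1 is-at 00:04:96:aa:bb:01
"""
REQ = re.compile(r"^(\S+) (\S+) > \S+, ARP, Request who-has (\S+) tell (\S+)")
REP = re.compile(r"^(\S+) \S+ > \S+, ARP, Reply (\S+) is-at")


def arp_stats(text):
    """Return {sender_ip: (requests, unanswered, duration_seconds)}."""
    requests = defaultdict(list)   # sender_ip -> [(timestamp, target_ip)]
    answered = set()               # target IPs seen in an is-at reply
    for line in text.splitlines():
        m = REQ.match(line)
        if m:
            ts, _mac, target, sender = m.groups()
            requests[sender].append((float(ts), target))
            continue
        m = REP.match(line)
        if m:
            answered.add(m.group(2))
    stats = {}
    for sender, reqs in requests.items():
        unanswered = sum(1 for _, target in reqs if target not in answered)
        span = max(ts for ts, _ in reqs) - min(ts for ts, _ in reqs)
        stats[sender] = (len(reqs), unanswered, round(span, 2))
    return stats


def flood_sources(text, min_unanswered=3, min_ratio=0.5):
    """Sender IPs whose unanswered who-has volume looks like a scan-driven storm."""
    return sorted(s for s, (n, u, _) in arp_stats(text).items()
                  if u >= min_unanswered and u / n >= min_ratio)
```

On a live capture, feed the output of `tcpdump -tt -n -e arp` into `flood_sources` and compare the flagged sender against the gateway address.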

11 replies

Userlevel 3
Hi,

can you use static ARP? For example you can check the ip-security function like "learn ARP from DHCP".

--
Jarek
You can try an access-list with the action "deny-cpu". Like this:
code:
    x460.3 # show policy CoPP
    Policies at Policy Server:
    Policy: CoPP
    entry arp {
        if match all {
            ethernet-type 0x806 ;
        } then {
            permit ;
        }
    }
    entry ssh {
        if match all {
            source-zone zone-mgm ;
            protocol tcp ;
            destination-port 22 ;
        } then {
            permit ;
        }
    }
    entry bgp_src {
        if match all {
            source-zone zone-bgp ;
            protocol tcp ;
            source-port 179 ;
        } then {
            permit ;
        }
    }
    ##########  [skip] ########## Other protocols
    entry deny_other {
        if match all {
        } then {
            deny-cpu ;
        }
    }
code:
    x460 # show configuration | include CoPP
    configure access-list CoPP any ingress
Userlevel 6
I can't deny ARP requests - because in my case the switch works correctly.
But in the case when somebody scans my network, disconnected clients -> ARP table in X480 doesn't have their MAC/IP records -> sends a lot of bcast arp-who_is messages -> big load on the network
Userlevel 3
You have customers that obtain addresses via DHCP or use a static IP?

--
Jarek
Userlevel 6
Via DHCP from an external server, not the switch's DHCP.
Userlevel 3
Are they using dynamic IP addresses or static?

Maybe you can use the ip-security function.
When a host gets an address via the switch relay, the switch creates ip-security dhcp-snooping entries.
This can also add a static ARP with ip-security arp learning learn-from-dhcp
Userlevel 6
Thanks for all!

I think it would be the best decision.
Userlevel 3
Check also an arp validation function and
you can add an ACL on vlan ingress to filter junk packets/frames.

I also have in my ingress vlan acl a meter to rate-limit packets to switch IP address and IP's on core+distribution used for connection between switches/routers,
because sometimes customers try to kill your equipment, intentionally or not 🙂 (viruses, etc.)

--
Jarek
Userlevel 6
Jarek wrote:

Check also an arp validation function and
you can add an ACL on vlan ingress to filter junk packets/frames.

I also have in my ingress vlan acl a meter to rate-limit packets to switch IP address and IP's on core+distribution used for connection between switches/routers,
because sometimes customers try to kill your equipment, intentionally or not 🙂 (viruses, etc.)

--
Jarek

Can you, please, tell me in detail about "I also have in my ingress vlan acl a meter to rate-limit packets to switch IP address and IP's on core+distribution used for connection between switches/routers"

Thank you!
Userlevel 3
Jarek wrote:

Check also an arp validation function and
you can add an ACL on vlan ingress to filter junk packets/frames.

I also have in my ingress vlan acl a meter to rate-limit packets to switch IP address and IP's on core+distribution used for connection between switches/routers,
because sometimes customers try to kill your equipment, intentionally or not 🙂 (viruses, etc.)

--
Jarek

For example you have:

SW Core ==> 192.168.1.0/30 <== Distribution custom vlan lan1 IP 192.168.100.1/24 ==> to L2 switch

Network 192.168.1.0/24 is used for connection between distr. and core.

On the distribution switch:
    create meter ICMP_Limit
    configure meter ICMP_Limit committed-rate 128 Kbps max-burst-size 32 Kb out-actions drop

ACL for ingress vlan (lan1.pol):

    entry toCore_ICMP {
        if {
            destination-address 192.168.1.0/24 ;
        } then {
            permit ;
            meter ICMP_Limit ;
        }
    }
    entry toGW_Lan1_ICMP {
        if match all {
            destination-address 192.168.100.1/32 ;
            protocol icmp ;
        } then {
            permit ;
            meter ICMP_Limit ;
        }
    }


You can also deny UDP and TCP to this address from the customer vlan.

--
Jarek
Userlevel 6
Jarek wrote:

Check also an arp validation function and
you can add an ACL on vlan ingress to filter junk packets/frames.

I also have in my ingress vlan acl a meter to rate-limit packets to switch IP address and IP's on core+distribution used for connection between switches/routers,
because sometimes customers try to kill your equipment, intentionally or not 🙂 (viruses, etc.)

--
Jarek

Thank you!