topic X480 bcast flood in ExtremeSwitching (EXOS/Switch Engine)

X480 bcast flood

Alexandr_P — Wed, 02 Dec 2015 17:15:00 GMT

Hi, all!

Have X480 as border.
Yesterday begin big bcast flood in local network.
Investigate show that it was scanning for local net from Internet, so IP addresses which wasn't in IP-ARP table was asked by X480 - ARP who is xx.xx.xx.xx in local. As there big local network, and a lot of IP-addresses wasn't active - X480 made big bcast flood.

As workaroung we can
- increase time of keeping arp in table

Any more ideas?

I receive advice - to make arp-passive mode (X480 transmit bcast arp query only when client from local net give arp query) - how I can configure this?

Thank you!

RE: X480 bcast flood

Jarek — Wed, 02 Dec 2015 18:56:00 GMT

Hi,

can you use static ARP ? For example you can check ip-security function like "learn ARP from DHCP".

--
Jarek

RE: X480 bcast flood

Sergey_Okun — Wed, 02 Dec 2015 19:38:00 GMT

You can try access-list with the action "deny-cpu". Like this:

code:

 x460.3 # show policy CoPP Policies at Policy Server: Policy: CoPP entry arp {  if match all {      ethernet-type 0x806 ; } then {     permit  ; } } entry ssh {  if match all {      source-zone zone-mgm ;     protocol tcp ;     destination-port 22 ; } then {     permit  ; } entry bgp_src {  if match all {      source-zone zone-bgp ;     protocol tcp ;     source-port 179 ; } then {     permit  ; } ##########  [skip] ########## Other protocols entry deny_other {  if match all {  } then {     deny-cpu  ; } }

code:

 x460 # show configuration | include CoPP configure access-list CoPP any ingress

RE: X480 bcast flood

Alexandr_P — Wed, 02 Dec 2015 19:43:00 GMT

I can't deny arp requests - because in my case swich work correct.
But in case when somebody scan my network, disconnected clients -> arp table in X480 haven't their MAC/IP records -> send a lot of bcast arp-who_is messages -> big load of network

RE: X480 bcast flood

Jarek — Wed, 02 Dec 2015 19:55:00 GMT

You have customers that obtaining address via DHCP or use a static IP ?

--
Jarek

RE: X480 bcast flood

Alexandr_P — Wed, 02 Dec 2015 20:04:00 GMT

Via DHCP from external server, not switch dhcp.

RE: X480 bcast flood

Jarek — Wed, 02 Dec 2015 20:11:00 GMT

They using dynamic IP addresses or static ?

Maybe you can use ip-security function.
When host get address via switch relay, switch creates a ip-security dhcp-snooping entries.
This can add a static arp also with ip-security arp learning learn-from-dhcp

RE: X480 bcast flood

Alexandr_P — Wed, 02 Dec 2015 20:26:00 GMT

Thank's for all!

I thnk it would be the best decision.

RE: X480 bcast flood

Jarek — Wed, 02 Dec 2015 20:36:00 GMT

Check also an arp validation funcion and
you can add an ACL on vlan ingress to filter junk packets/frames.

I have also in my ingress vlan acl meter to rate-limit packets to switch IP address and IP's on core+distribution used for connection between switches/routers,
because sometimes customers try to kill your equipment intentionally or not  (viruses, etc..)

--
Jarek

RE: X480 bcast flood

Alexandr_P — Wed, 02 Dec 2015 20:36:00 GMT

Can you, please, tell me in details about " have also in my ingress vlan acl meter to rate-limit packets to switch IP address and IP's on core+distribution used for connection between switches/routers"

Thank you!

RE: X480 bcast flood

Jarek — Wed, 02 Dec 2015 20:36:00 GMT

For example you have:

SW Core ==> 192.168.1.0/30 <== Distribution custom vlan lan1 IP 192.168.100.1/24 ==> to L2 switch

Network 192.168.1.0/24 is used for connection between distr. and core.

On distribution switch:
create meter ICMP_Limit
configure meter ICMP_Limit committed-rate 128 Kbps max-burst-size 32 Kb out-actions drop

ACL for ingress vlan lan1.pol

entry toCore_ICMP { if { destination-address 192.168.1.0/24;

} then {

permit;

meter ICMP_Limit;

}}

entry toGW_Lan1_ICMP { if match all { destination-address 192.168.100.1/32 ;

protocol icmp;

} then {

permit ;

meter ICMP_Limit;

} }

You can also deny udp and tcp to this address from customer vlan.

--
Jarek

RE: X480 bcast flood

Alexandr_P — Wed, 02 Dec 2015 20:36:00 GMT

Thank you!