Bcast/Mcast ICMP not allowed when configured as best practices

Aviv_Kedem
Contributor

Hello community,

AP7532 versions: 5.9.1.4 - 5.9.3.3

Receiving many logs: %DATAPLANE-4-DOSATTACK: BAD_PACKET:  Bcast/Mcast ICMP not allowed

But I had disabled it in the firewall policy (from best practices):

show running-config firewall-policy default include-factory | include broadcast-multicast-icmp

no ip dos broadcast-multicast-icmp

Why do the messages still appear?

Thanks

Aviv


Aviv_Kedem
Contributor

Hello Misha,

show running-config firewall-policy default include-factory from AP:

 no ip dos smurf
 no ip dos twinge
 no ip dos invalid-protocol
 no ip dos router-advt
 no ip dos router-solicit
 no ip dos option-route
 no ip dos ascend
 no ip dos chargen
 no ip dos fraggle
 no ip dos snork
 no ip dos ftp-bounce
 no ip dos tcp-intercept
 no ip dos broadcast-multicast-icmp
 no ip dos land
 no ip dos tcp-xmas-scan
 no ip dos tcp-null-scan
 no ip dos winnuke
 no ip dos tcp-fin-scan
 no ip dos udp-short-hdr
 no ip dos tcp-post-syn
 no ip dos tcphdrfrag
 no ip dos ip-ttl-zero
 no ip dos ipspoof
 no ip dos tcp-bad-sequence
 no ip dos tcp-sequence-past-window
 ip tcp validate-rst-seq-number
 ip tcp validate-rst-ack-number
 ip tcp validate-icmp-unreachable
 ip tcp recreate-flow-on-out-of-state-syn
 ip tcp optimize-unnecessary-resends
 ip dos tcp-max-incomplete high 500
 ip dos tcp-max-incomplete low 200
 no ip-mac conflict
 no ip-mac routing conflict
 flow timeout icmp 30
 flow timeout udp 30
 flow timeout tcp setup 10
 flow timeout tcp established 5400
 flow timeout tcp close-wait 10
 flow timeout tcp reset 10
 flow timeout tcp stateless-general 90
 flow timeout tcp stateless-fin-or-reset 10
 flow timeout other 30
 dhcp-offer-convert
 proxy-arp
 firewall enable
 ipv6 firewall enable
 no ipv6 rewrite-flow-label
 no ipv6 strict-ext-hdr-check 
 no ipv6 unknown-options 
 no ipv6 duplicate-options 
 no ipv6 option end-point-identification
 no ipv6 option router-alert
 no ipv6 option network-service-access-point
 no ipv6 option strict-hao-opt-check
 no ipv6 option strict-padding
 no ipv6 routing-type one
 no ipv6 routing-type two
 ipv6 dos multicast-icmpv6 log-and-drop log-level warnings 
 ipv6 dos hop-limit-zero log-and-drop log-level warnings 
 ipv6 dos tcp-intercept-mobility log-and-drop log-level warnings 
 acl-logging
 no stateful-packet-inspection-l2
 flow dhcp stateful
 alg ftp
 alg tftp
 no alg sip
 alg dns
 no alg facetime
 no alg sccp
 alg pptp
 no logging icmp-all
 no logging icmp-packet-drop
 no logging malformed-packet-drop
 no logging verbose
 ip tcp adjust-mss 1400
 clamp tcp-mss
 virtual-defragmentation
 no virtual-defragmentation minimum-first-fragment-length
 virtual-defragmentation maximum-fragments-per-datagram 140
 virtual-defragmentation maximum-defragmentation-per-host 8
 virtual-defragmentation timeout 1
 dns-snoop entry-timeout 1800
 no 802.2-encapsulation
 no vlan-stacking
 dns-snoop drop-on-parserror
 proxy-nd
 no ipv6-mac conflict
 no ipv6-mac routing conflict
 

Regards,

Aviv
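The thread pairs a log message with the "ip dos" check that should govern it and a policy dump that shows the check disabled. The script below is an added example, not code from the thread or from the WiNG/AP7532 software: it parses a firewall-policy dump for the state of each "ip dos" check, counts DOSATTACK BAD_PACKET messages in syslog lines, and reports messages whose governing check is disabled in the policy, which is the mismatch Aviv asks about. The policy text is abridged from the post above (with the smurf check flipped to enabled to show a contrast), the syslog prefix format and all log lines except the quoted message text are constructed, and the mapping of the "Smurf attack detected" text to the smurf check is an assumption; only the Bcast/Mcast ICMP pairing comes from the page.

```python
import re
from collections import Counter

# Constructed sample: abridged from the firewall-policy dump in the thread.
# "ip dos smurf" is deliberately left enabled here (the post shows "no ip dos smurf")
# so the report below shows one enabled and one disabled check side by side.
FIREWALL_POLICY = """\
 ip dos smurf
 no ip dos fraggle
 no ip dos broadcast-multicast-icmp
 no ip dos land
 ip dos tcp-max-incomplete high 500
 ip dos tcp-max-incomplete low 200
 firewall enable
 no logging icmp-packet-drop
"""

# Constructed sample syslog lines. The timestamp/hostname prefix is assumed;
# the first two lines carry the exact message text quoted in the thread, the
# third uses a hypothetical message text, the fourth is unrelated noise.
SAMPLE_LOGS = """\
Jan 01 10:00:01 ap7532-1 %DATAPLANE-4-DOSATTACK: BAD_PACKET:  Bcast/Mcast ICMP not allowed
Jan 01 10:00:02 ap7532-1 %DATAPLANE-4-DOSATTACK: BAD_PACKET:  Bcast/Mcast ICMP not allowed
Jan 01 10:00:05 ap7532-1 %DATAPLANE-4-DOSATTACK: BAD_PACKET:  Smurf attack detected
Jan 01 10:00:07 ap7532-1 %DATAPLANE-5-INFO: unrelated message
"""

# Message text -> "ip dos <check>" keyword that governs it.
# The first pairing is the one discussed in the thread; the second is assumed.
MESSAGE_TO_CHECK = {
    "Bcast/Mcast ICMP not allowed": "broadcast-multicast-icmp",
    "Smurf attack detected": "smurf",
}

DOS_LINE = re.compile(r"^\s*(no\s+)?ip dos (\S+)")
LOG_LINE = re.compile(r"%DATAPLANE-\d-DOSATTACK: BAD_PACKET:\s+(.*?)\s*$")


def parse_dos_checks(policy_text):
    """Return {check_name: enabled} for every 'ip dos' line in the policy dump.

    A leading 'no' means the check is disabled; extra arguments such as
    'high 500' are ignored, only the check keyword is kept."""
    checks = {}
    for line in policy_text.splitlines():
        m = DOS_LINE.match(line)
        if m:
            checks[m.group(2)] = m.group(1) is None
    return checks


def firewall_enabled(policy_text):
    """True if the policy contains a bare 'firewall enable' line."""
    return any(line.strip() == "firewall enable" for line in policy_text.splitlines())


def count_dos_messages(log_text):
    """Count DOSATTACK BAD_PACKET messages by their message text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def find_mismatches(policy_text, log_text):
    """Return {message: count} for logged DoS messages whose governing check
    is explicitly disabled ('no ip dos ...') in the supplied policy."""
    checks = parse_dos_checks(policy_text)
    mismatches = {}
    for msg, n in count_dos_messages(log_text).items():
        check = MESSAGE_TO_CHECK.get(msg)
        if check is not None and checks.get(check) is False:
            mismatches[msg] = n
    return mismatches


if __name__ == "__main__":
    print("firewall enable:", firewall_enabled(FIREWALL_POLICY))
    for msg, n in find_mismatches(FIREWALL_POLICY, SAMPLE_LOGS).items():
        print(f"{n} x '{msg}' logged although its check is disabled in this policy")
```

A non-empty result from find_mismatches does not by itself prove a bug: as the next reply points out, the dump has to come from the policy the AP's profile actually uses, and the firewall has to be enabled, before the log and the policy can be compared at all. Feed the script the policy dump and log export from the same device and time window.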

vanelm
Contributor

Hi Aviv, 

Please check that:

1. The AP/profile is using the mentioned firewall-policy

2. The firewall is enabled

Regards,

Misha
