There’s a few linksys router used by customers on our network that went crazy for some unexplained reason. It seems to be doing a packet storm on the network broadcasting as IP address 0.0.0.0. Now I’m dropping this on my boarder firewall which prevents it from spreading to the rest of my network but it doesn’t seem to help on my Canopy backbone. It basically gets so bad that it sometimes congest the backbone making it completely inaccessible. It’s also not a very easy thing to track and can take us sometimes up to an hour before we actually find the faulty routers. The only way I can see of stopping this completely is to add a Linux bridge between the AP and the backhaul dropping all traffic from 0.0.0.0 before it gets a chance of even entering our network but then I have another device on the backbone I need to worry about. The ideal solution would have been if Motorola would have given you the capability of adding an access list on the AP it self. Are there any other simpler solutions then the one I have? Any help would be greatly appreciated
Here’s an example I’ve recorded with tcpdump of the traffic that the routers are generating.
15:55:39.470415 00:14:6c:90:57:eb > Broadcast, ethertype IPv4 (0x0800), length 70: IP 0.0.0.0 > 10.0.1.178: icmp 36:
239.255.255.250 protocol 2 unreachable
Configure all your SMs to filter IPv4 Multicast. That did it for us. search around the forum, everybody has seen this problem at some point
Can it really be that simple :shock:
Oh, but it can!
Also filter:
- PPPoE (unless you are using it)
- SMB (Network Neighborhood)
- SNMP
- Bootp Client
- Bootp Server
dont block bootp client if you are using a dhcp network, as far as i know that would stop that.
Steph you will see that before each burst of ICMP traffic there is an IGMP request. this causes the ICMP replys. The source of the IGMP request is the offending client. you will have to be monitoring it before the icmp burst to find the IGMP request. This will help track it down much quicker.
I use Ethereal and I get the IGMP’s mac address then use the bridge tables on the AP to track it down to a site. depending on the number of sites/customers on the offending site it can take 5-10 minutes.
I have never been able to track it down to a certain brand of router. I havnt had an ICMP storm in about 3 months…/me knocks on wood. They single handedly have cost me the most money/customers.
Thanks a mill guys, this will help me allot.
can you use NAT on the SM’s ?