Cisco Embedded Wireless Controller 9800 flood vrrp

Ingénierie RCI
Level 1

Hi everyone,

First of all, it's my first post in the forum and I don't know if I am posting in the right place; moreover, English isn't my mother tongue and I apologize in advance for any language errors.

To explain my problem:

I have a client with an embedded wireless controller C9800 on a 9120AXI access point, and many Alcatel switches in his LAN. When I check the logs of the switches, I see these messages:

 

 

2023 Jun 30 10:38:19.230 SW17_Mecanique swlogd ipni dos WARN: VRF 0: DoS type invalid ip from 0.0.0.0/08:45:d1:e9:08:54 on port 1/1/49
2023 Jun 30 10:38:19.246 SW17_Mecanique swlogd ipni dos WARN: to 224.0.0.18/01:00:5e:00:00:12.
2023 Jun 30 10:38:20.231 SW17_Mecanique swlogd ipv4 dos EVENT: CUSTLOG CMM Denial of Service attack detected: <invalid ip>
2023 Jun 30 10:38:52.230 SW17_Mecanique swlogd ^^ repeated 10 times
2023 Jun 30 10:38:52.231 SW17_Mecanique swlogd ipni dos WARN: VRF 0: DoS type invalid ip from 0.0.0.0/08:45:d1:e9:08:54 on port 1/1/49
2023 Jun 30 10:38:52.247 SW17_Mecanique swlogd ipni dos WARN: to 224.0.0.18/01:00:5e:00:00:12.
2023 Jun 30 10:38:53.232 SW17_Mecanique swlogd ipv4 dos EVENT: CUSTLOG CMM Denial of Service attack detected: <invalid ip>
2023 Jun 30 10:39:22.234 SW17_Mecanique swlogd ^^ repeated 9 times
2023 Jun 30 10:39:22.234 SW17_Mecanique swlogd ipni dos WARN: VRF 0: DoS type invalid ip from 0.0.0.0/08:45:d1:e9:08:54 on port 1/1/49
2023 Jun 30 10:39:22.249 SW17_Mecanique swlogd ipni dos WARN: to 224.0.0.18/01:00:5e:00:00:12.
2023 Jun 30 10:39:23.235 SW17_Mecanique swlogd ipv4 dos EVENT: CUSTLOG CMM Denial of Service attack detected: <invalid ip>
2023 Jun 30 10:39:55.234 SW17_Mecanique swlogd ^^ repeated 10 times
2023 Jun 30 10:39:55.235 SW17_Mecanique swlogd ipni dos WARN: VRF 0: DoS type invalid ip from 0.0.0.0/08:45:d1:e9:08:54 on port 1/1/49
2023 Jun 30 10:39:55.256 SW17_Mecanique swlogd ipni dos WARN: to 224.0.0.18/01:00:5e:00:00:12.
2023 Jun 30 10:39:56.235 SW17_Mecanique swlogd ipv4 dos EVENT: CUSTLOG CMM Denial of Service attack detected: <invalid ip>
2023 Jun 30 10:40:25.235 SW17_Mecanique swlogd ^^ repeated 9 times
2023 Jun 30 10:40:25.235 SW17_Mecanique swlogd ipni dos WARN: VRF 0: DoS type invalid ip from 0.0.0.0/08:45:d1:e9:08:54 on port 1/1/49
2023 Jun 30 10:40:25.250 SW17_Mecanique swlogd ipni dos WARN: to 224.0.0.18/01:00:5e:00:00:12.
2023 Jun 30 10:40:26.235 SW17_Mecanique swlogd ipv4 dos EVENT: CUSTLOG CMM Denial of Service attack detected: <invalid ip>
2023 Jun 30 10:40:58.235 SW17_Mecanique swlogd ^^ repeated 10 times
2023 Jun 30 10:40:58.235 SW17_Mecanique swlogd ipni dos WARN: VRF 0: DoS type invalid ip from 0.0.0.0/08:45:d1:e9:08:54 on port 1/1/49
2023 Jun 30 10:40:58.251 SW17_Mecanique swlogd ipni dos WARN: to 224.0.0.18/01:00:5e:00:00:12.
2023 Jun 30 10:40:59.236 SW17_Mecanique swlogd ipv4 dos EVENT: CUSTLOG CMM Denial of Service attack detected: <invalid ip>
2023 Jun 30 10:41:10.515 SW17_Mecanique sshd[10558] error: Unable to load host key "/etc/ssh/ssh_host_rsa_key": invalid format
2023 Jun 30 10:41:10.515 SW17_Mecanique sshd[10558] error: Unable to load host key: /etc/ssh/ssh_host_rsa_key
2023 Jun 30 10:41:20.297 SW17_Mecanique swlogd ^^ repeated 7 times
2023 Jun 30 10:41:20.297 SW17_Mecanique swlogd SES AAA INFO: Login by admin from 192.168.5.42 through SSH Failed [in LoginAaaSession::handleLoginResult()]
2023 Jun 30 10:41:20.298 SW17_Mecanique swlogd SES MIP EVENT: CUSTLOG CMM Authentication failure detected: user admin
2023 Jun 30 10:41:22.522 SW17_Mecanique swlogd SES AAA INFO: Login by admin from 192.168.5.42 through SSH Success [in LoginAaaSession::handleLoginResult()]
2023 Jun 30 10:41:22.538 SW17_Mecanique sshd[10558] Received keyboard-interactive/pam for admin from 192.168.5.42 port 58947 ssh2
2023 Jun 30 10:41:23.236 SW17_Mecanique swlogd ipv4 dos EVENT: CUSTLOG CMM Denial of Service attack detected: <invalid ip>
2023 Jun 30 10:41:31.235 SW17_Mecanique swlogd ^^ repeated 2 times
2023 Jun 30 10:41:31.235 SW17_Mecanique swlogd ipni dos WARN: VRF 0: DoS type invalid ip from 0.0.0.0/08:45:d1:e9:08:54 on port 1/1/49
2023 Jun 30 10:41:31.250 SW17_Mecanique swlogd ipni dos WARN: to 224.0.0.18/01:00:5e:00:00:12.
2023 Jun 30 10:41:32.236 SW17_Mecanique swlogd ipv4 dos EVENT: CUSTLOG CMM Denial of Service attack detected: <invalid ip>

 

 

These can be found on all the switches on the LAN, without interruption. The MAC 08:45:d1:e9:08:54 is the address of the access point which is the current master controller. If the master controller changes, the MAC address changes too. My point is that this flooding is coming from the controller, I think.

The logs show that the destination of those packets is 224.0.0.18, which is the multicast address for VRRP.


My questions: is this all normal? Does the EWC 9800 use VRRP? Why is the source of the request 0.0.0.0? Why does the controller flood the request so much that it causes stress on the switches? Can I disable it?

I tried to find those answers on Google, but no success...

If somebody has some clues, it would be great!


Thanks in advance for the answers

Accepted Solutions

marce1000
VIP

 

>... EWC 9800 use vrrp ?
EWC 9800 uses VRRP as a redundancy / failover mechanism if more than one EWC AP is being used; I tend to believe the logging message on the Alcatel switch can be ignored:
  - Check out this command on the Alcatel switch: show ip dos statistics

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '


Ingénierie RCI
Level 1

Hi,

Thanks a lot for the quick answer ! 

> I tend to believe the logging message on the Alcatel switch can be ignored :

Yes, that's what I thought. Just for the record, the command that I used on my Alcatel switches:

-> ip dos type invalid-ip admin-state disable   

So, my logs are not full anymore and there is no more stress on the switches.

Thanks again for your time
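
An added example, not part of the original thread: a triage script for the swlogd lines posted above. It pairs each "DoS type ... from" line with the "to" line that follows it and separates the events that match the thread's pattern (source 0.0.0.0, destination VRRP group 224.0.0.18, MAC of a known EWC access point) from anything else raised by the same check. The sample lines are copied from the first post; the set of expected AP MACs is an assumption to be filled in per site.

```python
import re
from collections import Counter

# Sample lines copied from the switch log in the first post.
SAMPLE_LOG = """\
2023 Jun 30 10:38:19.230 SW17_Mecanique swlogd ipni dos WARN: VRF 0: DoS type invalid ip from 0.0.0.0/08:45:d1:e9:08:54 on port 1/1/49
2023 Jun 30 10:38:19.246 SW17_Mecanique swlogd ipni dos WARN: to 224.0.0.18/01:00:5e:00:00:12.
2023 Jun 30 10:38:20.231 SW17_Mecanique swlogd ipv4 dos EVENT: CUSTLOG CMM Denial of Service attack detected: <invalid ip>
2023 Jun 30 10:38:52.230 SW17_Mecanique swlogd ^^ repeated 10 times
2023 Jun 30 10:38:52.231 SW17_Mecanique swlogd ipni dos WARN: VRF 0: DoS type invalid ip from 0.0.0.0/08:45:d1:e9:08:54 on port 1/1/49
2023 Jun 30 10:38:52.247 SW17_Mecanique swlogd ipni dos WARN: to 224.0.0.18/01:00:5e:00:00:12.
"""

VRRP_GROUP = ("224.0.0.18", "01:00:5e:00:00:12")
# Assumption: MACs of the APs allowed to hold the EWC role (here, the one from the post).
EXPECTED_AP_MACS = {"08:45:d1:e9:08:54"}

SRC_RE = re.compile(r"DoS type (?P<type>.+?) from (?P<ip>[\d.]+)/(?P<mac>[0-9a-f:]{17}) on port (?P<port>\S+)")
DST_RE = re.compile(r"dos WARN: to (?P<ip>[\d.]+)/(?P<mac>[0-9a-f:]{17})")

def parse_events(text):
    """Pair each 'from' line with the 'to' line that follows it."""
    events, pending = [], None
    for line in text.splitlines():
        src, dst = SRC_RE.search(line), DST_RE.search(line)
        if src:
            pending = src.groupdict()
        elif dst and pending:
            events.append({**pending, "dst_ip": dst["ip"], "dst_mac": dst["mac"]})
            pending = None
    return events

def triage(events, expected_macs=EXPECTED_AP_MACS):
    """Split events into frames matching the thread's pattern and everything else."""
    matching, other = Counter(), []
    for e in events:
        to_vrrp = (e["dst_ip"], e["dst_mac"]) == VRRP_GROUP
        if e["type"] == "invalid ip" and e["ip"] == "0.0.0.0" and to_vrrp and e["mac"] in expected_macs:
            matching[(e["mac"], e["port"])] += 1
        else:
            other.append(e)
    return matching, other

if __name__ == "__main__":
    matching, other = triage(parse_events(SAMPLE_LOG))
    print("0.0.0.0 -> VRRP group from expected APs:", dict(matching))
    print("events needing a closer look:", other)
```

An empty second list means every invalid-ip event in the capture is explained by the EWC access points; entries in it are events that would no longer be logged once the invalid-ip check is disabled.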
