Solved

Multicast traffic from cisco 6513

Posted on 2007-03-26
Last Modified: 2010-08-05
I am seeing traffic from our Cat 6500 to a multicast address, is this normal?  The following is being reported by our security vendor:

Event ID: 81230
Time: 12:01AM CDT Mar 19 2007
Type: network traffic anomaly
Priority: advisory
Classification: security
Event Type Description: Abnormal network traffic was detected.
Data Source: somecity-ids.doggone.com
Source(s): IP Address: 172.16.0.1
Destination(s): IP Address: 224.0.0.13
Description: Abnormal network traffic was detected.

IDS Signature Details:
SID: 2189.1
Msg: BAD-TRAFFIC IP Proto 103 PIM

Packet dump for data store ID 695834834 follows:
00:01:57.000085 172.16.0.1 > 224.0.0.13: pim v2 Hello (Hold-time 1m45s) (Genid: 0x00000193) (DR-Priority: 1) (State Refresh Capable; v1) [tos 0xc0]  [ttl 1] (id 15067, len 54)
0x0000       45c0 0036 3adb 0000 0167 f1a7 ac10 0001      E..6:....g......
0x0010       e000 000d 2000 dcb7 0001 0002 0069 0014      .............i..
0x0020       0004 0000 0193 0013 0004 0000 0001 0015      ................
0x0030       0004 0100 0000                               ......

Any light shed on this will be greatly appreciated.
Question by:2PiFL
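As an added example (not part of the original post), here is a small Python decoder for the tcpdump hex columns quoted above. It checks the fields a responder would verify before suppressing this signature: IP protocol 103, destination 224.0.0.13 (the ALL-PIM-ROUTERS group), TTL 1, and the PIMv2 Hello options. The hex bytes are copied from the dump; the option type numbers are the standard PIMv2 Hello option codes.

```python
import ipaddress
import struct

# Hex columns copied from the tcpdump output quoted in the question (54 bytes).
PIM_HELLO_HEX = """
45c0 0036 3adb 0000 0167 f1a7 ac10 0001
e000 000d 2000 dcb7 0001 0002 0069 0014
0004 0000 0193 0013 0004 0000 0001 0015
0004 0100 0000
"""
PIM_PROTO = 103                                   # IP protocol number for PIM
ALL_PIM_ROUTERS = ipaddress.IPv4Address("224.0.0.13")
# PIMv2 Hello option types: Holdtime, DR Priority, Generation ID, State Refresh Capable
OPTION_NAMES = {1: "holdtime", 19: "dr_priority", 20: "generation_id", 21: "state_refresh"}

def parse_ipv4(pkt: bytes) -> dict:
    """Return the IPv4 header fields a responder checks, plus the L4 payload."""
    ver_ihl, tos, total_len, ident, _frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    src, dst = struct.unpack("!4s4s", pkt[12:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"tos": tos, "len": total_len, "id": ident, "ttl": ttl, "proto": proto,
            "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "payload": pkt[ihl:total_len]}

def parse_pim_hello(payload: bytes) -> dict:
    """Decode the 4-byte PIMv2 header and the TLV options of a Hello (type 0)."""
    hello = {"version": payload[0] >> 4, "type": payload[0] & 0x0F, "options": {}}
    off = 4                                       # skip ver/type, reserved, checksum
    while off + 4 <= len(payload):
        opt_type, opt_len = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + opt_len]
        off += 4 + opt_len
        name = OPTION_NAMES.get(opt_type, f"option_{opt_type}")
        if opt_type == 21:                        # version byte, then interval byte
            hello["options"][name] = {"version": value[0], "interval": value[1]}
        else:                                     # holdtime (s), DR priority, genid
            hello["options"][name] = int.from_bytes(value, "big")
    return hello

def triage(hex_dump: str) -> dict:
    """Decode the dump and say whether it is an ordinary link-local PIMv2 Hello."""
    ip = parse_ipv4(bytes.fromhex("".join(hex_dump.split())))
    result = {"ip": ip, "pim": None, "benign_pim_hello": False}
    if ip["proto"] == PIM_PROTO:
        pim = result["pim"] = parse_pim_hello(ip["payload"])
        # Hellos are scoped to the link: TTL 1, destined to ALL-PIM-ROUTERS (224.0.0.13)
        result["benign_pim_hello"] = (pim["version"] == 2 and pim["type"] == 0
                                      and ip["dst"] == ALL_PIM_ROUTERS and ip["ttl"] == 1)
    return result
```

On the dump in the question this reports a PIMv2 Hello with holdtime 105 s (1m45s), generation ID 0x193 and DR priority 1, matching what tcpdump printed.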
6 Comments

Expert Comment

by:mikebernhardt
224.0.0.13 is a destination address for PIM (protocol-independent multicast) which is a protocol which manages multicast traffic.

Addresses in the 224.0.0.0/24 range are not routable; they have a time to live of 1 hop, which means they can only live on the local network. It's basically looking for other connected multicast routers.

I'd have to see your config to know for sure why it's happening, but you probably have the line "ip pim" in your global config. If you're not using multicast, just configure with "no ip pim" to turn it off.

Expert Comment

by:mikebernhardt
Sorry, no ip pim isn't it. If you're not using multicast, post your config, minus passwords and IP addresses, and I'll tell you what to remove. If you are using it, does it need to be configured on that interface? You can look at the interface and see if any multicast configuration is there.

Author Comment

by:2PiFL
Here's the config minus the switchports:

DMCMDF-6513-1#sho conf
Using 68707 out of 1964024 bytes
!
! Last configuration change at 10:36:24 CDT Tue Mar 20 2007 by dorner
! NVRAM config last updated at 10:36:45 CDT Tue Mar 20 2007 by dorner
!
upgrade fpd auto
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service counters max age 10
!
hostname fishlip-6513-1
!
boot system flash disk0:
logging buffered 16000 debugging
no logging console
enable secret
!
username
aaa new-model
aaa authentication login aaa-login local enable
aaa authentication login aaa-none none
aaa authorization exec aaa-auth local none
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
no ip source-route
!
!
!
ip multicast-routing
ip tcp synwait-time 5
ip ssh time-out 29
ip ssh authentication-retries 2
no ip domain-lookup
ip host mars xxx.xxx.xxx.xxx
ipv6 mfib hardware-switching replication-mode ingress
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
no mls acl tcam share-global
mls cef error action freeze
!
!
!
!
!
!
!
!
!
!
redundancy
 mode sso
 main-cpu
  auto-sync running-config
!
spanning-tree mode rapid-pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree vlan 1-999 priority 4096
spanning-tree vlan 1000-1005 priority 24576
error-detection packet-buffer action none
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
port-channel per-module load-balance
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
!
interface Loopback0
 description
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
!
interface Loopback1
 description
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 ip pim sparse-dense-mode
!
interface Null0
 no ip unreachables
!
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 21
 switchport trunk allowed vlan 21,900,903
 switchport mode trunk
 no ip address
!
interface Group-Async1
 physical-layer async
 no ip address
 encapsulation slip
!
interface Group-Async2
 physical-layer async
 no ip address
 encapsulation slip
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
!
interface Vlan11
 description
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 ip pim sparse-dense-mode
!
interface Vlan20
 description
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 ip pim sparse-dense-mode
 ip route-cache flow
!        
interface Vlan21
 description
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 ip helper-address xxx.xxx.xxx.xxx
 ip pim sparse-dense-mode
!
interface Vlan220
 description
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
!
interface Vlan900
 description
 no ip address
 shutdown
!
interface Vlan901
 description
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 ip pim sparse-dense-mode
!
router eigrp 10
 redistribute static
 network xxx.xxx.xxx.xxx
 network xxx.xxx.xxx.xxx
 no auto-summary
!
ip classless
ip route xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip route xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip route xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
!
ip flow-export version 5
ip flow-export destination xxx.xxx.xxx.xxx 2055
no ip http server
ip pim rp-address xxx.xxx.xxx.xxx
ip pim send-rp-announce Loopback1 scope 16
ip pim send-rp-discovery Loopback1 scope 16
!
logging trap debugging
logging source-interface Loopback0
logging xxx.xxx.xxx.xxx
access-list 10 remark SNMP Access-list for controlling what can access SNMP
access-list 10 deny   xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
access-list 10 permit xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
!
snmp-server community xxxxxxxx RO 10
snmp-server ifindex persist
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps chassis
snmp-server enable traps module
snmp-server enable traps transceiver all
snmp-server enable traps bgp
snmp-server enable traps tty
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps casa
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps dlsw
snmp-server enable traps event-manager
snmp-server enable traps frame-relay
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps MAC-Notification move threshold
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps rf
snmp-server enable traps rtr
snmp-server enable traps slb real virtual csrp
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps sonet
snmp-server enable traps dial
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps rsvp
snmp-server enable traps csg agent quota database
snmp-server enable traps srp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps c6kxbar swbus
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls ldp
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps alarms
snmp-server enable traps vlan-mac-limit
snmp-server enable traps voice poor-qov
snmp-server enable traps mpls vpn
snmp-server host xxx.xxx.xxx.xxx
!
radius-server source-ports 1645-1646
!
control-plane
!
!
!
dial-peer cor custom
!
!
!
banner motd ^C
**********************************************************************
WARNING: This system is for the use of authorized clients only!
Individuals using the computer network system without authorization,
or in excess of their authorization, are subject to having all their
activity on this computer network system monitored and recorded by
system personnel.  To protect the computer network system from
unauthorized use and to ensure the computer network systems is
functioning properly, system administrators monitor this system.
Anyone using this computer network system expressly consents to such
monitoring and is advised that if such monitoring reveals possible
conduct of criminal activity, system personnel may provide the
evidence of such activity to law enforcement officials.

Access is restricted to authorized users only. Unauthorized access is
a violation of stvil and criminal laws.
**********************************************************************
^C
!
line con 0
 location DMCMDF-6513-1-CON0
 exec-timeout 0 0
 logging synchronous
 login authentication aaa-none
line vty 0 4
 location DMCMDF-6513-1-VTY
 exec-timeout 30 0
 authorization exec aaa-auth
 logging synchronous
 login authentication aaa-login
line vty 5 15
 exec-timeout 30 0
 authorization exec aaa-auth
 login authentication aaa-login
!
!
monitor session 1 source vlan 20 - 21
monitor session 1 destination interface Gi12/1
monitor session 2 source vlan 20 , 902
monitor session 2 destination interface Fa10/4
scheduler runtime netinput 300
ntp clock-period 17179978
ntp server xxx.xxx.xxx.xxx
ntp server xxx.xxx.xxx.xxx prefer
no cns aaa enable
end

Accepted Solution

by:
mikebernhardt earned 500 total points
Well, you definitely have multicast configured. Only you know if it's required or not. At the very least, is it needed on whichever vlan has 172.16.0.1? If so, just make a rule on your security device to ignore that multicast traffic. If not, type "no ip pim sparse-dense-mode" on the appropriate vlan interface.

Author Comment

by:2PiFL
Thank you!