ICMP Flooding caused by SG500

TheDan27
Level 1

Hello Everyone,

 

Yesterday I installed a Cisco SG500-28 as an L3 routing switch in our "Core".

Today every client with this switch as default gateway gets an "ICMP Flooding Attack" message in our ESET Business Security Firewall.

Is there any setting which I can change on the switch to suppress this message?

 

Thanks in advance!

 

Best regards,

Dan

Accepted Solutions

Kristof Meyer
Level 1

Hi,

Could it be possible that the ICMP flood reported by your client-based IPS consists of "ICMP Redirect" messages (Type 5)?

These are normally sent by routers or switch virtual interfaces when the routing engine logic finds that another router in the same subnet of the receiving interface is a better router for the clients.

Depending on the amount of inbound traffic, this can cause some load on the switch's CPU; at least on the Catalyst series the redirects are sent by the CPU and not the ASICs.

 

On IOS this behavior can be disabled with the "no ip redirects" command, something I would like to see on Small Business L3 switches too (Together with multiple IPs per SVI...)

 


3 Replies

Brian Ng
Level 1

Hi Dan,

 

There are no settings on the switch that can suppress ICMP flooding attack messages as I have looked through the switch. The switch does not block pings. You can try to do a packet capture on the switch to see what IP address is flooding the switch and see if the issue still occurs once you have found the source IP address that is flooding it.

 

I hope that was helpful.

Hi Kristof and Brian,

Sorry for my late response but these were indeed "ICMP Redirect" messages.

I made an exception in the ESET Firewall and the messages went away.

Unfortunately I believe there is no way to disable ICMP redirects in the small business series.

Kind regards,

Dan
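
To check whether an "ICMP flood" alert is really made of ICMP Redirects (Type 5) as discussed in this thread, the following added example (not code from any poster or from Cisco or ESET) parses raw IPv4 packets from a capture and counts redirects per sending router, advertised gateway and affected destination. It assumes the link-layer header is already stripped; the function names and the sample addresses are constructed for illustration.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

ICMP_REDIRECT = 5
CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}

def parse_redirect(packet: bytes):
    """Return details of an ICMP Redirect in a raw IPv4 packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4           # outer IP header length in bytes
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:   # protocol 1 = ICMP
        return None
    if packet[ihl] != ICMP_REDIRECT:
        return None
    inner = packet[ihl + 8:]               # header of the datagram that triggered it
    return {
        "sender": str(IPv4Address(packet[12:16])),
        "better_gateway": str(IPv4Address(packet[ihl + 4:ihl + 8])),
        "code": CODES.get(packet[ihl + 1], "unknown"),
        "destination": str(IPv4Address(inner[16:20])) if len(inner) >= 20 else None,
    }

def summarize(packets):
    """Count redirects per (sender, better gateway, original destination)."""
    counts = Counter()
    for pkt in packets:
        r = parse_redirect(pkt)
        if r:
            counts[(r["sender"], r["better_gateway"], r["destination"])] += 1
    return counts

# --- constructed sample traffic (checksums left at 0, they are not validated) ---
def _ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, IPv4Address(src).packed,
                       IPv4Address(dst).packed) + payload

def _redirect(router, client, gateway, dest):
    original = _ipv4(client, dest, 17, b"\x00" * 8)   # IP header + first 8 bytes
    icmp = struct.pack("!BBH4s", 5, 1, 0, IPv4Address(gateway).packed)
    return _ipv4(router, client, 1, icmp + original)

ECHO = _ipv4("192.0.2.50", "192.0.2.1", 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))
SAMPLE = [_redirect("192.0.2.1", "192.0.2.50", "192.0.2.254", "198.51.100.7")
          for _ in range(3)] + [ECHO]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, "redirects:", key)
```

A high count for a single sender and gateway pair points to a routing layout where clients use one gateway while a better next hop sits in the same subnet, rather than to an echo flood.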