How to block broadcast packets EXITING a single switchport

Tags: broadcast, storm-control

I have a couple of cheap external wireless APs that like to reboot themselves constantly if they get even a few broadcast packets (I am ~90% certain this is the cause, after some testing with Wireshark and Cisco storm-control).

I have already replaced one of the APs with a super nice Cisco AP that works like a champ, but I can't replace the other one yet. For the time being, I need to reliably block ALL broadcast packets EXITING a single switchport (that the AP is connected to) on a Catalyst 2960-X.

From what I understand, Cisco Storm-Control works on switch port ingress, and rather than 'throttling' based on the set threshold (% or pps), it just starts blocking packets until the packets drop below the threshold.

I also understand that 'switchport block unicast/multicast' works on switchport egress, and unfortunately there is no 'switchport block broadcast' command.

So far I have had some success if I use storm-control to completely block broadcast packets coming in on the uplink port, but of course this causes problems for anything on the uplink side trying to communicate with the devices connected to the switch, and also initial connectivity to the AP after a reboot (I have to temporarily turn off storm-control in order to re-connect to the AP web interface after the AP reboots, since my workstation is on the uplink side of the switch).

Any suggestions?

I thought perhaps just putting another small Cisco switch in between the 2960-X and the AP, and setting IT to block all ingress broadcast packets on the uplink port via storm-control, but I am hoping there is another way.

Best Answer

If you have analysed the traffic already with Wireshark you can probably create a L2 ACL outbound on the Cisco switch. Be sure to not block ARP traffic (also broadcast), else you will not be able to use IPv4!
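The answer's suggestion written out as an added example (not part of the original answer or of Cisco's documentation): a MAC ACL that exempts ARP and drops the remaining frames sent to the broadcast MAC, with a companion IP ACL for IPv4 broadcasts. The ACL names, the interface and the 192.0.2.255 directed-broadcast address are assumptions; it is applied inbound on the uplink because port ACLs on the 2960-X are inbound-only, which is the main caveat to verify before relying on an outbound L2 ACL on this platform.

```cisco
! Added example, not from the original post. Names and interfaces are assumptions.
! Catalyst 2960-X: port ACLs are applied inbound on a physical L2 port, and a MAC
! ACL on an L2 port filters only non-IP frames, so IPv4 broadcasts need an IP ACL.
!
! Layer 2 filter: keep ARP (EtherType 0x0806) reachable, drop every other frame
! addressed to the broadcast MAC, pass everything else unchanged.
mac access-list extended BCAST-NO-ARP
 permit any host ffff.ffff.ffff 0x806 0x0
 deny   any host ffff.ffff.ffff
 permit any any
!
! Layer 3 filter: drop limited broadcasts (255.255.255.255) and the subnet's
! directed broadcast (192.0.2.255 is an assumed example address), allow the rest.
! Note: DHCP replies sent to 255.255.255.255 are dropped too, so devices behind
! this port need static addressing or a DHCP server on the switch side.
ip access-list extended IPBCAST-DROP
 deny   ip any host 255.255.255.255
 deny   ip any host 192.0.2.255
 permit ip any any
!
! Apply both inbound on the uplink that carries traffic toward the AP; one MAC
! ACL and one IP ACL may be bound to the same L2 interface.
interface GigabitEthernet1/0/24
 description uplink (assumed interface)
 mac access-group BCAST-NO-ARP in
 ip access-group IPBCAST-DROP in
!
! Verify: match counters should climb on the deny lines while ARP still resolves
! and the AP stays up.
! show access-lists BCAST-NO-ARP
! show access-lists IPBCAST-DROP
```

Because the filter sits inbound on the uplink rather than outbound on the AP port, it also removes those broadcasts from every other port on the switch; put the AP on its own VLAN if other devices behind the switch still need them.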