Router – How to control unwanted UDP traffic (Broadcast & Multicast) on Cisco Router 2911

Tags: broadcast, multicast, router, storm-control, udp

Please suggest: we are getting UDP traffic, either broadcast or multicast, in the 2911 router, which causes 95%+ utilisation of the router. We also got errors on the link and business impact due to this. The company is in the stock exchange business, and even nanoseconds of downtime worry us. Please suggest how to control unwanted traffic coming into the Cisco 2911 router.

Another surprising thing: the servers communicate through the LAN network only, so why did the router CPU utilisation increase? I am sharing the router configuration in case you find something missing or over-configured that helps to understand this better. I highly appreciate your suggestions.

Current configuration : 6715 bytes
!
! Last configuration change at 09:16:50 IST Fri Nov 2 2018
! NVRAM config last updated at 15:08:12 IST Wed Oct 31 2018
! NVRAM config last updated at 15:08:12 IST Wed Oct 31 2018
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MUMBAI-NSE
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.152-1.T4.bin
boot-end-marker
!
!
no logging on
!
no aaa new-model
clock timezone IST 5 30
!
no ipv6 cef
!
!
!
ip multicast-routing
!
!
ip flow-cache timeout active 1
ip cef
multilink bundle-name authenticated
!
no mpls ip
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FGL151912YC
license boot module c2900 technology-package datak9
!
!
!
redundancy
!
!
ip ftp username itsdc
ip ftp password jhjytg
!
class-map match-all SQOS
 match access-group name sgx
class-map match-all qos2
 match access-group name file
class-map match-all other
 match access-group 121
class-map match-all qos
 match access-group 120
!
!
policy-map FILE
 class qos2
  bandwidth 800
policy-map BQOS
 class qos
  bandwidth 40000
  queue-limit 1000 packets
 class other
  bandwidth 5000
  queue-limit 10 packets
policy-map SQOS
 class SQOS
  priority level 1
 class other
  priority level 2
policy-map SGX
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description NSE-BSE
 ip address 172.16.18.2 255.255.255.252
 ip pim sparse-dense-mode
 ip flow ingress
 ip flow egress
 ip ospf dead-interval minimal hello-multiplier 3
 load-interval 30
 duplex auto
 speed 100
 service-policy output BQOS
!
interface GigabitEthernet0/1
 description NSE-GGN
 ip address 10.95.253.81 255.255.255.252
 ip pim sparse-dense-mode
 ip flow ingress
 ip flow egress
 ip ospf dead-interval minimal hello-multiplier 3
 load-interval 30
 duplex full
 speed auto
 service-policy output BQOS
!
interface GigabitEthernet0/2
 description LOCAL-LAN
 ip address 172.25.40.100 255.255.0.0
 ip access-group 101 in
 ip accounting output-packets
 ip pim sparse-dense-mode
 ip flow ingress
 ip flow egress
 ip virtual-reassembly in
 ip route-cache same-interface
 ip route-cache policy
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description NSE-DGCX
 ip address 172.16.26.1 255.255.255.0
 ip access-group 130 in
 ip pim sparse-dense-mode
 ip flow ingress
 ip flow egress
 ip ospf dead-interval minimal hello-multiplier 3
 load-interval 30
 duplex auto
 speed auto
 service-policy output SQOS
!
interface FastEthernet0/1/0
 description NSE-MCX
 ip address 172.16.20.1 255.255.255.0
 ip ospf dead-interval minimal hello-multiplier 3
 duplex auto
 speed auto
!
interface FastEthernet0/1/1
 description NSE-SGX
 ip address 172.16.27.1 255.255.255.0
 ip ospf dead-interval minimal hello-multiplier 3
 duplex auto
 speed auto
!
interface FastEthernet0/2/0
 description NSE-CME
 ip address xx.xx.75.xx 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/2/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
!
router ospf 2
 network 10.95.253.81 0.0.0.0 area 0
 network 172.16.18.0 0.0.0.3 area 0
 network 172.16.20.0 0.0.0.3 area 0
 network 172.16.20.0 0.0.0.255 area 0
 network 172.16.23.0 0.0.0.3 area 0
 network 172.16.26.0 0.0.0.255 area 0
 network 172.16.27.0 0.0.0.255 area 0
 network 172.25.0.0 0.0.255.255 area 0
 network 192.168.16.0 0.0.0.255 area 0
 network 192.168.150.0 0.0.0.255 area 0
 maximum-paths 2
!
ip forward-protocol nd
!
ip pim rp-address 10.95.25.82
ip pim autorp listener
no ip http server
no ip http secure-server
ip flow-export source GigabitEthernet0/1
ip flow-export version 9
ip flow-export template timeout-rate 1
ip flow-export destination 191.191.191.52 9996
ip flow-top-talkers
 top 40
 sort-by bytes
 cache-timeout 20000
!
ip route xx.xx.7.0 255.255.255.252 172.16.2.2
ip route xx.xx.7.0 255.255.255.248 1.29.7.11
ip route 10.29.7.0 255.255.255.0 1.29.7.11
ip route 192.168.1.10 255.255.255.255 10.95.25.82
ip route 192.168.1.0 255.255.255.0 192.168.1.1
ip route 192.168.1.0 255.255.255.0 192.168.1.1
ip route 192.168.6.0 255.255.255.0 10.95.25.82
!
ip access-list extended file
 permit tcp any any eq 445
ip access-list extended other
 deny   udp any any eq 45000
 deny   udp any any eq 45002
 deny   udp any any eq 45003
 permit ip any any
ip access-list extended sgx
 permit udp any any eq 45000
 permit udp any any eq 45002
 permit udp any any eq 45003
 permit tcp any any eq 1801
!
no logging trap
access-list 101 deny   udp any any eq 9999
access-list 101 deny   udp any any eq 34074
access-list 101 deny   udp any any eq 34330
access-list 101 deny   udp any any eq 34586
access-list 101 deny   udp any any eq 5450
access-list 101 deny   udp any any eq 5440
access-list 101 deny   udp any any eq 45446 log
access-list 101 deny   udp any any eq 80 log
access-list 101 deny   udp any any eq 17742 log
access-list 101 deny   udp any any eq 50554 log
access-list 101 deny   udp any any eq 56955 log
access-list 101 permit ip any any
access-list 110 deny   tcp any any eq 3389
access-list 110 deny   tcp any any eq 445
access-list 110 permit ip any any
access-list 120 deny   ip host 172.25.45.21 any
access-list 120 deny   ip host 172.25.45.52 any
access-list 120 deny   ip host 172.25.45.18 any
access-list 120 deny   ip host 172.25.45.18 any
access-list 120 permit ip any any
access-list 120 deny   tcp any any log
access-list 120 deny   udp any any log
access-list 120 deny   ip host 172.25.45.3 any
access-list 121 deny   udp any any eq 45000
access-list 121 deny   udp any any eq 45002
access-list 121 deny   udp any any eq 45003
access-list 121 permit ip any any
access-list 121 permit ip host 172.25.45.5 any
access-list 121 permit ip host 172.25.45.21 any
access-list 121 permit ip host 172.25.45.18 any
access-list 121 permit ip host 172.25.45.18 any
access-list 121 permit udp any any
access-list 121 permit udp any any eq 45000
access-list 121 permit udp any any eq 45002
access-list 121 permit udp any any eq 45003
access-list 121 deny   udp any any log
access-list 121 deny   ip host 172.25.45.8 any
access-list 130 deny   udp any any eq 9999
access-list 130 deny   udp any any eq 34463
access-list 130 permit ip any any
access-list dynamic-extended
!
!
!
!
!
snmp-server community public RW
snmp-server ifindex persist
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login
 transport input all
line vty 5 10
 login
 transport input all
!
scheduler allocate 20000 1000
end
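As an added example (not part of the original post and not a Cisco tool), a small Python audit that reads numbered IOS ACLs like the ones above and flags entries that can never match: anything placed after a "permit ip any any" or "deny ip any any" catch-all, and exact duplicates. The sample ACL text embedded in the script is copied from access-list 120 and 130 in the configuration in the question; the function names are my own.

```python
"""Audit numbered Cisco IOS ACLs for dead entries.  Entries placed after a
catch-all ('permit ip any any' or 'deny ip any any') can never match, and
exact duplicates are redundant.  Added example, not code from the original
post; the sample ACL text below is copied from the router config in the question."""
import re
from collections import defaultdict

ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.*)$")
CATCH_ALL = {"ip any any", "ip any any log"}

# Constructed sample: ACL 120 and ACL 130 exactly as they appear in the question.
SAMPLE_CONFIG = """
access-list 120 deny   ip host 172.25.45.21 any
access-list 120 deny   ip host 172.25.45.52 any
access-list 120 deny   ip host 172.25.45.18 any
access-list 120 deny   ip host 172.25.45.18 any
access-list 120 permit ip any any
access-list 120 deny   tcp any any log
access-list 120 deny   udp any any log
access-list 120 deny   ip host 172.25.45.3 any
access-list 130 deny   udp any any eq 9999
access-list 130 deny   udp any any eq 34463
access-list 130 permit ip any any
"""

def parse_acls(config_text):
    """Return {acl_number: [(action, match_text), ...]} in config order."""
    acls = defaultdict(list)
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            num, action, rest = m.groups()
            acls[num].append((action, " ".join(rest.split())))  # collapse padding
    return dict(acls)

def find_dead_aces(acls):
    """Return [(acl, index, ace, reason)] for unreachable or duplicate entries."""
    findings = []
    for num, aces in acls.items():
        seen, catch_all_at = set(), None
        for i, (action, rest) in enumerate(aces):
            ace = f"{action} {rest}"
            if catch_all_at is not None:
                findings.append((num, i, ace, f"shadowed by catch-all at entry {catch_all_at}"))
            elif ace in seen:
                findings.append((num, i, ace, "duplicate of an earlier entry"))
            seen.add(ace)
            if catch_all_at is None and rest in CATCH_ALL:
                catch_all_at = i  # everything after this entry is unreachable
    return findings

def audit(config_text):
    """Parse a config excerpt and return its dead ACL entries."""
    return find_dead_aces(parse_acls(config_text))

if __name__ == "__main__":
    for acl, idx, ace, reason in audit(SAMPLE_CONFIG):
        print(f"access-list {acl} entry {idx} '{ace}': {reason}")
```

Run against the full configuration, it also reports the entries after "permit ip any any" in access-list 121, which the router never evaluates either.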

Best Answer

Without looking at the packet-capture, network architecture etc. etc. it is a very hard question to answer. You can't really make a policy or anything that would drop frames (since they are routing at Layer 2 in the OSI model). However there are some things that could be going on:

  1. Broadcast storm - There could be a switch that is uplinking to another switch that does not have STP enabled. This switch loop can cause broadcast packets to be re-transmitted down paths that have already seen the message.

  2. LAN re-architecture (most probable) - This is a heavy stream oriented business. Having 4 /24s and a /16 on the same router that interfaces with critical systems as an ISR (access router) is ill advised. I would recommend going with a more suited core router or a campus network design. This is the equivalent of getting a Honda Civic and wondering why you're losing in a race with a Ferrari. You are using an ISR router for something it isn't meant to do.