Attachment | Size |
---|---|
CMTS_ARA.JPG | 49.56 KB |
CMTS_SJO.JPG | 39.35 KB |
CMTS_TUB.JPG | 40.44 KB |
Hi there
That Sunday there was a very strange event. Out of nowhere the CPU consumption of 3 different CMTS in 3 different cities increased by around 15%. Any idea, or has anyone been there?
Perhaps check the output of "show proc cpu sort"
How it came to a halt this morning, I don't know; maybe some external scanning of the IPs of our AS or something like that. If it happens again I will collect more data.
Thank you.
I managed to get more data when the CPU increased. I took the logging and found that some ARP spoof problem starts. My bundle settings are in the attached file. Any recommendations?
Thank you.
1/ On the bundle I would also add
"ip verify unicast reverse-path"
It won't help with this particular issue, but it is a good way to block junk traffic coming in from customers.
2/ For this issue, contact the customer and get them to turn proxy-arp off on their router.
They won't be doing it on purpose, it will almost certainly be an accidental thing.
3/ I see you are using "cable source-verify dhcp". Normally that command would be paired up with "no cable arp".
You might want to do some more reading on that topic.
If you do "show arp", do you see tons of IPs with that same MAC?
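The "show arp" check suggested above can be scripted. The following is an added example, not part of the original thread: it parses saved "show arp" output and lists every MAC address bound to more than one IP. The sample output is constructed (documentation-range IPs, a made-up interface name `Bundle1`); only the MAC 0000.0002.0202 is taken from the thread, and the function name `macs_with_multiple_ips` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of "show arp" output. IPs are documentation ranges and
# "Bundle1" is an assumed interface name; only 0000.0002.0202 is from the thread.
SAMPLE_SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0011.2233.4455  ARPA   Bundle1
Internet  192.0.2.10              3   0000.0002.0202  ARPA   Bundle1
Internet  192.0.2.77              0   0000.0002.0202  ARPA   Bundle1
Internet  192.0.2.20             12   00aa.bbcc.dd01  ARPA   Bundle1
Internet  192.0.2.30              0   Incomplete      ARPA
Internet  192.0.2.20             12   00aa.bbcc.dd01  ARPA   Bundle1
"""

# One learned or static ARP row: protocol, IP, age, dotted MAC, type, interface.
ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA"
    r"(?:\s+(?P<intf>\S+))?\s*$"
)


def macs_with_multiple_ips(show_arp_text, min_ips=2):
    """Return {mac: sorted IPs} for MACs bound to at least min_ips distinct IPs."""
    by_mac = defaultdict(set)
    for line in show_arp_text.splitlines():
        m = ARP_ROW.match(line.strip())
        if not m:
            continue  # header, "Incomplete" entries, blank lines
        if m.group("age") == "-":
            continue  # the CMTS's own interface address, not a learned entry
        by_mac[m.group("mac").lower()].add(m.group("ip"))
    return {
        mac: sorted(ips, key=lambda ip: tuple(map(int, ip.split("."))))
        for mac, ips in by_mac.items()
        if len(ips) >= min_ips
    }


if __name__ == "__main__":
    for mac, ips in macs_with_multiple_ips(SAMPLE_SHOW_ARP).items():
        print(f"{mac}: {len(ips)} IPs -> {', '.join(ips)}")
```

A customer router answering with proxy-arp shows up here as one MAC holding many IPs, which is the pattern the question above is looking for.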
OK! From what I saw there are only 2 IPs: one from the CPE and the other from the cable modem. The MAC that appears in both is MAC = 0000.0002.0202. I will request an on-site technical visit to check. Thank you for the tips.
I'd like to add something to point 3/:
This whole ARP-related security configuration should look like this:
ip verify unicast reverse-path
cable source-verify dhcp
no cable arp
ip local-proxy-arp
no cable proxy-arp
The command
ip local-proxy-arp
makes the CMTS lie to the customer about his neighbor's router's MAC address. This helps to prevent stealing the MAC address of your neighbor's router.