ccastbr
Level 11
Message 1 of 10

RSD flooding network .0 address with traffic

We have received complaints that the RSD systems we have are flooding the switches with packages at the .0 address. Is there a way to configure the RSD to avoid that address?

 

1 Solution

Accepted Solutions
cdinet
McAfee Employee
Message 4 of 10

Re: RSD flooding network .0 address with traffic

I doubt it, as that is just excluding the switch itself. .0 addresses are not a valid system or switch IP, as that is a network address.

9 Replies
ccastbr
Level 11
Message 2 of 10

Re: RSD flooding network .0 address with traffic

I think I may have answered my own question. With the 5.x sensors, the exclusion portion of the RSD policy has moved to the Server Settings. I believe in the Rogue Detection Sensor settings we can add in a list of all the x.x.x.0 addresses.

ccastbr
Level 11
Message 3 of 10

Re: RSD flooding network .0 address with traffic

So here is a secondary question:

If the MAC IDs of the switches are included in the exclusion, will that stop the flood of traffic to x.x.x.0, or will the addresses also need to be entered?

 

ccastbr
Level 11
Message 5 of 10

Re: RSD flooding network .0 address with traffic

Follow up to this thread

I entered all x.x.x.0 addresses into the list of addresses to exclude from RSD; however, we still see the RSD systems hitting x.x.x.0 about once an hour. I am not seeing information in the RSD guide about broadcast or the hourly hit to .0.

Looking at the switch log, the only systems hitting that address are the v5.0.6 RSD sensors. I am still seeking a way to eliminate that traffic, or explain to the network people what this traffic is for.

 

ccastbr
Level 11
Message 6 of 10

Re: RSD flooding network .0 address with traffic

Some additional information - 

All of the messages at the router are Cisco "ARP-4-INVAL_IP" with the explanation below.

Error Message ARP-4-INVAL_IP: Received packet with invalid %s IP address (%s) from %s on %s

Explanation There may be a connected router sending packets with a bogus IP address.

In this case, the invalid address is the x.x.x.0 and the from is RSD sensor on VlanXXX.    
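
One way to confirm from a switch log export which sources hit the network address and how often per hour, as described in messages 5 and 6 (an added example, not part of the original thread or any McAfee or Cisco tooling). The timestamp prefix, the values filling each `%s`, and the /24 prefix length are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Message template quoted in the thread; each %s becomes a capture group.
INVAL_IP = re.compile(
    r"ARP-4-INVAL_IP: Received packet with invalid (?P<kind>\S+) IP address "
    r"\((?P<ip>[0-9.]+)\) from (?P<src>\S+) on (?P<iface>\S+)")
# Assumption: each line starts with a "Mon DD HH:MM:SS" syslog timestamp.
STAMP = re.compile(r"^(?P<day>\w{3}\s+\d+) (?P<hour>\d{2}):\d{2}:\d{2}")

def parse(line):
    """Return the fields of one ARP-4-INVAL_IP line, or None for other lines."""
    m, t = INVAL_IP.search(line), STAMP.match(line)
    if not m or not t:
        return None
    day = " ".join(t["day"].split())  # collapse syslog's padded day number
    return {**m.groupdict(), "hour": f"{day} {t['hour']}:00"}

def is_network_address(ip, prefix_len=24):
    """True when ip has all host bits zero (x.x.x.0 for the assumed /24)."""
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(ip) == net.network_address

def summarize(lines, prefix_len=24):
    """Count network-address hits per (source, interface, hour)."""
    hits = Counter()
    for rec in filter(None, map(parse, lines)):
        if is_network_address(rec["ip"], prefix_len):
            hits[(rec["src"], rec["iface"], rec["hour"])] += 1
    return hits

# Constructed sample lines (not from the thread); documentation address ranges.
_MSG = "%ARP-4-INVAL_IP: Received packet with invalid "
SAMPLE = [
    "Mar  3 09:00:12 " + _MSG + "target IP address (192.0.2.0) from 192.0.2.41 on Vlan120",
    "Mar  3 10:00:14 " + _MSG + "target IP address (192.0.2.0) from 192.0.2.41 on Vlan120",
    "Mar  3 10:00:15 " + _MSG + "target IP address (198.51.100.0) from 198.51.100.7 on Vlan130",
    "Mar  3 10:02:40 %LINK-3-UPDOWN: Interface Vlan130, changed state to up",
    "Mar  3 10:05:01 " + _MSG + "source IP address (192.0.2.255) from 192.0.2.90 on Vlan120",
]

if __name__ == "__main__":
    for (src, iface, hour), n in sorted(summarize(SAMPLE).items()):
        print(f"{hour}  {src:<14} {iface}  {n} hit(s)")
```

Pass the VLAN's real prefix length as `prefix_len`; the check depends on the subnet mask, not on the last octet alone.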

 

dfirstbr
McAfee Employee
Message 7 of 10

Re: RSD flooding network .0 address with traffic

Hi ccastbr

Mmmm... Out of curiosity go to the RSD policy--> 'Detection' tab and head to the bottom of the page. Under 'Sensor Scanning' uncheck those 2 DNS options and save. What happens?

-dene

ccastbr
Level 11
Message 8 of 10

Re: RSD flooding network .0 address with traffic

Thank you for the suggestion. I only had the "Use DNS queries for DNS Name resolution" checked, but just unchecked it. It may take a while, but I have requested the switch log to be looked at again. I will post the result here.

 

ccastbr
Level 11
Message 9 of 10

Re: RSD flooding network .0 address with traffic

I unchecked DNS queries, but no change at the switch.      

 

cdinet
McAfee Employee
Message 10 of 10

Re: RSD flooding network .0 address with traffic

Please open a ticket with McAfee then so we can look at more detailed logs.
