
[WLC] How to block an ICMP storm or ping flood generated by wireless clients

Article ID: KB31814 KB Last Updated: 26 Sep 2017 Version: 1.0

Summary:

This article explains how to configure and apply an IPv4 ACL to block ICMP traffic generated by wireless clients, which may cause harm or denial of service.

Symptoms:

ICMP traffic causes WLA reboots, or causes the WLC to crash and reboot.

Cause:

An ICMP flood results in a WLC CPU spike and crash.

Solution:

When you notice an ICMP storm generated by clients on your own wireless network, you can configure an ACL and map it to the Service Profile that the wireless clients are using. Because the filters are mapped in the Service Profile configuration, this ACL blocks ICMP traffic even when Local-Switching is enabled.

From the CLI of the WLC:

1. Create an ACL to block all ICMP traffic generated from any host toward any destination.

#set security acl name block-ICMP deny icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
#set security acl name block-ICMP permit 0.0.0.0 255.255.255.255
#commit security acl block-ICMP

2. Map the ACL to the Service Profile in both directions (i.e., ingress and egress):

#set service-profile test attr filter-id block-ICMP.out
#set service-profile test attr filter-id block-ICMP.in
By mapping the ACL to a Service Profile, we force client traffic associated with that specific Service Profile ("test" in the example above) to go through the ACL ("block-ICMP" in the example above) for as long as the clients are associated with the WLC.
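
The following Python model is an added example, not Juniper code. It evaluates the two block-ICMP rules above in order with wildcard-mask matching, to show which client traffic the ACL drops and why the second (permit) line is needed. The implicit deny at the end of the ACL, the Rule class, the function names and the sample flows are assumptions made for this illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str             # "permit" or "deny"
    proto: Optional[str]    # None = any IP protocol
    src: str
    src_wild: str
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"

def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Wildcard mask: 1 bits are ignored, 0 bits must equal the base address."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, proto: str, src: str, dst: str) -> str:
    """Return the action of the first rule that matches the packet."""
    for r in acl:
        if r.proto not in (None, proto):
            continue
        if (wildcard_match(src, r.src, r.src_wild)
                and wildcard_match(dst, r.dst, r.dst_wild)):
            return r.action
    return "deny"  # assumption: implicit deny when no rule matches

ANY = ("0.0.0.0", "255.255.255.255")  # "any host", as written in the article
# The two rules from step 1, in the order they were entered.
BLOCK_ICMP = [Rule("deny", "icmp", *ANY, *ANY), Rule("permit", None, *ANY)]
# The same ACL with the permit line left out.
DENY_ONLY = BLOCK_ICMP[:1]

# Constructed sample flows from a wireless client (addresses are made up).
FLOWS = [
    ("icmp", "10.1.1.20", "10.1.1.1"),     # ping toward the gateway
    ("udp",  "10.1.1.20", "10.1.1.53"),    # DNS query
    ("tcp",  "10.1.1.20", "192.0.2.10"),   # web session
]

def verdicts(acl):
    return [evaluate(acl, *flow) for flow in FLOWS]

if __name__ == "__main__":
    for flow, full, partial in zip(FLOWS, verdicts(BLOCK_ICMP), verdicts(DENY_ONLY)):
        print(f"{flow}: block-ICMP={full}, without permit line={partial}")
```

Because the deny rule matches on protocol only, it drops every ICMP type from the clients, not just echo requests.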

Verification

To verify that the ACL is applied to an active session on a particular WLA, use the following command:

#show ap acl map 250 (where 250 is the WLA number)
 