Monday, February 22, 2021

Tracking Down ARP Flood

Hello,

I'm an AV Integrator and am not new to networking. I have a customer system where our AV system is connected to a router directly off of the ISP (Comcast) modem (bridge mode on). The system consists of an Araknis router, several Araknis APs, and a Luxul switch. I know... I'm not a fan of these brands either but that's what the sales engineer sold.

The system has been working flawlessly for months and just a couple weeks ago, they've been experiencing Internet issues. To no one's surprise, rebooting the switch or router seems to correct things for some time.

In troubleshooting, I could not pinpoint any reasons for Internet to be dropping out. In fact, sometimes, Internet stops working only on one VLAN but not another, though we're probably getting reports about WiFi and not wired VLANs. My suspicion is that this flooding is causing WiFi to slow to a crawl, but it isn't severe enough to disrupt the wired clients.

I fired up Wireshark and the only unusual activity is a bunch of ARP requests originating from a MAC address that is not the router, but pinging every IP address in a VLAN. I've looked for this MAC in the switch MAC tables and it points back to the trunk port to the router. However, the MAC address specified is NOT the MAC address of the router. I suppose it is possible that this router uses different MAC addresses for VLANs but in my experience, at least the VendorID would be the same as what is reported in the router management pages.

I am also seeing these ARP requests on all VLANs as well.

Loop protection is turned on in the Luxul switch, which I am assuming is its version of STP. It is not reporting any loops, and since this is a closed AV system, I'm sure there are no loops.

So I am wondering... what could this rogue device be, and could these broadcast packets penetrate the NAT from the Comcast modem through my router? I do not know if anything else is plugged into the Comcast modem directly, but with bridge mode on, my router has the Comcast IP, so I don't know what happens when other devices plug into the modem.

If I ping the VLAN gateways, I can see the ping replies in Wireshark as originating from this same MAC address.

I do have the ability to blacklist MAC addresses but I don't want to do that if it is actually the router itself...

Here's a screenshot of what I see...

https://i.imgur.com/XA80B47.png?1
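As an added example (not part of the post above), a small Python script that decodes ARP requests from raw Ethernet frames, counts how many distinct addresses each sender MAC asks for, and compares that MAC's vendor prefix (OUI) with the router's known MAC. The MACs, the VLAN ID and the sample frames are constructed placeholders, not values from the capture.

```python
import struct
from collections import defaultdict

def parse_arp_frame(frame: bytes):
    """Return (sender_mac, sender_ip, target_ip, opcode) for an ARP frame, else None."""
    if len(frame) < 18:
        return None
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100:  # 802.1Q tagged: real EtherType sits after the 4-byte tag
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != 0x0806 or len(frame) < off + 28:
        return None
    opcode = struct.unpack("!H", frame[off + 6:off + 8])[0]
    sha = frame[off + 8:off + 14].hex(":")
    spa = ".".join(str(b) for b in frame[off + 14:off + 18])
    tpa = ".".join(str(b) for b in frame[off + 24:off + 28])
    return sha, spa, tpa, opcode

def arp_sweep_sources(frames, threshold=16):
    """Count distinct target IPs each sender MAC asked for; return senders at/over threshold."""
    targets = defaultdict(set)
    for f in frames:
        p = parse_arp_frame(f)
        if p and p[3] == 1:  # opcode 1 = request (who-has)
            targets[p[0]].add(p[2])
    return {mac: len(t) for mac, t in targets.items() if len(t) >= threshold}

def same_oui(mac_a, mac_b):
    """True when both MACs share the 3-octet vendor prefix (OUI)."""
    return mac_a.lower()[:8] == mac_b.lower()[:8]

def build_arp_request(sender_mac, sender_ip, target_ip, vlan=None):
    """Constructed sample frame (not captured traffic): broadcast ARP who-has."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    eth = b"\xff" * 6 + smac
    if vlan is not None:
        eth += b"\x81\x00" + struct.pack("!H", vlan)
    ip = lambda s: bytes(int(o) for o in s.split("."))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + smac + ip(sender_ip) + b"\x00" * 6 + ip(target_ip)
    return eth + b"\x08\x06" + arp

GATEWAY_MAC = "00:11:22:33:44:01"  # placeholder for the MAC shown on the router's admin page
SWEEPER_MAC = "02:aa:bb:cc:dd:01"  # placeholder for the unexpected MAC seen in Wireshark

def demo_sweep():
    """One normal request from the gateway, then a sweep of 192.168.10.1-50 on VLAN 10."""
    frames = [build_arp_request(GATEWAY_MAC, "192.168.10.1", "192.168.10.20", vlan=10)]
    frames += [build_arp_request(SWEEPER_MAC, "192.168.10.1", f"192.168.10.{i}", vlan=10) for i in range(1, 51)]
    return arp_sweep_sources(frames)

if __name__ == "__main__":
    for mac, n in demo_sweep().items():
        print(f"{mac} requested {n} distinct targets; same OUI as gateway: {same_oui(mac, GATEWAY_MAC)}")
```

A sender that appears here with a different OUI from the router's reported MAC, yet answers for the gateway IP, is worth chasing down the trunk port before any blacklisting.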
