So it's DHCPv6 discovery? Why the hell so much traffic then? If I can find the source radio I will definitely turn off multicast. Good idea.
-Ty -Ty On Wed, Feb 17, 2016 at 11:51 AM, Cassidy B. Larson <c...@infowest.com> wrote: > Look for the mac: a813.430a.5950 I think. That’s the source MAC, assuming > I flipped the right bit. I know the last 8 are right at least. > > You could just turn off multicast on his radio or the AP, but his router > is looking for a DHCP server and sending to that multicast address in > question. > If you turn off multicast IPv6 will fail to function as it relies on > multicast to function.. no more broadcasts! :) > > > > > > On Feb 17, 2016, at 10:46 AM, Ty Featherling <tyfeatherl...@gmail.com> > wrote: > > > > A few times now I have noticed all customers in a given broadcast domain > all seeing download traffic at about 1.5Mbps. My gut reaction is broadcast > traffic of some sort so I go to Torch on the Mikrotik router at that site. > What I saw that first time is the same thing I have seen every time since > and what is shown in the attached image. IPv6 traffic from some IPv6 host's > link-local address to ff01::1:2 with a rate that matches the traffic I am > seeing everywhere. I enable IPv6 on that router if it isn't already and > just add a firewall rule that drops all IPv6 traffic since I am not running > any on network at this time. But what is it? > > > > It looked to me like an IPv6 broadcast address of some type so I > googled it and found: > > > > FF02::1:2 All DHCPv6 agents (servers and relays) within the link-local > scope > > > > This makes sense since I bet it is coming from a customer's router on > that segment. Is this device malfunctioning, plugged in backwards, or what? > How can I use the Mikrotik to narrow down where it it located? There isn't > a mac-table for IPv6 that I can find. > > > > Anyone else seen this? > > > > > > -Ty > > <ipv6 traffic.png> > >
