Hi all. I was wondering if someone can shed some light on a weird issue that I am seeing. This may perhaps be an attack from an internal or infected host within the network, or simply a malfunctioning NIC. Basically, I have a Cisco 3662 with 2 satellite links. I noticed that the main WAN link (1.544mb) was bursting outbound to sometimes 20mb. I noticed a lot of output drops and the links started to flap, and as a result BGP sessions started going down, causing huge problems. Once I was able to get the BGP under control, I enabled Netflow on the inbound interface (FE0/1) to see what type of traffic could be causing this issue, and this is when I noticed the below:
Here is the output of the Netflow:

cisco_3600_one#show ip cache flow
IP packet size distribution (4096357 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .753 .167 .017 .005 .001 .002 .001 .001 .001 .001 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .001 .008 .005 .027 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  978 active, 3118 inactive, 121929 added
  2503952 ager polls, 0 flow alloc failures
  last clearing of statistics never

Protocol         Total    Flows   Packets  Bytes  Packets  Active(Sec)  Idle(Sec)
--------         Flows     /Sec     /Flow   /Pkt     /Sec        /Flow      /Flow
TCP-Telnet          41      0.0        50     40      0.0         31.3       14.4
TCP-FTP             87      0.0         7     65      0.0         17.0       12.1
TCP-FTPD            27      0.0       135    211      0.0         83.0        3.5
TCP-WWW          43121      0.3         8    335      2.8          3.6        2.7
TCP-SMTP          1137      0.0         6    173      0.0          9.8        9.7
TCP-BGP              1      0.0       673     68      0.0       1796.8        3.6
TCP-Frag             2      0.0         1     40      0.0          0.0       15.5
TCP-other        33285      0.2        14    246      3.7         24.0       10.3
UDP-DNS           6005      0.0         1     73      0.0          1.3       15.4
UDP-NTP             10      0.0         1     76      0.0          0.0       15.4
UDP-other        13772      0.1         6     78      0.7          1.2       15.5
ICMP              2904      0.0         3     72      0.0         19.1       15.4
IP-other         20559      0.1       148     20     24.5          6.8       15.4
Total:          120951      0.9        33     76     32.2          9.9        9.4
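
The per-protocol table above can be ranked by packet volume and by byte volume to see which protocol class dominates each. This is an added example, not part of the original post; the function names are hypothetical and the packet counts are estimates, since the router prints rounded per-flow averages.

```python
# Protocol rows copied from the `show ip cache flow` output in the post above.
FLOW_TABLE = """\
TCP-Telnet 41 0.0 50 40 0.0 31.3 14.4
TCP-FTP 87 0.0 7 65 0.0 17.0 12.1
TCP-FTPD 27 0.0 135 211 0.0 83.0 3.5
TCP-WWW 43121 0.3 8 335 2.8 3.6 2.7
TCP-SMTP 1137 0.0 6 173 0.0 9.8 9.7
TCP-BGP 1 0.0 673 68 0.0 1796.8 3.6
TCP-Frag 2 0.0 1 40 0.0 0.0 15.5
TCP-other 33285 0.2 14 246 3.7 24.0 10.3
UDP-DNS 6005 0.0 1 73 0.0 1.3 15.4
UDP-NTP 10 0.0 1 76 0.0 0.0 15.4
UDP-other 13772 0.1 6 78 0.7 1.2 15.5
ICMP 2904 0.0 3 72 0.0 19.1 15.4
IP-other 20559 0.1 148 20 24.5 6.8 15.4
Total: 120951 0.9 33 76 32.2 9.9 9.4
"""

def parse_flow_table(text):
    """Return {protocol: (est_packets, est_bytes)}; skips header and Total lines."""
    out = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0].startswith("Total"):
            continue
        try:
            flows, ppf, bpp = int(f[1]), int(f[3]), int(f[4])
        except ValueError:  # column-header or separator line
            continue
        pkts = flows * ppf  # estimate: the router rounds packets/flow
        out[f[0]] = (pkts, pkts * bpp)
    return out

def rank(stats, idx):
    """Protocols sorted by share of packets (idx=0) or bytes (idx=1)."""
    total = sum(v[idx] for v in stats.values())
    return sorted(((n, v[idx] / total) for n, v in stats.items()),
                  key=lambda x: x[1], reverse=True)

if __name__ == "__main__":
    stats = parse_flow_table(FLOW_TABLE)
    print("by packets:", [(n, f"{s:.1%}") for n, s in rank(stats, 0)[:3]])
    print("by bytes:  ", [(n, f"{s:.1%}") for n, s in rank(stats, 1)[:3]])
```

Ranking by both measures matters here because a class can lead in packets per second while carrying few bytes, and the two load a router and a link differently.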