Hi all. I was wondering if someone can share some light on a wierd issues
that I am seeing. This perhaps maybe an attack from an internal or infected
host within the network or simply a malfunctioning NIC. Basically, I have a
Cisco 3662 with 2 Satellite links. I noticed that the main WAN link
(1.544mb) was bursting outbound to sometimes 20mb. I noticed a lot of
output drops and the links started to flap and as a result BGP sessions
starting going down causing huge problems. Once I was able to get the BGP
under control, I enabled Netflow on the inbound interface (FE0/1) to see
what type of traffic could be causing this issue and this is when I noticed
the below:
Here is the output of the Netflow:
cisco_3600_one#show ip cache flow
IP packet size distribution (4096357 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448
480
.753 .167 .017 .005 .001 .002 .001 .001 .001 .001 .000 .000 .000 .000
.000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .001 .008 .005 .027 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
978 active, 3118 inactive, 121929 added
2503952 ager polls, 0 flow alloc failures
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec)
Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 41 0.0 50 40 0.0 31.3 14.4
TCP-FTP 87 0.0 7 65 0.0 17.0 12.1
TCP-FTPD 27 0.0 135 211 0.0 83.0 3.5
TCP-WWW 43121 0.3 8 335 2.8 3.6 2.7
TCP-SMTP 1137 0.0 6 173 0.0 9.8 9.7
TCP-BGP 1 0.0 673 68 0.0 1796.8 3.6
TCP-Frag 2 0.0 1 40 0.0 0.0 15.5
TCP-other 33285 0.2 14 246 3.7 24.0 10.3
UDP-DNS 6005 0.0 1 73 0.0 1.3 15.4
UDP-NTP 10 0.0 1 76 0.0 0.0 15.4
UDP-other 13772 0.1 6 78 0.7 1.2 15.5
ICMP 2904 0.0 3 72 0.0 19.1 15.4
IP-other 20559 0.1 148 20 24.5 6.8 15.4
Total: 120951 0.9 33 76 32.2 9.9 9.4
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
