Hello,
I've just recently been faced with a flood on a 3750 that I can't seem to handle and would greatly appreciate any help offered.
I have the following setup:
24 interfaces used out of 48 on a Cisco 3750.
The C3750 has unicast storm control which prevents it from failing in case of a flood with many small packets.
All this was fine until recently when the users behind it started a flood that looks like this:
1) each packet has size=ethernet MTU=1500
2) each packet has the same ID and different offsets so they are made to look like fragmented packets
3) On my Linux border router (plugged into the C3750) with tcpdump -n -i eth1 -vvv I see:
21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941640 IP (tos 0x0, ttl 127, id 28639, offset 17760, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
As you can see it has no udp source port or destination port in the packet header.
When this happens, although the C3750 CPU is not more than 30%, all traffic that is routed through it has a loss of 80-90%.
Has anyone ever encountered this?
Is there a way to filter it in the future?
Any advice or some links in regard to this would be greatly appreciated.
Sorry if I have misplaced the list for problems like this.
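
An added example, not part of the original post: a small Python parser for tcpdump lines in the layout quoted above. It groups IP fragments by (source, destination, IP ID) and ranks the groups by fragment bytes, so the host sending a fragment train can be identified from a capture. The function names and the 20-byte IP header (no options) are assumptions of this example. Only the offset-0 fragment of a datagram carries the UDP header, which is why tcpdump prints no ports for the later fragments.

```python
import re
from collections import defaultdict

# The five tcpdump lines quoted in the post above (same flow, same IP ID).
SAMPLE = """\
21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941640 IP (tos 0x0, ttl 127, id 28639, offset 17760, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
"""

# Matches the tcpdump -vvv line layout shown in the post.
LINE_RE = re.compile(
    r"id (?P<id>\d+), offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"length:? (?P<len>\d+)\) (?P<src>\S+) > (?P<dst>[^:\s]+):"
)
IP_HEADER_LEN = 20  # assumption: IPv4 header without options

def parse(text):
    """Yield one record per line that matches the layout above."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield {"key": (m["src"], m["dst"], int(m["id"])),
                   "offset": int(m["off"]),
                   "more": "+" in m["flags"],  # '+' is the More Fragments flag
                   "payload": int(m["len"]) - IP_HEADER_LEN}

def summarize(text):
    """Group fragments by (src, dst, IP ID); heaviest group first."""
    groups = defaultdict(list)
    for frag in parse(text):
        if frag["offset"] > 0 or frag["more"]:  # skip unfragmented packets
            groups[frag["key"]].append(frag)
    report = []
    for key, frags in groups.items():
        offsets = sorted(f["offset"] for f in frags)
        steps = {b - a for a, b in zip(offsets, offsets[1:])}
        report.append({
            "flow": key,
            "fragments": len(frags),
            "bytes": sum(f["payload"] for f in frags),
            "first_seen": 0 in offsets,  # offset 0 carries the UDP header
            "last_seen": any(not f["more"] for f in frags),
            # True when every offset step equals a fragment payload size
            "contiguous": steps <= {f["payload"] for f in frags},
        })
    return sorted(report, key=lambda r: r["bytes"], reverse=True)
```

In a short capture, `first_seen` being false can simply mean the offset-0 fragment fell outside the capture window.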