High Utilization of traffic on frame port that has been "shutdown"??

323support · ‎01-26-2003

I have a cisco 3640 set up with sub-interfaces, I have issued the "shutdown" command on a sub-interface but I still see high utilization on the interface through my monitoring system. How is this possible?? I thought maybe this connection had an unpatched SQL server behind it so I also set up an ACL both in and out for port 1434 on the main ethernet interface but this doesn't seem to help either. I am totally confused, can any one help??

bbaley · ‎01-31-2003

Does you monitoring system give the data for the sub-interface or for the main interface? I think it is showing the statistics for the main interface.

323support · ‎01-31-2003

Thanks for your reply, the monitoring system actually shows all interfaces on the border router as well as the far-end interface on the other router. I did finally locate that the far end had a SQL server that was unpatch. This is cause for alarm because even though I issued the "Shutdown" command on the sub interface and set up an ACL blocking port 1434 on all interfaces in and out of the border router, I was still seeing traffic to the border router from the sub interface. When the SQL server was finally removed from the connection all was returned to a normal status.

I can only conclude that the SQL worm was not utilizing UDP or TCP as they were both blocked for the port. Is it possible traffic was riding over the frame portion of the connection or the "PVC" only? I would be very interested in any input on this issue as it is still unsolved as to "How" and "Why" I was still seeing the traffic.

Thanks Again...