
Network connectivity

jprada
Level 1

I have a router that gives me exit to the Internet and since about 4 days ago when I ran the command

" sh proces " it's showing 59 % to 65 % when the norm has been 3% to 10 %.

So there is a device or several of them that are causing too much traffic due to an electronic problem or a virus or excessive use by the user. I want to know:

1. - What can I do to identify the IP or the MAC address of the device(s) that are causing this traffic?

2. - Is there any kind of access-list or debug mechanism that helps to identify these devices?

3. - Is there any kind of software, even if different from a Cisco product, that can help me to troubleshoot this problem?

4. - By the way, is there any way to stop or control viruses coming into the system from the router?

Thanks for any help I can have from you all

4 Replies

Jay

Thanks, I am looking into the links.

J.P

Not applicable

Do an ip accounting on the ethernet interfaces and look for 92 bytes and 48 bytes packets. Lots of them coming from the same hosts. If this is the case you have a virus on the source ip addresses.

To block the 92 bytes you only need an ext accesslist

deny icmp any any echo

deny icmp any any echo-reply

For the 48 bytes I'm not sure, but Cisco has generated a common accesslist for these viruses; search the web. The problem with this one is that it tends to block a lot of other traffic as well.

good luck
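The check suggested in the reply above, as an added example that is not part of the original thread: a Python script that reads text in the column layout of `show ip accounting` and lists the sources sending fixed-size 92- or 48-byte packets to many destinations. The sample output, the addresses, and the `MIN_DESTINATIONS` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of `show ip accounting`
# (Source, Destination, Packets, Bytes); addresses are documentation ranges.
SAMPLE = """\
   Source           Destination              Packets               Bytes
 192.0.2.15       198.51.100.1                     1                  92
 192.0.2.15       198.51.100.2                     1                  92
 192.0.2.15       198.51.100.3                     2                 184
 192.0.2.15       198.51.100.4                     1                  92
 192.0.2.22       203.0.113.80                   340              412360
 192.0.2.31       198.51.100.9                     3                 144
 192.0.2.31       198.51.100.10                    1                  48
 192.0.2.31       198.51.100.11                    1                  48
 192.0.2.40       203.0.113.5                      1                  92
Accounting data age is 12
"""

ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s*$")
SUSPECT_SIZES = {92, 48}   # packet sizes named in the reply above
MIN_DESTINATIONS = 3       # assumed threshold; tune for your network


def suspect_hosts(text, min_dests=MIN_DESTINATIONS):
    """Return {source: {size: destination_count}} for sources that send
    fixed-size 92- or 48-byte packets to at least min_dests destinations."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, footer, or blank line
        src, dst, packets, nbytes = m[1], m[2], int(m[3]), int(m[4])
        if packets == 0 or nbytes % packets:
            continue  # flow mixes packet sizes, so it is not a fixed-size probe
        size = nbytes // packets
        if size in SUSPECT_SIZES:
            seen[src][size].add(dst)
    return {
        src: {size: len(dsts) for size, dsts in sizes.items() if len(dsts) >= min_dests}
        for src, sizes in seen.items()
        if any(len(dsts) >= min_dests for dsts in sizes.values())
    }


if __name__ == "__main__":
    for host, sizes in suspect_hosts(SAMPLE).items():
        print(host, sizes)
```

A single 92-byte flow, such as an ordinary ping, is not flagged; only a source that repeats the same packet size across several destinations is.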

Thanks for your response. This is the access-list created and it is in effect:

Access-list 120 Applied to Fast Ethernet0/0 to watch incoming traffic

Deny tcp any any eq 135 log

Deny udp any any eq 135 log

Deny tcp any any eq 137 log

Deny udp any any eq netbios-ns

Deny tcp any any eq 138 log

Deny udp any any eq netbios-dgm

Deny tcp any any eq 139 log

Deny udp any any eq netbios-ss

Deny tcp any any eq 445

Deny tcp any any eq 445

Deny tcp any any eq 4444

Deny tcp any any eq 4444

Deny icmp any any echo

Deny icmp any any echo-reply

Permit ip any any

So far it is producing some ip numbers and we are on it.