High Egress Surge on Transit router external Interface

1) First Network topology

Internet<--G0/0--> TR<-->CoreSW<--Firewall<--> Server and LAN network

                                                        <--Gateway<--> Customers

 

2) The problem is at the G0/0 port on the TR, especially the egress: "surges to 200 Mbps".

3) We are using NPM, so we can see the DL/UL utilization on each port, and all are below 10 Mbps.

4) When checking the TR web UI (port G0/0, egress), I find the top usage is from "unknown" and "Domain name system".

5) What is that "unknown", and how can I identify it? Also, how can I stop such surges, or at least find out why they happen so I can deal with them? Take into consideration that this surge happens at 1-hour intervals at any time of the day, peak hours or off hours, like 3 am.

6) It's only the upload, and it's from the TR only, which is weird to me.

 

I will attach a snapshot from the web UI.

 

- We are using simple QoS, but nothing was happening for the last few months; that just happened 2 days ago, and it's back to normal right now.

1 Reply

So after doing a packet capture, we found out that our bandwidth was being used through port 17 from an IP that's not in our network. We applied an ACL for both egress and ingress blocking port 17 on our port, and the problem is solved.
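
The capture triage described in the reply, as an added example that is not part of the original thread: it reads a classic pcap file and totals bytes per direction, protocol, port and off-network address, so the traffic a web UI labels "unknown" gets a concrete port and peer. The local prefix, the addresses and the sample capture are constructed assumptions, and treating the lower port number as the service port is a heuristic.

```python
import ipaddress
import struct
from collections import Counter

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed local prefix (documentation range)

def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)

def top_talkers(pcap):
    """Sum on-wire bytes per (direction, proto, port, off-network IP) in a classic pcap."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # byte order from magic number
    totals, off = Counter(), 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen, wirelen = struct.unpack(endian + "II", pcap[off + 8:off + 16])
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # only untagged Ethernet carrying IPv4 is handled
        l4 = 14 + (frame[14] & 0x0F) * 4  # start of TCP/UDP header, from the IPv4 IHL
        proto = {6: "tcp", 17: "udp"}.get(frame[23])
        if proto is None or len(frame) < l4 + 4:
            continue
        src, dst = (ipaddress.ip_address(frame[i:i + 4]) for i in (26, 30))
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        if is_local(src) == is_local(dst):
            continue  # purely internal or purely transit: no single remote peer
        direction, remote = ("egress", dst) if is_local(src) else ("ingress", src)
        # Heuristic: the lower port number is treated as the service port.
        totals[(direction, proto, min(sport, dport), str(remote))] += wirelen
    return totals.most_common()

def _record(src, dst, proto, sport, dport, size):
    """Build one constructed pcap record (Ethernet + IPv4 + ports, zero padded)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, size - 14, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    frame = (b"\0" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport)).ljust(size, b"\0")
    return struct.pack("<IIII", 0, 0, size, size) + frame

# Constructed sample capture: port-17 traffic with an off-network address, plus some DNS.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    [_record("203.0.113.50", "192.0.2.1", 17, 40000, 17, 60)] * 5
    + [_record("192.0.2.1", "203.0.113.50", 17, 17, 40000, 1200)] * 5
    + [_record("192.0.2.10", "198.51.100.53", 17, 53001, 53, 80)] * 3)

if __name__ == "__main__":
    for key, nbytes in top_talkers(SAMPLE):
        print(f"{nbytes:>8} bytes  {key}")
```

Pass the bytes of a real capture file to `top_talkers()` after setting `LOCAL_NETS` to your own prefixes; pcapng files, VLAN-tagged frames and IPv6 are not parsed by this sketch.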
