Internet<--G0/0--> TR<-->CoreSW<--Firewall<--> Server and LAN network
2) The problem is at the G0/0 port on the TR, especially the egress: "surges to 200 Mbps".
3) We are using NPM so we can see the DL/UL utilization on each port and all are below 10 Mbps.
4) When checking the TR web UI, port G0/0, egress, I find the top usage is from "Unknown" and "Domain name system".
5) What is that "Unknown", or how can I find out? And how do I stop such surges, or at least find out why they happen so I can deal with them? Take into consideration that this surge happens at 1-hour intervals at any time of day, "peak hours or off hours", like 3 am.
6) It's only the upload, and it's from the TR only, which is weird for me.
I will attach a snapshot from the web UI.
- We are using simple QoS, but nothing was happening for the last few months. That just happened 2 days ago and it's back to normal right now.
So after doing a packet capture, we found out that our bandwidth was being used through port 17 from an IP that's not in our network. We applied an ACL for both egress and ingress blocking port 17 on our port, and the problem is solved.
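The capture analysis described above can be scripted. This is an added example, not part of the original post: it totals egress bytes per service port and remote address from `tcpdump -n -q` style text lines. The sample lines, the local prefix `198.51.100.0/24`, and the "lower port number is the service" heuristic are assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in `tcpdump -n -q` text form (documentation address ranges).
SAMPLE = """\
03:00:01.000001 IP 198.51.100.2.17 > 203.0.113.50.41000: UDP, length 1400
03:00:01.000150 IP 198.51.100.2.17 > 203.0.113.50.41000: UDP, length 1400
03:00:01.000300 IP 203.0.113.50.41000 > 198.51.100.2.17: UDP, length 1
03:00:01.000900 IP 198.51.100.7.52344 > 192.0.2.53.53: UDP, length 48
03:00:01.001200 IP 192.0.2.53.53 > 198.51.100.7.52344: UDP, length 120
03:00:01.002000 IP 198.51.100.9.443 > 192.0.2.80.50123: tcp 600
"""

# addr.port > addr.port: then either "UDP, length N" or "tcp N"
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (UDP, length|tcp) (\d+)")


def egress_by_service(lines, local_net):
    """Return [((proto, service_port, remote_ip), bytes), ...], largest first.

    Only packets leaving local_net for an outside address are counted,
    which matches an egress surge on the Internet-facing port.
    """
    net = ipaddress.ip_network(local_net)
    totals = Counter()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # skip lines in a format this sketch does not handle
        src, sport, dst, dport, proto, length = m.groups()
        if ipaddress.ip_address(src) not in net:
            continue  # not sourced from our side
        if ipaddress.ip_address(dst) in net:
            continue  # internal traffic never crosses the uplink
        # Heuristic (assumption): the lower port number is the service port.
        service = min(int(sport), int(dport))
        totals[(proto.split(",")[0].lower(), service, dst)] += int(length)
    return totals.most_common()


if __name__ == "__main__":
    for (proto, port, remote), nbytes in egress_by_service(
        SAMPLE.splitlines(), "198.51.100.0/24"
    ):
        print(f"{proto}/{port:<5} -> {remote:<15} {nbytes} bytes")
```

Running the same summary before and after the ACL is applied confirms whether the port 17 row has dropped out of the egress totals.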