11-18-2017 03:03 AM - edited 03-05-2019 09:30 AM
Hi all,
I have NBAR enabled on a client's router and it appears that the WAN is being saturated by an influx of HL7 traffic? All I really know about HL7 is that it is a health protocol that doesn't rely on a port-map or any single transport protocol; because of this I am struggling to identify the source of the traffic?
Any help on the matter would be appreciated.
Ben
11-19-2017 10:29 AM
Hi @tenbucker
I only see reference to HL7 as a standard or framework. I didn't find it as a protocol, could you share your source?
-If I helped you somehow, please, rate it as useful.-
11-19-2017 11:13 AM
Hey @Flavio Miranda
I'm basing this on output from the show ip nbar protocol-discovery command. From what I've gathered HL7 traffic usually flows over some other protocol but I and the customer are both clueless as to what that could be, any ideas?
11-19-2017 11:16 AM
Hello,
According to the link below, HL7 uses TCP/UDP ports 2575 and 20046.
Try and create an access list for those ports with the 'log' keyword, that should tell you the source and destination:
access-list 100 permit tcp any any eq 2575 log
access-list 100 permit tcp any any eq 20046 log
access-list 100 permit udp any any eq 2575 log
access-list 100 permit udp any any eq 20046 log
access-list 100 permit ip any any
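An added example, not part of the original post: once access-list 100 is applied and logging, the router emits %SEC-6-IPACCESSLOGP syslog messages for the matching entries, and a short script can total them per flow to show which hosts are behind the traffic. The log lines, addresses and the `top_talkers` function name are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the IOS %SEC-6-IPACCESSLOGP format.
# All addresses are made-up private / documentation values.
SAMPLE_LOG = """\
Nov 20 03:10:01: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.10.5.21(49822) -> 192.0.2.40(2575), 1 packet
Nov 20 03:15:01: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.10.5.21(49822) -> 192.0.2.40(2575), 8412 packets
Nov 20 03:15:07: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.10.7.3(51544) -> 192.0.2.40(2575), 37 packets
Nov 20 03:15:09: %SEC-6-IPACCESSLOGP: list 100 permitted udp 10.10.9.9(5353) -> 198.51.100.7(20046), 2 packets
Nov 20 03:15:11: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.10.8.8(40000) -> 192.0.2.40(2575), 5 packets
Nov 20 03:15:20: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
"""

LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)

HL7_PORTS = {2575, 20046}  # the ports named in the post above


def top_talkers(log_text, acl="100", ports=HL7_PORTS):
    """Sum logged packet counts per (proto, src, dst, dport), busiest first.

    ACL logging reports the first matching packet at once and then periodic
    summaries, so the totals rank talkers rather than measure exact volume.
    """
    totals = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["acl"] != acl or int(m["dport"]) not in ports:
            continue  # other ACLs, other ports, unrelated syslog messages
        key = (m["proto"], m["src"], m["dst"], int(m["dport"]))
        totals[key] += int(m["pkts"])
    return totals.most_common()


if __name__ == "__main__":
    for (proto, src, dst, dport), pkts in top_talkers(SAMPLE_LOG):
        print(f"{pkts:>8} pkts  {proto} {src} -> {dst}:{dport}")
```

The ACL entries match on destination port only, so the totals cover traffic towards ports 2575 and 20046 and not the replies coming back from them.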
11-20-2017 02:53 AM
Thank you, the only drama is that the interesting traffic is utilising up to 50mb so I would expect quite a massive hit to CPU?
I've asked them to set up a netflow collector in the meantime, hopefully we can make some headway.
Ben
11-20-2017 10:47 AM