Many DNS port 53 scanned packets detected in debug netdr

aweer1234
Level 1

Dear All,

Our company has a Cisco 7609-S router, and after running the debug netdr command to capture packets we detected a bunch of packets scanning port 53.

According to my understanding, the debug netdr function only detects packets sent to the CPU in the control plane, so I don't understand why we have detected so many data plane packets. All source and destination IPs are different.

Could you please help to advise how to solve this issue?

Thanks!

--

Regards,

Rex

1 Accepted Solution

Accepted Solutions

Hello,

RP process handles some traffic indeed. Please check the information below. Check the DNS packets with sniffer to see what is going on. Look for options in the packets for example.

"The RP CPU is typically used in order to handle Layer 3 (L3) control traffic as well as L3 data traffic that cannot be hardware-switched. Some examples of L3 control traffic are Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), Border Gateway Protocol (BGP), and Protocol Independent Multicast (PIM) packets. Some examples of L3 data traffic that cannot be hardware-switched are packets with IP options set, packets with Time To Live (TTL) values of 1, and packets that require fragmentation"

Masoud


8 Replies

Hi Masoud,

I have attached the debug netdr report in this thread; could you please help check it for any problems?

Thanks!

Regards,

Rex

I see these IPs a lot.

Is one of them yours?

23.251.55.X

150.129.7X.X?

Masoud

Hi Masoud,

None of these IPs belong to us, thank you!

Regards,

Rex

And do you have any access-list with "log" at the end?

Hi Masoud,

Thanks for your reply!

We don't have any access-list with "log" option enabled.
Thanks!

Regards,

Rex

Amit Goyal
Level 1

Hi Rex,

Yes, you are right. debug netdr gives us all packets which are being punted to the CPU.

Can you attach the output of "debug netdr" in this thread?

You could also check the destination of those packets to see if they belong to your 7600 router. If not, then for some reason they are being pushed to this router unexpectedly.

HTH

-Amit
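The accepted answer lists the conditions that force the RP to process-switch data traffic (IP options set, TTL of 1, packets that need fragmentation), and Amit's reply suggests checking whether the punted packets are even addressed to the 7600. The Python script below is an added example, not code from this thread or from Cisco: it parses raw IPv4/UDP packets, tags each one with those punt conditions plus a "dst-not-local" flag, and tallies the sources of port-53 traffic, which is the triage one would do over a sniffer capture taken alongside debug netdr. The router addresses, sample packets and all address values are constructed (RFC 5737 documentation ranges), not the ones from the thread, and build_ipv4_udp, punt_reasons and summarize are hypothetical helpers written for this example.

```python
import socket
import struct
from collections import Counter

# Constructed sample addresses (RFC 5737 documentation ranges), not from the thread.
ROUTER_ADDRESSES = {"192.0.2.1", "192.0.2.2"}
IPPROTO_UDP = 17
DNS_PORT = 53


def build_ipv4_udp(src, dst, sport, dport, ttl=64, options=b"", more_fragments=False,
                   frag_offset=0, payload=b"\x00" * 12):
    """Build a minimal IPv4/UDP packet. Checksums are left zero; this is a
    constructed sample for offline testing, not a real capture."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # pad with End-of-Option-List
    ihl = 5 + len(options) // 4
    udp_len = 8 + len(payload)
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset & 0x1FFF)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + udp_len,
                         0x1234, flags_frag, ttl, IPPROTO_UDP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + options
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_hdr + udp_hdr + payload


def punt_reasons(pkt, local_addresses=ROUTER_ADDRESSES):
    """Return (src, dst, dst_port, reasons) for one IPv4 packet.

    reasons lists the conditions the accepted answer names as forcing the RP
    to process-switch a data packet (IP options, TTL of 1, fragmentation),
    plus 'dst-not-local' when the destination is not one of the router's own
    addresses (the check Amit suggested)."""
    ver_ihl, _tos, _tlen, _ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = ver_ihl & 0x0F
    src, dst = socket.inet_ntoa(src), socket.inet_ntoa(dst)
    reasons = []
    if ihl > 5:
        # Walk the option list and record the option type codes present
        # (e.g. 7 = Record Route); 0 ends the list, 1 is a one-byte NOP.
        types, i, end = [], 20, ihl * 4
        while i < end:
            t = pkt[i]
            if t == 0:
                break
            if t == 1:
                i += 1
                continue
            types.append(t)
            i += pkt[i + 1]      # length byte covers type, length and data
        reasons.append("ip-options:" + ",".join(str(t) for t in types))
    if ttl <= 1:                 # TTL of 1 (or 0) is handled in software
        reasons.append("ttl-1")
    more_frag = (flags_frag >> 13) & 1
    frag_offset = flags_frag & 0x1FFF
    if more_frag or frag_offset:
        reasons.append("fragment")
    dst_port = None
    if proto == IPPROTO_UDP and frag_offset == 0:   # UDP header only in first fragment
        _sport, dst_port = struct.unpack("!HH", pkt[ihl * 4: ihl * 4 + 4])
    if dst not in local_addresses:
        reasons.append("dst-not-local")
    return src, dst, dst_port, reasons


def summarize(packets, local_addresses=ROUTER_ADDRESSES):
    """Count punt reasons and port-53 sources across a batch, the way one would
    triage a sniffer capture taken alongside 'debug netdr'."""
    by_reason, by_src = Counter(), Counter()
    for pkt in packets:
        src, _dst, dst_port, reasons = punt_reasons(pkt, local_addresses)
        if dst_port == DNS_PORT:
            by_src[src] += 1
        for r in reasons:
            by_reason[r.split(":")[0]] += 1
    return by_reason, by_src


# Constructed samples: one clean DNS query, then one packet per punt condition.
SAMPLES = [
    build_ipv4_udp("198.51.100.10", "192.0.2.1", 40000, 53),
    build_ipv4_udp("198.51.100.10", "192.0.2.1", 40001, 53, options=b"\x07\x03\x04"),
    build_ipv4_udp("198.51.100.11", "192.0.2.1", 40002, 53, ttl=1),
    build_ipv4_udp("198.51.100.11", "192.0.2.1", 40003, 53, more_fragments=True),
    build_ipv4_udp("198.51.100.12", "203.0.113.5", 40004, 53),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(punt_reasons(p))
    print(summarize(SAMPLES))
```

Feeding real capture bytes instead of SAMPLES (for example the raw Ethernet payloads from a sniffer capture, with the 14-byte Ethernet header stripped) gives a quick breakdown of why port-53 packets are reaching the RP and which sources dominate, which is what the "I see these IPs a lot" step in this thread was doing by eye.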

Hi Amit,

Could you please check the attached file for your reference? I did find a lot of destination IPs that do not belong to our router, but to servers which are connected to the distributed switch and then the router, thanks!

--

Regards,

Rex