Solved: 2960 Bursty Internet Traffic Analytics

lowfell · ‎08-20-2020

Hello all. We have a 2960 stack with auto qos on Some uplinks. some interfaces a connected to FW's and there is a Managed Internet uplink. we are seeing g a LOT of drops on some of the ports that have NO QOS configured, however when you look at the five min average it's only about 50mb over a gig interface.

I suspect that the reason for the drops is BURSTY internet traffic, there is a graphic heavy website pulling lots of different images and db requests all over the internet.

What kind of tool can i use to see if indeed there is a lot of short period Bursting going on to demonstrate why the packets are being dropped?

Joseph W. Doherty · ‎08-20-2020

Possibly a tool like Wireshark can confirm bursty traffic, but TCP based traffic, by design, is often bursty, and the reason a port drops frames/packets is buffer overflow, so 99.9999% of the time, what you suspect is likely correct, especially, on a Catalyst 2K or 3K switch with "default" QoS active.

When you note, "NO QOS configured" do you mean QoS is inactive on the device, or just not explicitly configured on some ports? If the latter, generally, when QoS is enabled on switch, and such a switch is using its "default" QoS configuration, i.e. ports w/o an explicit QoS configuration, they often tend to be very prone to drop frames/packets because the "default" QoS port configuration allocates resources "equally" among the port's four egress queues (and often usage of those four egress queues is not equal).

Unsure for a 2960 (like on Catalyst 3Ks), but there may be further ASIC related commands which will provide additional egress queue stats, as in frames/packets enqueued and/or dropped, for each port queue and its logical thresholds.

View solution in original post

marce1000 · ‎08-20-2020

- You should consider a perimeter-fw as a central point for monitoring internet-traffic. Modern firewalls can make reports on application traffic and malware-intended traffic. Your policies should also include that not needed traffic , can not penetrate towards the Intranet at the back end of the firewall. The same goes for your users where your firewall could report on people having devices infected with malware etc.

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Joseph W. Doherty · ‎08-20-2020

Possibly a tool like Wireshark can confirm bursty traffic, but TCP based traffic, by design, is often bursty, and the reason a port drops frames/packets is buffer overflow, so 99.9999% of the time, what you suspect is likely correct, especially, on a Catalyst 2K or 3K switch with "default" QoS active.

When you note, "NO QOS configured" do you mean QoS is inactive on the device, or just not explicitly configured on some ports? If the latter, generally, when QoS is enabled on switch, and such a switch is using its "default" QoS configuration, i.e. ports w/o an explicit QoS configuration, they often tend to be very prone to drop frames/packets because the "default" QoS port configuration allocates resources "equally" among the port's four egress queues (and often usage of those four egress queues is not equal).

Unsure for a 2960 (like on Catalyst 3Ks), but there may be further ASIC related commands which will provide additional egress queue stats, as in frames/packets enqueued and/or dropped, for each port queue and its logical thresholds.

lowfell · ‎08-21-2020

Thanks everyone for your input. i'll stroke my chin and consider my options.