CBS 220 constant inbound traffic from www.cisco.com

IT Churros · ‎01-23-2024

Hello all,

I have 2 CBS 220 24P with FW 2.0.2.8 and 2.0.2.12 and a very basic setup:

- Static ip

- DNS setup to query my in house DNS servers, Default Domain Name set to AD domain

- NTP set up with default values (UTC +1, Daylight Saving ON, SNTP on), Time is up to date

- some VLAN created, default VLAN 1, management VLAN 1, Trunk on uplink to internet.

- No devices attached during test, except uplink to Meraki MX

The thing is my Meraki MX sees the switch as a huge bandwidth eater, approx 300kb, constant every day.

Meraki logs indicates "cisco.com" and "www.cisco.com" for inbound traffic for 98% of useage, the rest is DNS queries.

Packet captures indicates akamai as the main source of tcp traffic.

DNS Queries are OK

All the settings non written here must considered as default (factory setting)

rebooting the device reduces the bandwidth useage to approx 5kb/s for a couple of days and then it rises back to 300kb/s

Any ideas where to start digging ?

Thanks

Torbjørn · ‎01-23-2024

I have not seen this behaviour on any of the CBS switches I have worked on. I would start by verifying that the 300kbps measurement is actually correct with Wireshark. You can use the methods described in this blog post to do so: https://blog.davidvassallo.me/2010/03/22/measuring-bandwidth-using-wireshark/

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

IT Churros · ‎01-23-2024

Did a 60sec packet capture and it gave 351kb on average bandwidth, which is what i see on the dashboard

I have rebooted one switch and it is very low on bandwidth useage, the other remains high.
I suspect some TLS 1.3 stuff roaming around ( i get some retransmission )

Torbjørn · ‎01-23-2024

That's interesting. Was it all HTTPS traffic?

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

IT Churros · ‎01-29-2024

yes, all https.

As weird as it is, the rebooted switch did not not use much to reach cisco.com since 6 days...

i barely used 100k in total in a week (whereas the other one, not rebooted, is still on a 300k/s steady).

Georg Pauwen · ‎01-29-2024

Hello,

Akamai does cloud services, cybersecurity, DDOS mitigation, and content delivery. Is it possible that one of the devices connected to that switch is using one of their services (without your knowledge) ?

You could disconnect the ports one by one and check if one of the ports is responsible for the constant traffic stream.

IT Churros · ‎01-30-2024

Georg,

The only port used is the uplink to internet (ge24), trunk mode.

My setup is very basic, host rename, SNTP on, default NTP server, FW upgrade to latest (2.0.2.12), static IP, static DNS (in house), SNMP Off, some VLAN defined, period.

A reboot seems to clear the issue (that may be the third reboot since first power up)

Georg Pauwen · ‎01-30-2024

Hello,

odd indeed. My best guess is that it is either SNTP or Bonjour that cause this traffic. For the sake of testing, can you disable both (one after the other) ?

IT Churros · ‎02-04-2024

Sorry for late reply, was working on IT emergencies...

Done the tests, neither Bonjour or SNTP did a change in the bandwidth useage.

Looks like i'm resigned to reboot the swithes 3 or 4 times until they get up and running...