Re: How to examine ip traffic alerts

SlipperyPete · ‎02-18-2010

We're checking a 3750 switch for issues and we ran the command "show ip traffic". Under the IP statistics, it shows alerts. Does anyone know how to examine these alerts and see what they are? See the output below:

FOR_GA293_3750SFPstk_Gr1#show ip traffic
IP statistics:
Rcvd: 2203803 total, 354127 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
         0 unknown protocol, 1843512 not a gateway
         0 security failures, 0 bad options, 1069112 with options
Opts: 0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 1069112 alert, 0 cipso, 0 ump
         0 other
Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 couldn't fragment
Bcast: 328776 received, 1 sent
Mcast: 0 received, 0 sent
Sent: 25617 generated, 6885 forwarded
Drop: 53 encapsulation failed, 0 unresolved, 0 no adjacency
         0 no route, 0 unicast RPF, 0 forced drop
         0 options denied, 0 source IP address zero

Thanks.

xcz504d1114 · ‎02-18-2010

Notice the number of alerts matches the number of IP packets that were sent with "Options".

An alert does not mean anything except "you may want to look at this" and respectively "you many not".

An example of some types of traffic that are using IP options, RSVP, MPLS, IGMPv2, IP options can be used in some forms of DOS attacks, but they are also used in normal traffic.

If you are 100% sure you don't have traffic using ip options, you con configure the "ip options drop" command in global configuration, again emphasis on it is an alert, menaing you may or may not be concerned with it.

Setting up a SPAN and looking at the traffic is probably the best way to be 100% certain of the information.

HTH,

Craig

SlipperyPete · ‎02-18-2010

Okay, thanks for the help.