Undefined traffic (flood) on interfaces. Need advice how to check.

vas tik · ‎12-27-2015

Hello.

To begin with I am not a ccna or ccnp and I do not have any cisco certificates, therefore sorry if I asked wrong question in the wrong place.

We have a LAN and recently our monitoring system shows a flood on every interface in Vlan150. Flood about 600 - 700 Kb/s, and it can stop sometimes for a short period (3-20 min).

I tried to catch it with wireshark on windows (sorry I do not have any Linux host in this LAN), but it looks like packets doesn't go to windows interface because:

Port OutOctets OutUcastPkts OutMcastPkts OutBcastPkts
Gi1/3 171611363902 123019349 49768242 94193943

Port OutOctets OutUcastPkts OutMcastPkts OutBcastPkts
Gi1/3 171611538371 123019485 49768254 94193950

Port OutOctets OutUcastPkts OutMcastPkts OutBcastPkts
Gi1/3 171611724787 123019629 49768261 94193959

5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1392000 bits/sec, 159 packets/sec

As you can see port Gi1/3 is disconnected, but it is active, It doesn't have any mac addresses attached to it.

But it receives a lot of Unicast packets. How?

I need your advice. How can I catch them, to find out what is it?

Thank you in advance

Happy New Year.

Reza Sharifi · ‎12-27-2015

Hi,

How can you tell if interface gi1/3 is disconnected?

To know if the interface is up or down try "sh ip int brief gi1/3"

Also if the interface is down now, it could be that the numbers you have posted above are from the past when the interface was connected. You can try clearing the interface counter "clear counters gigabitEthernet 1/3" and watch the interface again to see if the numbers accumulate again.

HTH

vas tik · ‎12-27-2015

Interface is up, but nothing is connected to it.

The counters in the output I have provided change every time I take them. It is real flood.

Reza Sharifi · ‎12-27-2015

Can you provide the output of "sh ip int brief g1/3"?

and also "sh run int g1/3"?

vas tik · ‎12-27-2015

show ip interface brief gi1/3

Interface IP-Address OK? Method Status Protocol

GigabitEthernet1/3 unassigned YES unset up up

!

interface GigabitEthernet1/3

description ### WS & Servers ###

switchport

switchport access vlan 150

switchport mode access

end

Reza Sharifi · ‎12-27-2015

So, there is nothing connected to this interface but it is up?

vas tik · ‎12-27-2015

It is connected to comp. which is turned off right now

pwwiddicombe · ‎12-27-2015

Check link lights on the port and server port. Some of them, even if shutdown (but power connected) will have link enabled (computers/servers) to support programmed power up, with the correct packet. This port would then look "live" to the switch, who will happily send broadcast and flooding packets toward the port that is considered live from the switch point of view.

Unpower the server, and the switchport should then transition to down. Unless it's a VMWare type virtual, which is a whole different topic.

vas tik · ‎12-28-2015

I found out what was this flood, it was unicast flood.

To solve I increased aging-time for mac address table.

Will continue to monitor interfaces.