Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1888
Views
0
Helpful
8
Replies

Undefined traffic (flood) on interfaces. Need advice how to check.

vas tik
Level 1
Level 1

‎12-27-2015 10:45 AM - edited ‎03-08-2019 03:13 AM

Hello.

To begin with I am not a ccna or ccnp and I do not have any cisco certificates, therefore sorry if I asked wrong question in the wrong place.

We have a LAN and recently our monitoring system shows a flood on every interface in Vlan150. Flood about 600 - 700 Kb/s, and it can stop sometimes for a short period (3-20 min).

I tried to catch it with wireshark on windows (sorry I do not have any Linux host in this LAN), but it looks like packets doesn't go to windows interface because:

Port OutOctets OutUcastPkts OutMcastPkts OutBcastPkts
Gi1/3 171611363902 123019349 49768242 94193943

Port OutOctets OutUcastPkts OutMcastPkts OutBcastPkts
Gi1/3 171611538371 123019485 49768254 94193950

Port OutOctets OutUcastPkts OutMcastPkts OutBcastPkts
Gi1/3 171611724787 123019629 49768261 94193959

5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1392000 bits/sec, 159 packets/sec

As you can see port Gi1/3 is disconnected, but it is active, It doesn't have any mac addresses attached to it.

But it receives a lot of Unicast packets. How?

I need your advice. How can I catch them, to find out what is it?

Thank you in advance

Happy New Year.

Labels:
0 Helpful
8 Replies 8

Reza Sharifi
Hall of Fame
Hall of Fame

‎12-27-2015 11:07 AM

Hi,

How can you tell if interface gi1/3 is disconnected?

To know if the interface is up or down try "sh ip int brief gi1/3"

Also if the interface is down now, it could be that the numbers you have posted above are from the past when the interface was connected.  You can try clearing the interface counter "clear counters gigabitEthernet 1/3" and watch the interface again to see if the numbers accumulate again.

HTH

0 Helpful

vas tik
Level 1
Level 1
In response to Reza Sharifi

‎12-27-2015 11:17 AM

Interface is up, but nothing is connected to it.

The counters in the output I have provided change every time I take them. It is real flood.

0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame
In response to vas tik

‎12-27-2015 11:20 AM

Can you provide the output of "sh ip int brief g1/3"?

and also "sh run int g1/3"?

0 Helpful

vas tik
Level 1
Level 1
In response to Reza Sharifi

‎12-27-2015 11:52 AM

 show ip interface brief gi1/3

Interface IP-Address OK? Method Status Protocol

GigabitEthernet1/3 unassigned YES unset up up

!

interface GigabitEthernet1/3

description ### WS & Servers ###

switchport

switchport access vlan 150

switchport mode access

end

0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame
In response to vas tik

‎12-27-2015 12:16 PM

So, there is nothing connected to this interface but it is up?

0 Helpful

vas tik
Level 1
Level 1
In response to Reza Sharifi

‎12-27-2015 01:03 PM

It is connected to comp. which is turned off right now

0 Helpful

pwwiddicombe
Level 4
Level 4
In response to vas tik

‎12-27-2015 03:03 PM

Check link lights on the port and server port.  Some of them, even if shutdown (but power connected) will have link enabled (computers/servers) to support  programmed power up, with the correct packet.  This port would then look "live" to the switch, who will happily send broadcast and flooding packets toward the port that is considered live from the switch point of view.

Unpower the server, and the switchport should then transition to down.  Unless it's a VMWare type virtual, which is a whole different topic.

0 Helpful

vas tik
Level 1
Level 1
In response to pwwiddicombe

‎12-28-2015 08:39 AM

I found out what was this flood, it was unicast flood.

To solve I increased aging-time for mac address table.

Will continue to monitor interfaces.

0 Helpful
Customers Also Viewed These Support Documents
li.common.scroll-to.top