06-11-2008 09:49 PM - edited 03-05-2019 11:34 PM
Hi,
I've searched Cisco and the net in general, but I can't find any helpful information that would help me figure out what the "unknown protocol drops" are in the interface output below.
Can anyone shed some light on this?
#sh int f0/0
FastEthernet0/0 is up, line protocol is up
Hardware is MV96340 Ethernet, address is 001d.46f0.8120 (bia 001d.46f0.8120)
Description: switch
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:06, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 18000 bits/sec, 10 packets/sec
30 second output rate 43000 bits/sec, 9 packets/sec
20046327 packets input, 3786623660 bytes
Received 831679 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
21187748 packets output, 708301434 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
185786 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
thanks in advance,
Kevin
06-11-2008 11:59 PM
these are drops related to IPX or Decnet traffic which is not IP. You need to look what all L3 protocols are running in your network.
06-12-2008 09:40 PM
Thanks!
Any tips on how I might find out more information as to which device is responsible for this?
I'm not knowledgeable (at all) about IPX/DECnet, but am I right to assume that these L3 protocols are encapsulated in ethernet just the same as IP and are arriving on my router's interface and being dropped there for "not being IP"?
If the above is correct, then I think my culprit can be in the entire L2 domain and might perhaps be recognizable by its MAC address. How might I go about and figuring out where the IPX/DECnet is coming from?
kind regards,
Kevin
06-15-2008 10:21 PM
For the interested: By polling the OID 1.3.6.1.2.1.2.2.1.15 (ifInUnknownProtos) from the IF-MIB, I was able to check this on more devices since not all supported the CLI output of "unknown protocol drops", but all had the info via SNMP.
It turned out to be UDLD configured on the trunk on the switch side (2950/3550) which the routers (2811/1803/1841) didn't understand and they counted these frames as "unknown protocol drops".
I'd like to point out that UDLD, according to the documentation I have read, operates on Layer2, so it wasn't enough to just look at IPX/DECnet on Layer3.
06-20-2008 12:00 PM
Kevin
Thanks for posting back and indicating the information that allowed you to find the solution to your question. It is very helpful to see this aspect of the unknown protocol drops. I believe that it deserves the rating that I gave it.
HTH
Rick
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide