Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
667
Views
0
Helpful
1
Replies

Unrecognizable Traffic Flow - High Link Utilization

amar_5664
Level 1
Level 1

‎10-18-2011 05:26 PM - edited ‎03-07-2019 02:54 AM

have a 1G trunk between 6509 and 3560E, it is being used over 90% in certain periods.

3560E has one Vlan100 and native vlan while no clients connected on it who would be requesting any traffic, the only traffic would be snmp/ntp/tacacs which should not have such high utilization.

what is did was enabled netflow on 6509 where it is connected below is the capture (10.152.100.253 is the vla100 ip on 3560E it has default gateway of 6509)

10.142.176.42   10.152.100.253  udp :161    :55997    Vl100            :0x0    

   

10.142.176.42   10.152.100.253  icmp:771    0       Vl100            :0x0    

   

10.142.176.42   10.152.100.253  icmp:0      0      Vl100            :0x0    

   

10.137.0.50     10.152.100.253  udp :ntp    :ntp      Vl100            :0x0    

   

10.142.176.42   10.152.100.253  udp :161    :53513    Vl100            :0x0    

   

10.152.100.253  10.137.0.50     udp :ntp    :ntp      Vl100            :0x0    

   

10.142.176.42   10.152.100.253  udp :161    :55964    Vl100            :0x0

0.0.0.0         0.0.0.0         0                 --               :0x0    

   

255.255.255.255 0.0.0.0         udp :68     :67       Vl100            :0x0

what bothering me is below

DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f          :AdjPtr
-----------------------------------------------------------------------------
Pkts         Bytes         Age   LastSeen  Attributes

0.0.0.0         0.0.0.0         0   0      0        --               :0x0 

1472532      1804080369    23    11:14:18   L3 - Dynamic  
   
255.255.255.255 0.0.0.0         udp :68     :67       Vl100            :0x0

51           15606         1601  11:14:18   L2 - Dynamic

cache flow

--               0.0.0.0          ---              0.0.0.0         00 0000 0000
   334K

Vl100            0.0.0.0          Vl100            255.255.255.255 11 0044 0043
    54

output rate on 6509 connecting to 3560E

  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 78237000 bits/sec, 6473 packets/sec

input rate on 3560E connecting to 6509

  5 minute input rate 43405000 bits/sec, 3603 packets/sec
  5 minute output rate 2000 bits/sec, 2 packets/sec
     6001401664 packets input, 8621579919811 bytes, 0 no buffer
     Received 216575806 broadcasts (170244392 multicasts)

is 0.0.0.0 destined to 0.0.0.0 causing this spike, i would not expect that as it seems to be blackholing. could someone explain why would i have so many packets 334k src/dst (0.0.0.0)... is it a broadcast storm on vlan 100 but netflow is not indicating broadcast ... please note i have not enabled storm-control and broadcast supression....

Labels:
0 Helpful
1 Reply 1

nkarpysh
Cisco Employee
Cisco Employee

‎10-21-2011 03:50 AM

The traffic can be L2 thus not showing up in Netflow. Try doing this command on 6500 and 3560 interfaces to see what traffic is laying in the buffer:

show buffer input-int vlan 100

show buffer input-int TRUNK_INT

if you are really close to 100% load - then you will see drops and buffer not being full thus it will give you output of some packets in it. See what are those and trace the source MAC to understand where most are coming from.

Otherwise connect PC to these device and do SPAN on port to capture that traffic and analyze.

Nik

HTH,
Niko
0 Helpful
Customers Also Viewed These Support Documents