09-11-2007 04:38 AM - edited 03-05-2019 06:24 PM
Hi all,
I need your valued clarification on a basic and stupid question I have. I hope you don't mind replying.
I have installed Ethereal in one of my LAN broadcast domains, where I am seeing around 40 to 70 percent UDP traffic out of my total subnet traffic.
I need your esteemed advice on this. I personally guess it's normal. Is it? I mostly have internet usage. I have an SNMP server in this subnet, and HSRP is also configured for this subnet. Please advise. When I look into this traffic, it tells me about the listed protocols that work over UDP.
Please advise.
09-11-2007 04:50 AM
Hi
It's difficult to say without more specifics. Are you saying that the UDP traffic is broadcast traffic or just that the majority of traffic on that LAN is UDP?
What UDP ports are being used?
Jon
09-12-2007 04:09 AM
I mean the majority of the LAN traffic is UDP. The UDP protocols mainly used are SNMP and HTTP.
I do feel it is perfect. Please advise.
09-11-2007 04:52 AM
Likely you have plugged your Ethereal machine into a switchport. What you see there consists largely of broadcasts because the monitor PC does not generate any traffic itself.
To "see" real traffic you should configure the switchport as a monitor port:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml
regards,
Leo
09-11-2007 07:04 AM
For the past two weeks we had a case where a server was broadcasting UDP packets (we just found the source of the problem) and our CAT4506 was pegged at 95% (show processes CPU); Cat4k Mgmt LoPri was 85.29%! The SysAdmin says we need to close or filter UDP destination port 6669 on our Cat3560 (first-level switch) or router (4506).
What can we do to stop the packets at the port?
Mike
09-11-2007 10:45 AM
As a rule of thumb, it is always better to adjust the behaviour of the host that is generating the traffic than to adjust it at the network level.
When you know what (which host) the cause is, shut it down or restrict its access.
The first question that I would ask here is: what does this traffic on port 6669 do?
Is this an essential network-service or not?
When it is, you will have to facilitate it one way or the other. When it is not, contact the server admin and shut it down, take any measures that you see fit to solve the needs of the moment.
An access-filter like below will suffice for this:
access-list 199 deny udp any any eq 6669
access-list 199 permit ip any any
! XX is the VLAN where the source is
interface vlan XX
 ip access-group 199 in
regards,
Leo
09-11-2007 10:54 AM
Thanks, we employed this on the 4506; we are now down to 10 to 17%!
It was very hard initially to find the source of the problem. I wished I had some software to alert me. As it happened, someone remembered a complaint about a particular server from months ago, and it was the same problem here.
Mike
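Added example, not part of the original thread: one way to get the kind of alert wished for above is to rank UDP broadcast senders in a capture taken on a monitor port. It assumes text lines in the style of `tcpdump -nn -q` output; the addresses, the sample lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed capture lines in the style of `tcpdump -nn -q` (not from the thread).
FLOOD = [f"12:00:0{i}.000000 IP 10.1.1.50.4321 > 10.1.1.255.6669: UDP, length 512"
         for i in range(5)]
OTHER = [
    "12:00:05.000000 IP 10.1.1.10.161 > 10.1.1.20.40000: UDP, length 90",   # SNMP reply
    "12:00:05.100000 IP 10.1.1.2.1985 > 224.0.0.2.1985: UDP, length 20",    # HSRP hello
    "12:00:05.200000 IP 10.1.1.30.138 > 10.1.1.255.138: UDP, length 201",   # NetBIOS
    "12:00:05.300000 IP 10.1.1.20.51000 > 192.0.2.10.80: tcp 99",
    "12:00:05.400000 IP 192.0.2.10.80 > 10.1.1.20.51000: tcp 1448",
    "12:00:05.500000 ARP, Request who-has 10.1.1.1 tell 10.1.1.20, length 46",
]
SAMPLE = "\n".join(FLOOD + OTHER)

LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>UDP|tcp)\b"
)

def summarize(text, subnet_broadcast):
    """Return (UDP share of parsed TCP/UDP packets, broadcast talkers).

    Talkers are counted per (source IP, destination port) for UDP packets
    sent to the limited or subnet-directed broadcast address.
    """
    total = udp = 0
    talkers = Counter()
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # non-TCP/UDP lines (e.g. ARP) are left out of the share
        total += 1
        if m["proto"] == "UDP":
            udp += 1
            if m["dst"] in ("255.255.255.255", subnet_broadcast):
                talkers[(m["src"], int(m["dport"]))] += 1
    return (udp / total if total else 0.0), talkers

def alerts(talkers, threshold):
    """Hosts whose broadcast packet count to one port reaches the threshold."""
    return [(src, port, n) for (src, port), n in talkers.most_common()
            if n >= threshold]

if __name__ == "__main__":
    share, talkers = summarize(SAMPLE, "10.1.1.255")
    print(f"UDP share: {share:.0%}")
    for src, port, n in alerts(talkers, threshold=3):
        print(f"ALERT {src} sent {n} UDP broadcasts to port {port}")
```

The threshold is per capture window, so choose it relative to how long the capture ran and what the subnet's normal broadcast services send.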
09-12-2007 04:11 AM
Thanks... The document was very helpful.
Cheers !