
UDP broadcast in LAN

shanus_id
Level 1

Hi all,

I require your valued clarification on a basic and stupid question I have. I hope you don't mind replying.

I have installed Ethereal in one of my LAN broadcast domains, where I am getting around 40 to 70 percent UDP traffic of my total subnet traffic.

I need your esteemed advice on this. I personally guess it's normal. Is it? I mostly have internet use. I have an SNMP server in this subnet, and HSRP is also configured for this subnet. Please advise. When I figure out this traffic, it explains to me about the listed protocols that work on UDP.

Please advise.

7 Replies

Jon Marshall
Hall of Fame

Hi

It's difficult to say without more specifics. Are you saying that the UDP traffic is broadcast traffic, or just that the majority of traffic on that LAN is UDP?

What UDP ports are being used?

Jon

I mean the majority of the LAN traffic is UDP. UDP protocols mainly used are SNMP and HTTP.

I do feel it is perfect. Please advise.

lgijssel
Level 9

Likely you have plugged your Ethereal machine into a switchport. What you see there consists largely of broadcasts because the monitor PC does not generate any traffic from itself.

To "see" real traffic you should configure the switchport as a monitor port:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

regards,

Leo

For the past two weeks we had a case where a server was broadcasting UDPs (we just found the source of the problem) and our CAT4506 was pegged at 95% (show processes CPU); Cat4k Mgmt LoPri was 85.29%! The SysAdmin says we need to close or filter UDP destination port 6669 on our Cat3560 (first-level switch) or router (4506).

What can we do to stop the packets at the port?

Mike

As a rule of thumb, it is always better to adjust the behaviour of the host that is generating the traffic than to adjust it at the network level.

When you know what (which host) the cause is, shut it down or restrict its access.

The first question that I would ask here is: what does this traffic on port 6669 do?

Is this an essential network-service or not?

When it is, you will have to facilitate it one way or the other. When it is not, contact the server admin and shut it down, take any measures that you see fit to solve the needs of the moment.

An access-filter like below will suffice for this:

access-list 199 deny udp any any eq 6669
access-list 199 permit ip any any
!
interface vlan XX
 ! XX = the VLAN where the source is
 ip access-group 199 in

regards,

Leo

Thanks, we employed this on the 4506; we are now down to 10 to 17%!

It was very hard initially to find the source of the problem. I wished I had some software to alert me. As it happened, someone remembered a complaint from a particular server from months ago, and it was the same problem here.

Mike
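
The kind of alerting wished for above can be sketched as follows. This is an added example, not code from any poster in the thread: it reads `tcpdump -nn -tt` text output and reports sources whose UDP broadcast rate crosses a threshold. The subnet 10.1.20.0/24, the host addresses, the threshold of 100 packets per one-second window and the sample lines are constructed assumptions; only port 6669 comes from the thread.

```python
import ipaddress
import re
from collections import Counter

# tcpdump -nn -tt line: "<epoch> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)

# window and threshold defaults are assumptions; tune them to the LAN's baseline.
def broadcast_talkers(lines, subnet, window=1.0, threshold=100):
    """Return {(src, dport): peak packets per window} for sources whose UDP
    broadcast count reaches `threshold` in any `window`-second bucket."""
    net = ipaddress.ip_network(subnet)
    bcast = {str(net.broadcast_address), "255.255.255.255"}
    buckets = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dst"] not in bcast:
            continue  # unparsable, not UDP, or unicast
        bucket = int(float(m["ts"]) // window)
        buckets[(m["src"], int(m["dport"]), bucket)] += 1
    peaks = {}
    for (src, dport, _), count in buckets.items():
        peaks[(src, dport)] = max(peaks.get((src, dport), 0), count)
    return {key: peak for key, peak in peaks.items() if peak >= threshold}

def sample_capture():
    """Constructed capture: one noisy broadcaster on 6669 plus normal chatter."""
    lines = [
        f"{1000.0 + i / 300:.6f} IP 10.1.20.15.6669 > 10.1.20.255.6669: UDP, length 120"
        for i in range(300)  # 300 broadcasts inside one second
    ]
    # Low-rate background broadcast (one packet per second), stays under threshold
    lines += [f"{1000.0 + i:.6f} IP 10.1.20.30.5000 > 10.1.20.255.5000: UDP, length 50"
              for i in range(5)]
    # Unicast UDP is ignored by the detector
    lines.append("1000.500000 IP 10.1.20.40.6000 > 10.1.20.9.40000: UDP, length 90")
    return lines

if __name__ == "__main__":
    for (src, dport), peak in broadcast_talkers(sample_capture(), "10.1.20.0/24").items():
        print(f"ALERT {src} -> udp/{dport}: {peak} broadcasts in one window")
```

The capture host still has to sit where it can see the traffic; broadcasts reach any access port in the VLAN, so no monitor port is needed for this particular check.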

Thanks... The document was very helpful.

Cheers !
