Amazing Bandwidth Consumption (is it the case of IP spoofing?)

Unanswered Question
Sep 24th, 2007

I work at an Internet Service Provider. One of our clients has his gateway as one of the subinterfaces in our router.

int fa0/0.421
 encapsulation dot1q 421
 ip address

This IP is routed via OSPF.

For the past two days an amazing thing has been happening. Even when I shut his subinterface or his access port on the switch, or he physically powers off all the devices at his premises, his network shows amazing bandwidth consumption in our Bandwidth Manager. He has been allocated 256/256 K dedicated bandwidth, but the whole bandwidth gets choked even when the devices are physically shut! I let him use global bandwidth to see how much it might hit; his network was demanding 10.5 MB! What is this? I had to throttle the rule to 80/80 bits per second to control it! Is it a case of IP spoofing? How is the network consuming bandwidth when it is physically shut or powered off? I don't see anything in the log. Our client has a Fortigate 100A 2.80 firewall at his premises.

Help! I have never experienced anything like this in my 2 years of network engineering career!

lgijssel Mon, 09/24/2007 - 22:32

Although there is not too much info, I think that there might be another interface somewhere in the network that was configured for VLAN 421. The traffic that you see could be due to OSPF having found an alternative path via this VLAN and routing or load balancing traffic over it.

You should check your routing tables and verify the VLAN configuration in the PE-CPE part of the network.

regards,

Leo

openboy_basanta Mon, 09/24/2007 - 23:48

Thanks Leo,

I did solve my problem after I issued access lists in the egress and ingress filters and generated the log to see what is going on. I found one Malaysian Communications' IP sending me unnecessary traffic (echo-reply). I have blocked the IP and reported it to [email protected], and things have returned to normal.

Regarding your answer, I am still confused, because without that 421 VLAN propagating (or being trunked), does simply getting associated with another subinterface do it? Because my bandwidth manager here assigns/monitors bandwidth based on subnet. Even if I assign the same VLAN 421 to another subinterface in another subnet, will there be such confusion for the Bandwidth Manager? Because the Bandwidth Manager monitors based on IP address, not on VLAN, isn't it?
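
Added example, not part of the original thread or any poster's own code: one way to do the log review described in the reply above, totalling ICMP echo-reply hits per source toward a customer prefix from ACL log lines. The log lines are constructed in the style of Cisco IOS `%SEC-6-IPACCESSLOGDP` messages; ACL number 121, the documentation-range addresses, the `192.0.2.0/24` customer subnet and the packet threshold are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of Cisco IOS ACL logging for ICMP
# (%SEC-6-IPACCESSLOGDP). Addresses are documentation ranges; ACL 121 and
# the customer subnet used below are assumptions made for this example.
SAMPLE_LOG = """\
Sep 24 23:10:01: %SEC-6-IPACCESSLOGDP: list 121 permitted icmp 203.0.113.77 -> 192.0.2.10 (0/0), 1 packet
Sep 24 23:15:01: %SEC-6-IPACCESSLOGDP: list 121 permitted icmp 203.0.113.77 -> 192.0.2.10 (0/0), 4820 packets
Sep 24 23:15:02: %SEC-6-IPACCESSLOGDP: list 121 permitted icmp 198.51.100.5 -> 192.0.2.12 (8/0), 3 packets
Sep 24 23:15:04: %SEC-6-IPACCESSLOGDP: list 121 permitted icmp 203.0.113.77 -> 192.0.2.11 (0/0), 5112 packets
Sep 24 23:15:09: %SEC-6-IPACCESSLOGDP: list 121 permitted icmp 198.51.100.9 -> 10.0.0.1 (0/0), 900 packets
Sep 24 23:15:11: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 198.51.100.5(40000) -> 192.0.2.10(80), 2 packets
"""

ICMP_LINE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) icmp "
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)

def echo_reply_sources(log_text, customer_net):
    """Total ICMP echo-reply (type 0) packets per source toward customer_net."""
    net = ipaddress.ip_network(customer_net)
    totals = Counter()
    for line in log_text.splitlines():
        m = ICMP_LINE.search(line)
        if not m or int(m["type"]) != 0:
            continue  # not an ICMP ACL hit, or not an echo-reply
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address field; skip rather than crash
        if dst in net:
            totals[m["src"]] += int(m["count"])
    return totals.most_common()

def suspicious(log_text, customer_net, threshold=1000):
    """Sources whose echo-reply volume to the subnet meets the threshold."""
    return [(s, n) for s, n in echo_reply_sources(log_text, customer_net) if n >= threshold]

if __name__ == "__main__":
    for src, pkts in suspicious(SAMPLE_LOG, "192.0.2.0/24"):
        print(f"{src}: {pkts} echo-reply packets")
```
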
