Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
477
Views
7
Helpful
4
Replies

Amazing Bandwidth Consumption (is it the case of ip spoofing ?)

openboy_basanta
Level 1
Level 1

‎09-24-2007 09:27 PM - edited ‎03-03-2019 06:54 PM

I work at an Internet Service Provider. One of our clients has his gateway as one of the subinterfaces in our router.

int fa0/0.421

encapsulation dot1q 421

ip address

this ip is routed via ospf

These days since two days one amazing thing is happening. Even when I shut his subinterface or his access port in the switch, or he power offs all the devices at his premises physically his network show amazing bandwidth consumption in our Bandwidth Manager. He has been allocated 256/256 K dedicated bandwidth but the whole bandwidth gets choked even when the devices are physically shut !!!!!!!!!!!!!! I let him use global bandwidth as to see how much it might hit , his network was demanding 10.5 MB!!!!!!!!!!!!! What is this ?????? I had to throttle the rule to 80/80 bits per second to control it !!!!!!!!!!!!!!! Is it the case of IP spoofing ????? How is the network consuming bandwidth when it is physically shut or power off ???? I dont see anything in the log. Our client has a Fortigate 100A 2.80 Firewall in his premises.

Help !!!!!!!!!!! Never experienced like this in my 2 years Network Engineering Career!!!!!!

Labels:
0 Helpful
4 Replies 4

lgijssel
Level 9
Level 9

‎09-24-2007 10:32 PM

Altough there is not too much info, I think that there might be another interface somewhere in the network that was configured for vlan 421. The traffic that you see could be due to the OSPF having found an alternative path via this vlan and is routing or load balancing traffic over it.

You should check your routing tables and verify the vlan configuration in the PE-CPE part of the network.

regards,

Leo

openboy_basanta
Level 1
Level 1
In response to lgijssel

‎09-24-2007 11:48 PM

Thanks Leo,

I did solve my problem after I issued access lists in egress and ingress filter and generating the log to see what is going on. I found one Malaysian Communications' ip sending me unneccessary traffic (echo-reply), I have blocked the ip and reported to abuse@thatisp.com and things have got normal.

Regarding your answer I am still confused because without that 421 vlan propagating( or being trunked ) does simply getting associated with another sub interface does it ???? Because my bandwidth manager here assigns /monitors bandwidth based on subnet. Even if i assign same vlan 421 to another subinterface in another subnet will there be such confusion to the Bandwidth manager ????? Because Bandwidth manager monitors based on IP address not on VLAN isnt it ??????

0 Helpful

Danilo Dy
VIP Alumni
VIP Alumni
In response to openboy_basanta

‎09-26-2007 06:33 AM

Hi,

Always secure internet routers. Refer to the links..

Non-BGP

http://www.cymru.com/Documents/secure-ios-template.html

BGP

http://www.cymru.com/Documents/secure-bgp-template.html

NSA Guide

http://www.nsa.gov/snac/downloads_all.cfm

..and also keep their IOS up-to-date.

Regards,

Dandy

openboy_basanta
Level 1
Level 1
In response to Danilo Dy

‎09-26-2007 10:24 PM

Thanks a lot Dandy,

I will surely take into account your advise

Bsnta

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card