Strange Strange Brodcast

Unanswered Question
Edison Ortiz Thu, 12/13/2007 - 07:06
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

What is DS ?


Can you post the output from show interface g0/1 ?

hello edison!

ds:its distribution:

SW#sh interfaces gigabitEthernet 0/1

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full-duplex, 1000Mb/s

Link type is autonegotiation, media type is SX

output flow-control is off, input flow-control is off

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:00, output 00:00:03, output hang never

Last clearing of "show interface" counters 03:59:45

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue :0/40 (size/max)

5 minute input rate 7006000 bits/sec, 7053 packets/sec

5 minute ouxtput rate 0 bits/sec, 0 packets/sec

102537443 packets input, 4241617996 bytes, 0 no buffer

Received 102361096 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 watchdog, 102195392 multicast, 0 pause input

0 input packets with dribble condition detected

4618 packets output, 862882 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier, 0 PAUSE output

0 output buffer failures, 0 output buffers swapped out

Edison Ortiz Thu, 12/13/2007 - 08:55
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

wow, you have a ton of input traffic with no output traffic.


Did you try telneting to the device connected on G0/1 ? What type of device is connected to G0/1 ?


It looks like you have a virus.

Edison Ortiz Thu, 12/13/2007 - 09:29
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

Did you telnet to this switch and check the port counters to identify which switchport is the one sending the most traffic ?

mheusing Thu, 12/13/2007 - 09:36
User Badges:
  • Cisco Employee,

Hi,


The first question coming to my mind: what is causing the broadcast traffic? Can you use a packet analyzer like Wireshark to record the packets utilizing a SPAN port?

This should help to identify the cause of the broadcast packets and thus maybe allow you to stop it at the origin.

I know some applications use broadcast to distribute data, which could explain the observed behaviour.


Regards, Martin

RouterTech1 Thu, 12/13/2007 - 09:52
User Badges:

so shut off the ipv6 on the clients that are trying to join... Vista has ipv6 enabled by default.


mheusing Thu, 12/13/2007 - 09:53
User Badges:
  • Cisco Employee,

Which source MAC address is seen? Track the source MAC address(es) to the switch port(s) connecting the end device(s). In some operating systems IPv6 is turned on by default (or misconfiguration by admins).

Once you know the end device you need to check the operating system settings. In MS you could simply disable the protocol for the network card in the LAN Properties Tab.


Regards, Martin

mheusing Thu, 12/13/2007 - 10:04
User Badges:
  • Cisco Employee,

Empty? you mean all zeros as source MAC address? A standard ethernet frame has to have a source MAC and a destination MAC. Can you attach a small sample of collected packets in a zipped file?


Regards, Martin

Danilo Dy Wed, 12/19/2007 - 06:58
User Badges:
  • Blue, 1500 points or more

Hi Ali,


Since the traffic is coming from the switch and you are sure that IPv6 is disabled in the switch. Can you post the "show version" output of the switch? It could be a bug.


Regardes,

Dandy

Danilo Dy Wed, 12/19/2007 - 07:50
User Badges:
  • Blue, 1500 points or more

Hi Ali,


show ipv6 interface [interface-id]

show ipv6 route

show ipv6 static


Make sure you don't use IPv6 first.


In the global configuration mode

SW(config)# no ipv6 unicast-routing


In the interface configuration mode

SW(config-if)#no ipv6 enable


Regards,

Dandy

mheusing Sat, 12/22/2007 - 01:51
User Badges:
  • Cisco Employee,

Hi,


have a look at the source mac addresses seen, which is HighTech_1d:b3:01 in the screenshot. Track the mac address in the switches to the access port (presumably "show mac-address-table") and have a look at the attached device. I would assume the source is not a switch, but a host with default IPv6 settings. Once you found the host(s), check the network card settings and disable IPv6, as you do not want it to be active. In case you do not know how to disable it, please provide more informations on the host(s) causing the issue.

In brief:

1) find access port in the switches by tracking MAC address

2) identify host connected

3) check network card settings connected to switch port


Regards, Martin

Actions

This Discussion