Saturated serial interface - help!!

Unanswered Question
Mar 2nd, 2009
User Badges:

I've got a serial interface on a 2811 router that has been showing an rx load of 252/255 for about 60 hours.


I've got netflow enabled on it and when I put an ACL on the serial interface to block the offending IP address it does not seem to be working. I've got the log parameter on there and its not showing in the log and the rx load is not decreasing.


Netflow shows it as protocol 27 and the source and destination addresses are not any of the networks configured on this router.


What is going on here? Thanks for any help on this.


I realize that I posted in the network managemetn forum but I really need some direction on this. Thank you again in advance!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
pciaccio Mon, 03/02/2009 - 09:15
User Badges:
  • Silver, 250 points or more

If you can try shutting the interface down to stop the flood and bring it back up to see if it starts back up again. Can you also submnit the ACL that you have applied to your serial interface on the input. Can you also provide information about the source and destination of your issue.....

justin.gerharte... Mon, 03/02/2009 - 09:23
User Badges:

access-list 111 deny 27 host 109.160.81.80 host 13.0.3.0 log

access-list 111 deny ip host 109.160.81.80 any log

access-list 111 deny ip host 13.0.3.0 any log

access-list 111 permit ip any any


The ACL 111 is from yesterdays attempt. Netflow today is showing source of 234.160.81.80 and a destination of 13.0.3.0 with a source port of 17.

justin.gerharte... Mon, 03/02/2009 - 09:46
User Badges:

The destination has changed to 17.0.3.0. This traffic is also showing up on Fa 0/0 of the router but is not hitting the firewall according to tcpdump. I wouldn't expect to to based on the foreign IP addresses and routing.

paolo bevilacqua Mon, 03/02/2009 - 10:00
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    Founding Member

Hi, seek help from the upstream provider, first question is why you're receiving packets that are not your network. Either you're under a flood attack but not sure how,or something seriously wrong with your ISP.

Actions

This Discussion