How to examine ip traffic alerts

Feb 18th, 2010

We're checking a 3750 switch for issues and we ran the command "show ip traffic".  Under the IP statistics, it shows alerts.  Does anyone know how to examine these alerts and see what they are?  See the output below:

FOR_GA293_3750SFPstk_Gr1#show ip traffic
IP statistics:
  Rcvd:  2203803 total, 354127 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
         0 unknown protocol, 1843512 not a gateway
         0 security failures, 0 bad options, 1069112 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 1069112 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 couldn't fragment
  Bcast: 328776 received, 1 sent
  Mcast: 0 received, 0 sent
  Sent:  25617 generated, 6885 forwarded
  Drop:  53 encapsulation failed, 0 unresolved, 0 no adjacency
         0 no route, 0 unicast RPF, 0 forced drop
         0 options denied, 0 source IP address zero


xcz504d1114 Thu, 02/18/2010 - 08:16

Notice the number of alerts matches the number of IP packets that were sent with "Options".

An alert does not mean anything except "you may want to look at this" and respectively "you may not".

Some examples of traffic that uses IP options: RSVP, MPLS, IGMPv2. IP options can be used in some forms of DoS attacks, but they are also used in normal traffic.

If you are 100% sure you don't have traffic using IP options, you can configure the "ip options drop" command in global configuration. Again, the emphasis is on it being an alert, meaning you may or may not be concerned with it.

Setting up a SPAN and looking at the traffic is probably the best way to be 100% certain of the information.
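
One way to act on the SPAN suggestion above, as an added example that is not part of the original thread: a Python parser that walks the options field of captured IPv4 headers and tallies which protocol carries which option. The function names and sample packets are constructed for illustration, and the mapping assumes the "alert" counter corresponds to the Router Alert option (type 148, RFC 2113).

```python
import struct
from collections import Counter

# IPv4 option type -> name used on the "Opts:" line (RFC 791, RFC 1108, RFC 2113).
OPTION_NAMES = {0: "end", 1: "nop", 7: "record route", 68: "timestamp",
                130: "basic security", 131: "loose source route",
                133: "extended security", 134: "cipso", 136: "stream ID",
                137: "strict source route", 148: "alert", 152: "ump"}
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 46: "RSVP"}

def ip_options(packet: bytes) -> list:
    """Return the names of the IP options in one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (packet[0] & 0x0F) * 4
    if header_len < 20 or header_len > len(packet):
        raise ValueError("bad header length")
    opts, names, i = packet[20:header_len], [], 0
    while i < len(opts):
        kind = opts[i]
        names.append(OPTION_NAMES.get(kind, "other"))
        if kind == 0:            # End of Option List: the rest is padding
            break
        if kind == 1:            # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        i += opts[i + 1]         # skip type, length and data
    return names

def summarize(packets) -> Counter:
    """Count (protocol, option name) pairs across captured packets."""
    tally = Counter()
    for pkt in packets:
        proto = PROTO_NAMES.get(pkt[9], str(pkt[9]))
        tally.update((proto, name) for name in ip_options(pkt))
    return tally

def build_header(proto: int, options: bytes = b"") -> bytes:
    """Constructed sample data: a bare IPv4 header, checksum left at zero."""
    options += b"\x00" * (-len(options) % 4)
    return struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                       20 + len(options), 0, 0, 1, proto, 0,
                       bytes([10, 0, 0, 5]), bytes([224, 0, 0, 1])) + options

ROUTER_ALERT = b"\x94\x04\x00\x00"   # type 148, length 4, value 0
SAMPLE = [build_header(2, ROUTER_ALERT), build_header(46, ROUTER_ALERT),
          build_header(6), build_header(1, b"\x07\x07\x04\x00\x00\x00\x00")]
```

`summarize(SAMPLE)` returns the per-protocol tally for the constructed packets; for a real capture, pass it the raw IP packets with the link-layer header stripped.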