
Flood protection MTU 1500 fragmented

Hello,

I've just recently been faced with a flood on a 3750 that I can't seem to handle and would greatly appreciate any help offered.

I have the following setup:

24 interfaces used out of 48 on a Cisco 3750.

The C3750 has unicast storm control, which prevents it from failing in case of a flood with many small packets.

All this was fine until recently, when the users behind it started a flood that looks like this:

1) each packet has size = Ethernet MTU = 1500

2) each packet has the same ID and different offsets, so they are made to look like fragmented packets

3) On my Linux border router (plugged into the C3750), with tcpdump -n -i eth1 -vvv I see:

21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp

21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp

21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp

21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp

21:00:52.941640 IP (tos 0x0, ttl 127, id 28639, offset 17760, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp

As you can see, it has no UDP source port or destination port in the packet header.

When this happens, although the C3750 CPU is not more than 30%, all traffic that is routed through it has a loss of 80-90%.

Has anyone ever encountered this?

Is there a way to filter it in the future?

Any advice or some links in regard to this would be greatly appreciated.

Sorry if I have misplaced the list for problems like this.
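The capture above shows the signature of this kind of flood: every packet is a non-initial fragment (offset > 0, More Fragments set) sharing one IP id, and no initial fragment ever arrives, so nothing can be reassembled and no transport header is visible. The following is an added example, not code from the original post or from Cisco, that parses tcpdump -vvv lines of the form shown and flags (src, dst, id) groups that look like a fragment flood. The parsing regex, the threshold, and the 192.0.2.x lines mixed in as legitimate traffic are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches the IPv4 header line printed by "tcpdump -n -vvv" as it appears in the
# post. Constructed regex; field order follows that output. tcpdump prints the
# fragment offset already converted to bytes, and "+" in flags means More Fragments.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(tos 0x[0-9a-f]+, ttl (?P<ttl>\d+), "
    r"id (?P<id>\d+), offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"length: (?P<length>\d+)\) (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<proto>\w+)"
)

IPV4_HDR = 20          # assumed: no IP options
MAX_DATAGRAM = 65535   # largest reassembled IPv4 datagram


def parse_line(line):
    """Return a dict of header fields for one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("ttl", "id", "offset", "length"):
        d[k] = int(d[k])
    d["more_fragments"] = "+" in d["flags"]
    d["is_fragment"] = d["offset"] > 0 or d["more_fragments"]
    return d


def analyze(lines, min_fragments=4):
    """Group fragments by (src, dst, IP id) and return the groups that look like a
    fragment flood: at least min_fragments non-initial fragments with no initial
    (offset 0) fragment seen, or fragments whose end lies beyond the maximum
    datagram size. Either way the receiver can never reassemble them."""
    groups = defaultdict(lambda: {"fragments": 0, "initial_seen": False, "max_end": 0})
    for line in lines:
        p = parse_line(line)
        if p is None or not p["is_fragment"]:
            continue
        g = groups[(p["src"], p["dst"], p["id"])]
        g["fragments"] += 1
        if p["offset"] == 0:
            g["initial_seen"] = True
        # Where this fragment's payload ends inside the reassembled datagram.
        end = p["offset"] + p["length"] - IPV4_HDR
        g["max_end"] = max(g["max_end"], end)

    suspicious = {}
    for key, g in groups.items():
        if g["fragments"] >= min_fragments and not g["initial_seen"]:
            suspicious[key] = g
        elif g["max_end"] > MAX_DATAGRAM:
            suspicious[key] = g
    return suspicious


# Constructed sample: the five lines from the post plus three legitimate lines
# (one normally fragmented 2000-byte UDP datagram and one small unfragmented one).
SAMPLE = [
    "21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp",
    "21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp",
    "21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp",
    "21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp",
    "21:00:52.941640 IP (tos 0x0, ttl 127, id 28639, offset 17760, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp",
    "21:00:53.000100 IP (tos 0x0, ttl 64, id 4242, offset 0, flags [+], length: 1500) 192.0.2.10 > 192.0.2.20: UDP, length 2000",
    "21:00:53.000200 IP (tos 0x0, ttl 64, id 4242, offset 1480, flags [none], length: 548) 192.0.2.10 > 192.0.2.20: udp",
    "21:00:53.000300 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], length: 60) 192.0.2.10 > 192.0.2.20: UDP, length 32",
]

if __name__ == "__main__":
    for (src, dst, ipid), g in analyze(SAMPLE).items():
        print(f"suspicious fragment group {src} > {dst} id {ipid}: "
              f"{g['fragments']} fragments, no initial fragment, last byte at {g['max_end']}")
```

Run it against a saved capture with `analyze(open("capture.txt"))`; the legitimate id 4242 pair is left alone because its offset-0 fragment was seen, while the id 28639 group from the post is reported. On the switch side, fragments that carry no transport header are exactly the ones an ACL cannot match on ports, which is why filtering by source address (as the reply below suggests) or by the fragment bit is the usual lever.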


Re: Flood protection MTU 1500 fragmented

Your problem is not very clear to me. If someone is flooding your switch with strange packets, why not tell them not to do so, or even use an ACL to block that traffic from entering the switch, if you know the real source of the traffic.

Is the destination address that you see genuine? If not, I am guessing that the high packet loss is due to the fact that the switch is unable to route them and is simply dropping them.
