Cisco Support Community
New Member

MARS receiving Netflows with 0.0.0.0/0

I am sending Netflows from my 6500s to MARS. I seem to get a lot of events that have 0.0.0.0/0 as the source and a lot that show that address and port as the destination.

Are these broadcasts?

Also, most of my Netflow events are "Sudden Increase in traffic to a port". I turned on Netflow processing a week ago, yet a lot of the raw events still show the mean as 0.

1 REPLY
Silver

Re: MARS receiving Netflows with 0.0.0.0/0

I've been told that the "Sudden Increase in traffic to a port" means that MARS has seen a situation where the traffic to a port is more than 2 standard deviations from its normal traffic rate.

In the normal course of its operations, MARS develops a baseline of the network using Netflow. Consequently it's perfectly normal for there to be moments where you have spikes in traffic which would trigger this sort of event. It's then up to the administrator to determine if this is a false positive or not.

Hope this helps.

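The two-standard-deviation rule described in the reply above, sketched as an added example; it is not part of the original thread and is not MARS's own implementation. The class and function names, the `min_samples` warm-up and the per-interval flow counts are assumptions made for illustration.

```python
import math
from collections import defaultdict

class PortBaseline:
    """Running mean/variance of per-interval flow counts for one port (Welford)."""
    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def stddev(self):
        # Sample standard deviation; undefined (reported as 0) below two samples.
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

def detect_spikes(intervals, k=2.0, min_samples=5):
    """intervals: list of {dst_port: flow_count}, one dict per time interval.
    Returns (interval_index, port, count, baseline_mean, baseline_stddev) tuples."""
    baselines = defaultdict(PortBaseline)
    alerts = []
    for i, counts in enumerate(intervals):
        for port, count in counts.items():
            b = baselines[port]
            # Score against history only. A port with no history has mean 0 in
            # this sketch, so min_samples (assumed) holds alerts back until a
            # baseline exists.
            if b.n >= min_samples and count > b.mean + k * b.stddev():
                alerts.append((i, port, count, round(b.mean, 2), round(b.stddev(), 2)))
            # The spike is folded into the baseline too, which widens the
            # threshold afterwards; an analyst may prefer to exclude it.
            b.update(count)
    return alerts

# Constructed sample data: flows per interval to ports 443 and 53.
SAMPLE = [
    {443: 100, 53: 40}, {443: 104, 53: 42}, {443: 98, 53: 38},
    {443: 101, 53: 41}, {443: 97, 53: 39}, {443: 103, 53: 40},
    {443: 99, 53: 400},   # spike to port 53
    {443: 180, 53: 41},   # spike to port 443
]

if __name__ == "__main__":
    for alert in detect_spikes(SAMPLE):
        print("Sudden increase: interval %d port %d count %d (mean %.2f, sd %.2f)" % alert)
```

Each flagged tuple carries the mean and deviation it was scored against, which is what an administrator needs when deciding whether the event is a false positive.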