
Bandwidth peak skyrocketing

fganach
Level 1

We have some 2900xl switches; the main link is set to 100Mbytes/s and server links are set up to 10Mbytes/s. During a DDoS attack using fragmented packets, the MRTG stats on the workstation ports (limited to 10Mbytes on the switch using the speed command) went up to ~90Mbytes in peaks.

How is it possible to exceed the speed limit? When we tried to spray for testing, we couldn't go over 10Mbytes/s.

Has anyone experienced this? Is it possible to bypass the 10Mbytes/s limit on one port?

Regards.

F.


steve.barlow
Level 7

Two obvious points but need to be asked:

-The port is indeed set to 10mbs (do a show port x/x)

-MRTG is set to bits, not bytes - In your mrtg.cfg file, is your MaxBytes[xxxxx]: 125000 or 1250000 (ethernet) or 12500000 (fast)? Are you using the "Options[xxxx]: bits"?

There is a free app called Qcheck (from NetIQ) that can measure the throughput on a link. Download it and try what it says.

If the port is 10Mbs and mrtg is set up correctly, it is strange. It's not possible to exceed the practical limits - i.e. you can't get 110mbs on a 100Mbs link, but I guess it would be possible to get more from a 10Mbs switch port through an internal error or bug as the port and cable can go up to 100Mbs - but I haven't heard of that before.

Steve

Sorry, all my post is in bytes, it's bits.

The ports are indeed set up to 10Mbps and traffic was going up to 90Mbps.

In mrtg config files, you have both

- Options[_]: bits

- MaxBytes[IP_Port]: 12500000

Thanks for helping.

F.

That's it then. Change your MaxBytes to 1250000 and you will be fine. MRTG thinks your port is 100Mbs, so it reports it as 90Mbs. Make the port 10Mbs and it will report traffic correctly as 9Mbs.

Steve

We made the following test.

Ping flood over 17Mbps

MaxBytes at 1250000, mrtg graph topping at 9.9Mbps

MaxBytes at 12500000, mrtg graph also topping at 9.9Mbps

So it's not a scale problem on MRTG.

During the attack that was against one host, all the ports were flooded as if the switches were behaving like a hub (forgetting the mac?).

Any idea?

Thanks.

F.
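
The MaxBytes and "bits" check raised in the replies above, as an added example that is not part of the original thread: a small auditor that parses mrtg.cfg lines, applies `[_]` defaults in simplified form, and compares `MaxBytes` (bytes per second) with the configured port speed. The target names, sample config and port speed table are constructed assumptions.

```python
import re

# Constructed sample mrtg.cfg fragment; target names are hypothetical.
SAMPLE_CFG = """\
Options[_]: bits
MaxBytes[sw1_port3]: 12500000
MaxBytes[sw1_port4]: 1250000
Options[sw1_port5]: growright
MaxBytes[sw1_port5]: 1250000
"""

# Assumed port speeds in bits/s, as configured on the switch.
PORT_SPEED_BPS = {"sw1_port3": 10_000_000,
                  "sw1_port4": 10_000_000,
                  "sw1_port5": 10_000_000}

LINE_RE = re.compile(r"^(\w+)\[([^\]]+)\]:\s*(.*)$")

def parse_cfg(text):
    """Return {target: {keyword: value}}; [_] defaults are copied into
    each target the first time it appears (simplified MRTG behaviour)."""
    defaults, targets = {}, {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # comments, blank lines, global keywords
        key, target, value = m.group(1).lower(), m.group(2), m.group(3).strip()
        if target == "_":
            defaults[key] = value
        else:
            targets.setdefault(target, dict(defaults))[key] = value
    return targets

def check(text, speeds):
    """Return (target, MaxBytes in bits/s, graph in bits?, status) tuples."""
    findings = []
    for target, kv in sorted(parse_cfg(text).items()):
        if "maxbytes" not in kv or target not in speeds:
            continue
        max_bps = int(kv["maxbytes"]) * 8  # MaxBytes is bytes per second
        in_bits = "bits" in re.split(r"[,\s]+", kv.get("options", ""))
        status = "ok" if max_bps == speeds[target] else "mismatch"
        findings.append((target, max_bps, in_bits, status))
    return findings

if __name__ == "__main__":
    for row in check(SAMPLE_CFG, PORT_SPEED_BPS):
        print(row)
```

A target reported with `in_bits` false has lost the `bits` option to a per-target `Options` line, so its graph is in bytes per second.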
