Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Bandwidth peak skyrocketting

We have some 2900xl switches, the main link is set to 100Mbytes/s and servers links are setup to 10Mbytes/s and during a DDOS using fragmented packets. During a DDOS attack, the MRTG stats on the workstations ports (10Mbytes limited on switch using the speed command) went up to ~90Mbytes by peaks.

How it is possible to exceed the speed limit? When we tried to spray for testing, we couldn't go over 10Mbytes/s.

Anyone experience this? Is it possible to bypass the 10Mbytes/s limit on one port?

Regards.

F.

4 REPLIES

Re: Bandwidth peak skyrocketting

Two obvious points but need to be asked:

-The port is indeed set to 10mbs (do a show port x/x)

-MRTG is set to bits, not bytes - In your mrtg.cfg file, is your MaxBytes[xxxxx]: 125000 or 1250000 (ethernet) or 12500000 (fast)? Are you using the "Options[xxxx]: bits"?

There is a free app called Qcheck (from NetIQ) that can measure the throughput on a link. Download it and try what it says.

If the port is 10Mbs and mrtg is set up correct, it is strange. It's not possible to exceed the practical limits - ie you can't get 110mbs on a 100Mbs link, but I guess it would be possible to get more from a 10Mbs switch port through a internal error or bug as the port and cable can go up to 100Mbs - but I haven't heard of that before.

Steve

New Member

Re: Bandwidth peak skyrocketting

Sorry, all my post is in bytes, it's bits.

The ports are indeed set up to 10Mbps and traffic was going up to 90Mbps

In mrtg config files, you have both

- Options[_]: bits

- MaxBytes[IP_Port]: 12500000

Thanks for helping.

F.

Re: Bandwidth peak skyrocketting

That's it then. Change your MaxBytes to 1250000 and you will be fine. MRTG thinks your port is 100Mbs, so it reports it as 90Mbs. Make the port 10Mbs and it will report traffic correctly as 9Mbs.

Steve

New Member

Re: Bandwidth peak skyrocketting

We made the following test.

Ping flood over 17Mbps

MaxBytes at 1250000, mrtg graph toping at 9.9Mbps

MaxBytes at 12500000, mrtg graph also toping at 9.9Mbps

So it's not a scale problem on MRTG.

During the attack that was against one host, all the ports were flooded like if the switches was behaving like a hub (forgetting the mac?).

any idea?

Thanks.

F.

87
Views
0
Helpful
4
Replies
CreatePlease to create content