We have a 3745 that has a DS3 connection into a frame cloud. Yesterday we noticed that the serial interface had almost 100% of bandwidth being used outbound. I set up NetFlow to see what was using it, and it wasn't consistent. I tried to block ports and servers in an ACL, and I applied it inbound on the serial interface, but that didn't make a difference. The configuration for the port is here and I've bolded the lines that we're concerned with:
Serial1/0 is up, line protocol is up
Hardware is DSXPNM Serial
Description: DS3 connection for the GO
MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
reliability 255/255, txload 92/255, rxload 8/255
Encapsulation FRAME-RELAY IETF, crc 16, loopback not set
Keepalive set (10 sec)
LMI enq sent 5539, LMI stat recvd 5539, LMI upd recvd 0, DTE LMI up
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
DSU mode 0, bandwidth 44210, real bandwidth 44210, scramble 0
a.) The DSU line that we have is a 20mb connection, but the default is 44210. The line is in the running config as "dsu bandwidth 44210", but according to Cisco that is the default. I think this is primarily for calculations, and that would mean that my "tx load" would be even higher than it shows now.
b.) The tx load is almost at 100% if we take into calculation that it's around 30% now, but it "thinks" it's a 45mb pipe. If we convert that to a 20mb calculation, then the transmit rate would naturally increase to something around 225/255. (Does that make sense?)
c.) The 30 second output is at 16mb, which means that there's 16mb of data going out CONSTANT out of a 20mb connection. This isn't normal for this connection.
d.) Do I need to be concerned with the dropped packets?
Also, when we're talking about output for this interface, is that output respective of the direction? I mean if I'm sending traffic through the router from one side and it's going into my network, does that register as output as well as sending traffic out of my network?
I'm at a loss as to why there's so much traffic, and where it's coming from and I hope you guys can give me some pointers as to what's going on. This is not a new connection either by the way; this just started happening yesterday morning.
You could put the command bandwidth 20000 to verify your bandwidth use. This is mainly administrative and will be used for bandwidth calculations as well as routing protocols.
The output interface is what your network is sending, so it is sourced in your network. If there is a sudden increase you may want to investigate whether there is a sudden increase in demand on a server in your network, otherwise a worm or virus may have managed to find its way onto one or more workstations.
We tried to block several different ports that were coming through NetFlow, but there was no difference. At first we thought that the server group may have been doing upgrades, but that wasn't the case either.
If you see no load increase on any of your servers it seems likely a worm or similar has become active. Since these do not always use "known ports" it's difficult to find. If you have stats on workstations in the LAN you could use that to identify any source or sources for this increase in load.
Other than NetFlow, what's another really good way to determine what address is sending major traffic? I've tried ACLs that permit anything through and then changed the logging update threshold, but I just seem to get a ton of crap because of the way the connection is into the cloud.
While you might try something like IP accounting to categorize and identify the traffic, I think that NetFlow is the optimum tool for this purpose. Are you reading the NetFlow results manually on the router or are you exporting NetFlow to some device that gathers data and reports results over some time period (the better solution)?
Does the code that you are running support the NetFlow top talker functionality? If so that would be the easy way to find what is generating the most traffic.
Your original post talked about bandwidth (which is just administrative) and about dsu bandwidth which could be a controller command and if so is more than just administrative. Could you post the controller/service module (if present) and interface configuration?
I'm using the free version of Solarwinds Netflow to collect. I set up top talkers on the router, but the data isn't consistent with what I'm seeing on the output of the interface. For instance, my top 10 doesn't equal 80% of the bandwidth (all of them are maxing out at a certain kb, but only equates to about 2mb of speed). I don't have a collector that can write to a database for trending.
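An added example, not written by any poster in this thread: one way to reconcile exported flow data with the interface counters discussed above. It converts the txload/BW pair from the interface output into a rate, sums flow bytes per source, and reports how much of the interface rate the top sources explain. The flow tuple layout, the 30-second window and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

def txload_to_kbps(txload, bw_kbit):
    """IOS shows load as x/255 of the interface's configured BW value."""
    return txload / 255 * bw_kbit

def rescale_load(txload, bw_kbit, real_kbit):
    """The same traffic expressed as x/255 of the real circuit rate."""
    return round(txload_to_kbps(txload, bw_kbit) / real_kbit * 255)

def top_sources(flows, window_s, n=10):
    """flows: (src, dst, dst_port, bytes) tuples seen during window_s seconds.
    Returns [(src, kbps, distinct_destinations)], highest rate first."""
    octets = defaultdict(int)
    dsts = defaultdict(set)
    for src, dst, _dport, nbytes in flows:
        octets[src] += nbytes
        dsts[src].add(dst)
    ranked = sorted(octets, key=octets.get, reverse=True)[:n]
    return [(s, octets[s] * 8 / window_s / 1000, len(dsts[s])) for s in ranked]

def coverage(flows, window_s, txload, bw_kbit, n=10):
    """Fraction of the interface output rate explained by the top-n sources."""
    top_kbps = sum(kbps for _, kbps, _ in top_sources(flows, window_s, n))
    return top_kbps / txload_to_kbps(txload, bw_kbit)

# Constructed sample: flows exported over one 30-second window.
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.1", 445, 3_000_000),
    ("192.0.2.10", "198.51.100.2", 445, 3_000_000),
    ("192.0.2.10", "198.51.100.3", 445, 1_500_000),
    ("192.0.2.20", "198.51.100.9", 80, 750_000),
]

if __name__ == "__main__":
    # Values taken from the interface output in the first post.
    print("interface kbps:", round(txload_to_kbps(92, 44210)))
    print("load vs 20 Mb :", rescale_load(92, 44210, 20000), "/255")
    for src, kbps, fanout in top_sources(SAMPLE_FLOWS, 30):
        print(f"{src:15} {kbps:8.0f} kbps  {fanout} destinations")
    # Low coverage: the load is spread over many sources or over traffic
    # the flow export is not capturing on this interface and direction.
    print("coverage:", f"{coverage(SAMPLE_FLOWS, 30, 92, 44210):.0%}")
```

A source with a high distinct-destination count relative to its byte total is the one to inspect first when a worm is suspected.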