[c-nsp] huge amount of weird traffic on point-to-point ethernet link

Primoz Jeroncic jp at softnet.si
Thu Nov 9 06:40:01 EST 2006


Hi guys

I had some weird traffic appearing on one of our ethernet links and
I have no idea how to find out the source of this traffic.

But first a bit of background so you can understand my scheme a bit
better.

I have a main router with no default route (just BGP with full table)
and then I have an ethernet link connected to another router (actually
an L3 switch) where a few clients are connected (on L3 ports of course).
This L3 switch has a default route pointing to the main router.

Ok now my problem... Ethernet utilization on the main router went up to
100% and when I was checking traffic with netflow I noticed a huge
amount of traffic between 172.16.6.222 and 172.16.10.101. There
were less than 30 flows in 30mins, but there was more than
6GB of traffic between those two addresses in this time.

The really weird thing is that I don't route private prefixes over this
link and none of the routers (main router and L3 switches) has the 172.16.0.0/12
prefix (or part of it) in its routing tables. Also there are no private
prefixes in any of my routing tables.

When I was trying to find the port from which this traffic came, I noticed
there was high utilization only on the link between the main router and the L3
switch, and none of the ports to clients had any extreme traffic. Traffic
between the main router and the L3 switch was around 100Mbps, while all clients
connected to the L3 switch together had less than 50Mbps at that time.
So it looked to me like traffic was being generated and then somehow
bouncing between the L3 switch and the main router. But due to the really low number
of flows it's even more weird.

Does anyone have some idea how to locate what exactly is happening?
I don't mean in retrospect, but in case it happens again in the
future. For now I routed 172.16.0.0/12 to Null0 on the main router and
the traffic stopped, but I still want to know what or who caused this
weird traffic.

PS: Just another piece of info... the traffic didn't go out on any other ports on
the main router, so it was really just on the link between the main router and the L3
switch.


Thanks for help in advance.

Have fun,
Primoz Jeroncic
Support - IP Connectivity & Routing
-------------------------------------------------------------------
Softnet d.o.o.  tel:  +386 1 562 31 40   |
Borovec 2       fax:  +386 1 562 18 55   |       1 + 1 = 3
1236 Trzin      primoz(at)softnet.si     | for larger values of 1
Slovenija       http://flea.softnet.si/
-------------------------------------------------------------------
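
One way to catch a recurrence of the pattern described in the post (few flows, very large byte counts, endpoints in prefixes that no routing table carries) from exported flow records. This is an added example, not part of the original message. The CSV column layout, interface names, byte counts and the 1 GB threshold are assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# RFC 1918 space: the post states no private prefix is in any routing table.
UNROUTED = [ipaddress.ip_network(p) for p in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records, one per line (hypothetical export format).
SAMPLE = """\
src,dst,in_if,bytes
172.16.6.222,172.16.10.101,Fa0/1,2100000000
172.16.6.222,172.16.10.101,Fa0/1,1900000000
172.16.10.101,172.16.6.222,Fa0/1,2200000000
192.0.2.10,198.51.100.7,Fa0/1,81000000
10.1.1.1,203.0.113.5,Fa0/2,1800
"""

def is_unrouted(addr):
    """True if addr falls inside a prefix that should never appear on the link."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in UNROUTED)

def suspicious_pairs(csv_text, min_bytes=1_000_000_000):
    """Aggregate flows per address pair; report heavy pairs touching unrouted space."""
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0, "in_ifs": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not (is_unrouted(row["src"]) or is_unrouted(row["dst"])):
            continue
        # Fold both directions of a conversation into one key.
        key = tuple(sorted((row["src"], row["dst"])))
        totals[key]["flows"] += 1
        totals[key]["bytes"] += int(row["bytes"])
        totals[key]["in_ifs"].add(row["in_if"])  # where the traffic entered
    hits = [{"pair": pair, "flows": t["flows"], "bytes": t["bytes"],
             "bytes_per_flow": t["bytes"] // t["flows"],
             "in_ifs": sorted(t["in_ifs"])}
            for pair, t in totals.items() if t["bytes"] >= min_bytes]
    return sorted(hits, key=lambda h: h["bytes"], reverse=True)

if __name__ == "__main__":
    for hit in suspicious_pairs(SAMPLE):
        print(hit)
```

The input interface recorded with each flagged pair is the starting point for tracing the traffic hop by hop toward its source.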


