Teresa,
I read the email exchanges. Did Cisco resolve the matter for
you? Reading the exchanges below, that is not exactly clear.
If you were getting 4000+ packets per second very late at
night, I would tend to agree with another poster (was it
Rheinhold?) that there is possibly some form of hacking attack
going on. This also assumes that you do not have any late
night scheduled tasks that consume high bandwidth (such as an
across the wire backup). Have you put a sniffer on the wire to
see what is going on? There is a sniffer that you may want to
look at that was written in Italy for a graduate project. The
menus are in English, but the help files are in Italian:
http://netgroup-serv.polito.it/analyzer/
http://netgroup-serv.polito.it/analyzer/install/default.htm
If you are running a non-Windows platform, here is a list of
others out there:
http://www.cotse.com/tools/sniffers.htm
Just to be sure, did Cisco resolve the problem?
v/r,
Paul Werner
---- On Fri, 24 Aug 2001, Teresa Presutto ([EMAIL PROTECTED]) wrote:
> Hi Paul,
>
> The following is the Cisco TAC case story. I closed the case just a few
> minutes ago.
> Let me know what you think about this.
>
> Teresa
>
> Hi,
> I will be assisting you in the case that you have opened with us at
> Cisco TAC. Can you please send the output of "sh arp" that you are
> seeing along with "sh tech". Thanks.
> Hi,
> Teresa, thanks for the info. An incomplete mac address means I am not
> getting the arp info from the host. It may be a bad nic on the host.
> What you can do is make a static arp on the router for that ip address
> with the mac address. The command will be:
> arp 172.17.1.5 arpa
> Also let me know if you can ping that address from the router.
>
> *** NOTES LOG 23-AUG-2001 13:44:57 PST, ciscodotcom, Action Type: Action ***
> Yasser,
> I tried pinging the addresses that came up in my arp cache as
> incomplete, but it didn't ping successfully.
> >It may be a bad nic on the host
> all the hosts in my LAN?
> By the way the situation now is a little bit different.
> I reloaded the router and now I'm able to see all the MAC associated
> with the IP addresses in the arp cache.
> But, please, see these outputs.
> In the first "sh int eth0/1" I see
> 4494 collisions, 11176 deferred.
> After a few seconds:
> 4497 collisions, 11184 deferred.
> Something is going wrong. Here it is 22.40 (PM), nobody is working, so not too
> much traffic "should" be passing through the lan...
> With my best,
> Teresa
>
>
>
> *** EMAIL OUT 23-AUG-2001 16:44:14 PST Action Type: Email Out ***
>
> Hi,
> Teresa, is this router connected to the switch on the ethernet side? If
> it is then can you verify if the switch has good entries for the mac
> addresses of the PC's. Also you can run "debug arp" on the router and you
> will see that the router is sending arp request but never getting any
> replies back.
> *** STATUS CHANGE 23-AUG-2001 16:44:14 PST: ***
>
>
> *** NOTES LOG 24-AUG-2001 01:44:32 PST Action Type: Requeue Reason ***
> current engineer unavailable
>
> *** NOTES LOG 24-AUG-2001 01:45:03 PST Action Type: ***
>
>
> *** CASE LOG 24-AUG-2001 06:18:25 PST Action Type: Action ***
> *p*
> dialin and found cpu 100%.
> the cause is due to input queue full:
> grp_ge#sh int e0/1
> Ethernet0/1 is up, line protocol is up
> Hardware is AmdP2, address is 00b0.6469.4641 (bia 00b0.6469.4641)
> Description: "LAN Uffici Genova"
> Internet address is 172.17.1.33/24
> MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
> reliability 255/255, txload 1/255, rxload 18/255
> Encapsulation ARPA, loopback not set
> Keepalive set (10 sec)
> ARP type: ARPA, ARP Timeout 04:00:00
> Last input 00:00:00, output 00:00:00, output hang never
> Last clearing of "show interface" counters never
> Input queue: 201/200/3150766/0 (size/max/drops/flushes); Total output drops: 0
> Queueing strategy: weighted fair
> Output queue: 0/1000/64/0 (size/max total/threshold/drops)
> Conversations 0/1/256 (active/max active/max total)
> Reserved Conversations 0/0 (allocated/max allocated)
> Available Bandwidth 7500 kilobits/sec
> 30 second input rate 734000 bits/sec, 1527 packets/sec
> 30 second output rate 3000 bits/sec, 5 packets/sec
> 1816505 packets input, 109294388 bytes, 0 no buffer
> Received 1801634 broadcasts, 0 runts, 0 giants, 0 throttles
> 27318 input errors, 375 CRC, 197 frame, 0 overrun, 26943 ignored
> 0 input packets with dribble condition detected
> 11191 packets output, 749513 bytes, 0 underruns(17/37/0)
> 0 output errors, 54 collisions, 2 interface resets
> 0 babbles, 0 late collision, 3027 deferred
> 0 lost carrier, 0 no carrier
> 0 output buffer failures, 0 output buffers swapped out
> grp_ge# sh controll e0/1
> Interface Ethernet0/1
> Hardware is AMD Presidio2
> ADDR: 80F78818, FASTSEND: 80029158, MCI_INDEX: 0
> DIST ROUTE ENABLED: 0
> Route Cache Flag: 11
> LADRF=0x0000 0x0000 0x0000 0x0000
> CSR0 =0x00000072, CSR3 =0x00001044, CSR4 =0x0000491D, CSR15 =0x00000000
> CSR80 =0x0000D900, CSR114=0x00000000, CRDA =0x02D3E3F0, CXDA =0x02D3E7E0
> BCR9 =0x00000001 (full-duplex)
> HW filtering information:
> Promiscuous Mode Disabled, PHY Addr Enabled, Broadcast Addr Enabled
> PHY Addr=00B0.6469.4641, Multicast Filter=0x0000 0x0000 0x0000 0x0000
> amdp2_instance=0x80F7A4D8, registers=0x40100000, ib=0x2D3E240
> rx ring entries=32, tx ring entries=64
> rxring=0x2D3E2A0, rxr shadow=0x80F7A610, rx_head=20, rx_tail=0
> txring=0x2D3E4E0, txr shadow=0x80F7A6BC, tx_head=48, tx_tail=48, tx_count=0
> Software MAC address filter(hash:length/addr/mask/hits):
> spurious_idon=0, throttled=0, enabled=0, disabled=0
> rx_framing_err=0, rx_overflow_err=0, rx_buffer_err=0
> rx_bpe_err=0, rx_soft_overflow_err=0, rx_no_enp=0, rx_discard=0
> tx_one_col_err=17, tx_more_col_err=37, tx_no_enp=0, tx_deferred_err=3027
> tx_underrun_err=0, tx_late_collision_err=0, tx_loss_carrier_err=0
> tx_exc_collision_err=0, tx_buff_err=0, fatal_tx_err=0
> hsrp_conf=0, need_af_check=0
> tx_limited=1(4)
> Also reload did not help, tried upgrade to 12.2(3) doesn't help, tried
> to use int e0/0 same behaviour.
> The switch is from lucent
>
> *** CASE LOG 24-AUG-2001 06:28:35 PST Action Type: Action ***
> *p*
> i did a reload with no ip address and i got : Output queue 0/40, 0
> drops; input queue 201/200, 86371 drops
> customer will check the stack of the switch and phone back
>
> *** CASE LOG 24-AUG-2001 08:14:52 PST Action Type: Resolution Summary ***
>
> *p*
> problem was introduced from a SUN that has been turned off
>
>
>
>
> ----- Original Message -----
> From: Paul Werner
> To: Teresa Presutto ; [EMAIL PROTECTED] ; [EMAIL PROTECTED]
> Sent: Friday, August 24, 2001 5:46 PM
> Subject: Re: Re: Subject: Re: sh arp [7:17012]
>
>
> Teresa,
>
> Well, that's more information than was previously disclosed :-)
> That sheds a totally different light on the matter.
>
> Maybe it might be possible to retrace the steps for all of
> this. First, was everything working okay at some time in the
> past? At what point did something change or go wrong? What
> are the exact problems (symptoms) that exist on both the router
> and the switch? Additionally, did somebody recently make an
> equipment change, or change some part of the configuration?
>
> It would probably help tremendously if you could post
> a "sanitized" configuration of both the router and the switch.
> Sanitized means that nothing identifying to your organization,
> nor any passwords are remaining. It may be just a simple
> configuration error on one of these two devices. I can think
> of at least three different possibilities that would cause arp
> failures between a router and a switch. Additionally, just to
> be sure, have you checked both the router and the switch for
> speed and duplex settings on the port? Autonegotiation does
> not work in my humble opinion. You may want to hard code these
> values to the best your router will support, which is probably
> 10Mbps, half duplex. Do the same on the switch port that the
> router is in. Also, make sure there are no "port security"
> issues on the switch. I have seen permanent mac table entries
> and port security both cause a port to be isolated from
O
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17162&t=17012
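
The interface counters quoted in the TAC case log above (a full input queue and almost all received packets being broadcasts) can be checked mechanically. The following is an added example, not part of the original thread and not Cisco tooling; the thresholds and function names are assumptions, and the sample text is an excerpt of the "sh int e0/1" output quoted above.

```python
import re

# Excerpt of the "sh int e0/1" output quoted in the case log above.
SAMPLE = """\
Input queue: 201/200/3150766/0 (size/max/drops/flushes); Total output drops: 0
30 second input rate 734000 bits/sec, 1527 packets/sec
1816505 packets input, 109294388 bytes, 0 no buffer
Received 1801634 broadcasts, 0 runts, 0 giants, 0 throttles
"""

# Thresholds are illustrative assumptions, not vendor guidance.
BROADCAST_SHARE_MAX = 0.20
INPUT_DROP_SHARE_MAX = 0.01

# The queue pattern accepts both forms seen in the thread:
# "Input queue: 201/200/3150766/0" and "input queue 201/200, 86371 drops".
PATTERNS = {
    "queue": r"[Ii]nput queue:? (\d+)/(\d+)(?:/|, )(\d+)",
    "packets_in": r"(\d+) packets input",
    "broadcasts": r"Received (\d+) broadcasts",
}

def parse_counters(text):
    """Extract the counters relevant to a broadcast flood from IOS output."""
    found = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"counter not found: {name}")
        found[name] = tuple(int(g) for g in m.groups())
    size, qmax, drops = found["queue"]
    return {"queue_size": size, "queue_max": qmax, "queue_drops": drops,
            "packets_in": found["packets_in"][0],
            "broadcasts": found["broadcasts"][0]}

def assess(c):
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    share = c["broadcasts"] / c["packets_in"] if c["packets_in"] else 0.0
    if share > BROADCAST_SHARE_MAX:
        findings.append(f"broadcast share {share:.1%} of input packets")
    if c["queue_size"] >= c["queue_max"]:
        findings.append(f"input queue full ({c['queue_size']}/{c['queue_max']})")
    offered = c["packets_in"] + c["queue_drops"]
    if offered and c["queue_drops"] / offered > INPUT_DROP_SHARE_MAX:
        findings.append(f"{c['queue_drops']} input queue drops")
    return findings

if __name__ == "__main__":
    for line in assess(parse_counters(SAMPLE)):
        print("FLAG:", line)
```

All three findings fire on the quoted output, which matches the case resolution: a single host flooding the segment with broadcasts, not a fault on the router.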