Hi Gary,
my scenario is:
LAN <--Fiber uplink VLAN 14 -> Core <- VLAN 14 untagged my ntop |
I'm in one untagged port of Core (D-Link 6500) in the same vlan. It's
not a mirror, just in vlan 14 without any IP address.
As I said in my last email, I'm not worried about what the source of the
storm is, but how to use ntop to detect it before users do :)
Thanks
Jeronimo
Gary Gatten wrote:
> Malware on the system? Bad NIC hardware? Many things are possible including
> bridging loop. Depending on your switch architecture there are usually
> things you can implement on the distribution and core layers to mitigate the
> impact of these issues. If you have Cisco stuff I could help, if something
> else I can't help much.
>
> Depending where your nTop box is placed (logically) and how it's actually
> seeing the traffic impacts what it can report on; Ie: mirrored uplinks?
> Mirrored access ports? Mirrored VLANs? Shared hub?
>
> Also, what version of STP are you running? PVST+, RSTP, MST?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of José Queiroz
> Sent: Monday, April 14, 2008 12:56 PM
> To: [email protected]
> Subject: Re: [Ntop] NTOP against Broadcast Storms
>
> Hi Jerônimo,
>
> There is no reason a computer could send 11K packets of ARP, unless
> there is a switching loop there.
>
> Say, do you use in your network those small and cheap switches, such as
> DLink DES-1008, Encore ENL-901NWay, etc.?
>
> When these devices are installed directly in users' rooms, it's easy
> for the users to change the way the cables are mounted and create
> switching loops. I went through this problem myself...
>
> PS/Off-topic: I'm from Rio de Janeiro; if you'd like, I can help you
> identify the point where this loop is happening.
>
> 2008/4/14, Jerônimo Bezerra <[EMAIL PROTECTED]>:
>
>> Hello All,
>>
>> I'm sorry for the comma; my intention was to say 11 000 pps :) My scenario follows:
>>
>> 80 VLANs, each of them with 100 to 600 computers;
>> my ntop's NIC is tagged to 3 VLANs ( 14, 145, 137 );
>> some unmanaged switches, some hubs, and some managed switches on each VLAN;
>>
>> In one VLAN ( 145 ) one computer was sending 11 000 pps of ARP
>> broadcast, and my ntop was telling me just 300 pps. That's my question:
>> why 300 pps?
>> My core router was at 99% CPU.
>>
>> Jeronimo
>>
>> Graeme Fowler wrote:
>>
>> > On Mon, 2008-04-14 at 11:06 -0500, Gary Gatten wrote:
>> >
>> >> 11 or 100 pps is nothing - not even close to anything to worry about. A
>> >> 10Mb Ethernet "network" does over 19K pps. Most broadcast storm control
>> >> features default to several thousand pps, so really - 11 or a 100 is a tiny
>> >> fraction of a percent of available bandwidth.
>> >
>> > I think Jeronimo's email lost a bit in translation - it was 11kpps,
>> > phrased as "11.000 pps". Not every written language uses a comma as a
>> > decimal separator for positive powers of ten :)
>> >
>> >> Switching Loops don't cause broadcast storms. If there is a loop it
>> >> won't be found looking for excessive broadcasts.
>> >
>> > Loops in ethernet networks cause all manner of lunacy, because they
>> > amplify anything that isn't unicast. After some time (depending on
>> > hardware), they amplify unicast too as the L2 devices involved age out
>> > or conflict out their MAC tables; once most switches see MAC addresses
>> > on several ports they can get a little confused!
>> >
>> > Jeronimo - you gave no indication of your network topology, and only a
>> > vague description of what happened so it's tricky to tell you why you
>> > didn't see the problem with ntop.
>> >
>> > Graeme
>> >
>> > _______________________________________________
>> > Ntop mailing list
>> > [email protected]
>> > http://listgateway.unipi.it/mailman/listinfo/ntop
>> >
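The question running through this thread is how to notice an ARP broadcast storm on a given VLAN before users do. The following is an added example, not part of the thread and not ntop code: it counts ARP broadcasts per second, per VLAN and source MAC, from raw Ethernet frames and reports buckets above a threshold. The 1000 pps threshold, the MAC addresses and the capture are constructed assumptions; frames seen on an untagged port carry no 802.1Q tag, so their VLAN is reported as `None`.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
ETH_8021Q, ETH_ARP = 0x8100, 0x0806
THRESHOLD_PPS = 1000  # assumed alert level, not a value from the thread

def parse_frame(frame):
    """Return (vlan, src_mac, ethertype, is_broadcast), or None if truncated."""
    if len(frame) < 14:
        return None
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = None  # untagged port: the switch already stripped the tag
    if ethertype == ETH_8021Q:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF  # low 12 bits of the tag are the VLAN ID
    return vlan, src.hex(":"), ethertype, dst == BROADCAST

def storm_alerts(capture, threshold_pps=THRESHOLD_PPS):
    """capture: iterable of (timestamp_seconds, raw_frame).
    Returns (second, vlan, src_mac, pps) for each bucket above the threshold."""
    buckets = Counter()
    for ts, frame in capture:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        vlan, src, ethertype, is_bcast = parsed
        if is_bcast and ethertype == ETH_ARP:
            buckets[(int(ts), vlan, src)] += 1
    hits = [(s, v, m, n) for (s, v, m), n in buckets.items() if n > threshold_pps]
    return sorted(hits, key=lambda h: (h[0], -1 if h[1] is None else h[1], h[2]))

def make_arp(src_mac, vlan=None):
    """Build a constructed ARP broadcast frame (zeroed payload) for the sample."""
    tag = struct.pack("!HH", ETH_8021Q, vlan) if vlan is not None else b""
    src = bytes.fromhex(src_mac.replace(":", ""))
    return BROADCAST + src + tag + struct.pack("!H", ETH_ARP) + b"\x00" * 28

def sample_capture():
    # Constructed: one host on VLAN 145 sends 11,000 ARP broadcasts in one
    # second; a host on VLAN 14 sends 20 in the same second.
    noisy = make_arp("02:00:00:00:01:45", 145)
    quiet = make_arp("02:00:00:00:00:14", 14)
    return ([(100 + i / 11000, noisy) for i in range(11000)]
            + [(100 + i / 20, quiet) for i in range(20)])

if __name__ == "__main__":
    for alert in storm_alerts(sample_capture()):
        print(alert)
```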