One of our LANs is getting bombed by what is probably a Sasser variant that jams the router (a 7-year-old 2524 w/T1 DSU/CSU)....
Port 445 was closed on the router, so we can see which workstation IPs are spewing the garbage that is trying to get out on port 445...
problem: this is a large LAN, and many IPs are showing up when we do a sho log to see which workstations are hitting the port.... by tedious process of elimination we have gotten two wings of the building back up, but one very large wing with many workstations still bogs down the router when we plug in its IDF to the core switch, and we're having a hard time identifying the workstation(s) that are causing the router to clog up...
3 questions:
1. how do you CLEAR on the fly the ipaccesslog that is being referred to on sho log? (other than rebooting the router)...
2. on the following log line:
%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.20.100.178(4406) -> 10.20.10.1(445) 1 packet
WHAT is the value in parens after the workstation IP? (the other IP is the router followed by the port that is closed)....
3. will the workstation(s) that are jamming the router stand out among the others that show up that apparently are not doing harm?
mtia!
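Added example, not part of the original post: one way to tally the denied port-445 lines from saved sho log output per source address, so the heaviest senders sort to the top. The function name and every sample log line except the one quoted in the post are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the IPACCESSLOGP form quoted in the post. The comma before the
# packet count is optional because the post's copy of the line has none.
# In this message the number in parentheses after each address is the port.
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\),? (?P<count>\d+) packets?"
)

def rank_sources(log_text, dport=445):
    """Return [(src_ip, packets, distinct_dsts)], heaviest sender first."""
    packets = defaultdict(int)
    dsts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)  # search() tolerates a timestamp prefix
        if not m or int(m["dport"]) != dport:
            continue
        # Sum the packet count each line reports rather than counting lines.
        packets[m["src"]] += int(m["count"])
        dsts[m["src"]].add(m["dst"])
    rows = [(ip, packets[ip], len(dsts[ip])) for ip in packets]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

# Constructed sample input; only the first line is the one quoted in the post.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.20.100.178(4406) -> 10.20.10.1(445) 1 packet
%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.20.100.57(1034) -> 10.20.10.1(445), 212 packets
%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.20.100.57(1035) -> 192.0.2.44(445), 187 packets
%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.20.100.91(2210) -> 10.20.10.1(445), 3 packets
%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.20.100.91(2211) -> 10.20.10.1(139), 9 packets
%LINK-3-UPDOWN: Interface Serial0, changed state to up
%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.20.100.178(4407) -> 10.20.10.1(445), 1 packet
"""

if __name__ == "__main__":
    print(f"{'source':<16}{'packets':>8}{'dsts':>6}")
    for ip, pkts, ndst in rank_sources(SAMPLE_LOG):
        print(f"{ip:<16}{pkts:>8}{ndst:>6}")
```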