Abnormal traffic analysis of voice VLAN

Phenomenon Description: In the wired network, the access layer switch, all the ports that are zoned into the Voice VLAN will show the same traffic performance, and the instantaneous traffic is very large, 30-40 MB level, the stability of the wired network has a great impact.

Device Model:

IP Phone: Avaya multiple models, to 1608 majority, call server model is unknown, because I am not responsible for call server.

Access Layer switch: Cisco Catalyst-2960-48tt-l,ios version 12.2 () SE

From the cacti figure is obvious, all the ports that are zoned into the Voice VLAN, as long as it adds power, whether your terminal is connected to the phone or the computer, or only connected to the computer, not even the phone, as long as you scored the Voice VLAN, as long as the mouth up, he will receive a lot of bags.

This makes when this phenomenon occurs, a large number of stations of the wired network congestion is particularly large, packet loss, while the switch CPU load increased, and then have a certain degree of impact on the normal operation of other VLANs.

Grab Bag:

The attachment is the. pcapng format grab, you can see a lot of from 10.19.90.30 or 10.19.90.35 sent, go to 10.19.107.x, That is, to a phone traffic h.225 retransmission traffic, his purpose MAC address is specific, so not broadcast, but each will receive, which makes me very puzzled.

Issues that need to be addressed

1) Why each device that is zoned into the Voice VLAN receives the same package.

My own guess is that Avaya's keep alive mechanism, from Keepalive mechanisms in the 4th chapter of the Avaya document in the attachment, is that if you use TCP KeepAlive, Clan sends the packet to the phone, the source TCP port is 1720, the purpose of TCP port is random, which is consistent with the capture packet content. 2nd, the content of KeepAlive h.225 is empty, which is also in line with the clutch. , the grab bag and the document are compliant.

2) If the first kind of speculation is established, how to deal with the accumulation of live pack, can reduce window time, for not reply to keep alive phone, can be quickly kicked out, and then let it force re-registration, to reduce the number of retransmissions.

Attach the caught bag:

First time caught package, Link: Http://pan.baidu.com/s/1qWuW2uS Password: g15e

Second caught bag, Link: http://pan.baidu.com/s/1kTmZlUv Password: 24GV

I didn't get a response from the Avaya engineers, but the people at the IT group said that Avaya's engineers did something, but they didn't know what to do, and it wasn't professional!

Attached to the Avaya official documentation:

https://downloads.avaya.com/css/P8/documents/100017348

Mainly in the search see "Keepalive Mechanisms" This section is good, talk about the survival mechanism.

Abnormal traffic analysis of voice VLAN