When issue occurring, there is very large output flow under each interface of the same vsi ,especially under G1/0/5 and G1/0/6 of edg1 and G1/0/5 and G1/0/6 and G2/0/5 of core1 NE40E. so large flow affected the service system under the core1 NE40E.
Topo and all the flow graph as attachment “Abnormal flow enter the network and generate large output flow affecting the vsi service”.
1.Find the point where the abnormal flow entering the network.
Why all the interface have large output flow but no large input flow?
From the interface flow graph, we can find G1/0/9 on edge1 connecting to core1 NE40E and has abnormal output flow on last Friday and this Monday .
So the abnormal traffic should start form edge1 NE40E.
And this traffic was forwarded to core NE40E's interface connecting to service system. So service was affected.
2.Find the interface from which the abnormal flow entering the network.
From the graph of G1/0/5 and G1/0/6, we can find that, there is only burst input flow under G1/0/6 when there is large output flow of each interface, and it's the only interface which has the abnormal input flow.
Why there is so large output flow when there is little burst input flow?
Form the config of the edge and core1 NE40E, we can find there is many vsi binding under interface G1/0/6's sub-interface, such as 52 sub-interfaces binding TakaheISCH, 16 sub-interfaces binding TakaheCHDCN1, and 9 sub-interfaces binding TakaheCHDCN2.
If some unknow unicast, multicast or broadcast flow entered the network through some sub-interface, it will be forwarded to every sub-interface binding with the same vsi, so large output traffic will be generated under main interface.
There should be abnormal traffic entered the network, because NE40E cannot generated so large traffic by itself.
broadcase-suppression is suggested to be used under the sub-interface on site.