High CPU Utilisation - Routers

utl
Level 1

Hi All,

I have a setup of nearly 25-odd 3640 routers and some 7206 routers. On the 3640 router I have two Ethernet interfaces. The user's LAN is connected to only one interface and the other one is redundant.

The problem is that when the user LAN is connected to the interface, CPU utilisation is more than 90% and there are a lot of collisions in the LAN. When I disconnect the LAN from the router, it is OK.

I suspect propagation of some virus such as Nimda and Bugbear. Is that correct? If not, can any of you educate me on the solution for this?

WBR

Manoj Reddy

5 Replies

deilert
Level 6

When you turn on the FE segment, enable IP accounting. This will give source and destination pairs; look for 1 packet being sent to multiple locations, usually in succession, that are the same byte size, usually small, like 76 bytes.
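The check suggested in the reply above, written out as an added example that is not part of the original thread: it parses text in the column layout of `show ip accounting` and flags sources that send a few small, same-sized packets to many destinations. The sample rows are constructed and the thresholds are assumptions to tune for your own network.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the column layout of IOS "show ip accounting".
# All addresses and counters are made up for illustration.
SAMPLE = (
    "   Source           Destination              Packets               Bytes\n"
    " 192.168.1.10     192.168.5.20                    412              389120\n"
    " 192.168.1.10     192.168.5.21                     35               21004\n"
    + "".join(f" 192.168.1.23     10.37.112.{i}    1    76\n" for i in range(1, 41))
)

ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+)\s+(\d+)\s*$")

def parse_accounting(text):
    """Yield (source, destination, packets, bytes) for each data row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and blank lines do not match
            yield m.group(1), m.group(2), int(m.group(3)), int(m.group(4))

def find_scanners(text, min_dests=20, max_pkts=3, max_pkt_size=100, min_share=0.8):
    """Return [(source, destination_count, common_packet_size)] for sources that
    send a few small, same-sized packets to many destinations.
    The thresholds are assumptions to tune per network."""
    flows = defaultdict(dict)
    for src, dst, pkts, nbytes in parse_accounting(text):
        flows[src][dst] = (pkts, nbytes)
    suspects = []
    for src, dsts in flows.items():
        if len(dsts) < min_dests:
            continue
        sizes = Counter(
            b // p for p, b in dsts.values()
            if 0 < p <= max_pkts and b // p <= max_pkt_size
        )
        if not sizes:
            continue
        size, count = sizes.most_common(1)[0]
        if count / len(dsts) >= min_share:
            suspects.append((src, len(dsts), size))
    return sorted(suspects, key=lambda s: -s[1])

if __name__ == "__main__":
    for src, n, size in find_scanners(SAMPLE):
        print(f"{src}: {n} destinations, mostly {size}-byte packets")
```

Paste the router's accounting output into a string in place of `SAMPLE`; hosts it reports are the ones to inspect or disconnect first.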

Frederic Vanderbecq
Cisco Employee

It definitely looks like the router is being killed by traffic, maybe an attack as you suspect.

Try to identify the packets using a sniffer or IP accounting, though be careful with accounting not to kill the router, as the CPU is quite high already.

Yes, some sort of virus is propagating through the network.

When I checked the IP cache of the router with "sh ip cache", I found a lot of invalid entries such as 10.37.112.1, 10.37.112.2, 10.37.112.3.....

The list goes on like that, but the 10.37.112.0 network does not exist anywhere in our network.

It seems like it is the Nimda virus.

Any suggestions to restrict that at the router level?

Thank you

Manoj

Hi Manoj,

If you are sure that's due to the Nimda virus, then find out the extensions of the files through which it is affecting and creating unnecessary traffic.

Then you can create a class map and policy map in which you can block the files with the extension used by Nimda.

Bind the same map on your FE.

I haven't tried this yet, but I hope this may help you.

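! Classify HTTP requests whose URL matches the pattern (placeholder as posted)
class-map match-any virus-files
 match protocol http url "*xxxx.ext*"
! Mark matching packets with DSCP 1
policy-map mark-virus
 class virus-files
  set ip dscp 1
! Apply the policy to inbound traffic on the FE interface
interface fastethernet 0
 service-policy input mark-virus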

But nowadays we are seeing n number of viruses daily, and we can't block all of them...

Regards

prem

I have even done that.

But the CPU utilization is still high. It comes back to normal when I disconnect the particular hosts broadcasting the virus from the LAN.

I was able to find the culprit systems in the LAN using a packet sniffer.

Thank you for your reply, Prem.

Manoj
