Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

3550 high CPU usage randomly, ssh attack?

Hello everyone,

I have searched the forums but come up empty so far. I have a 3550 colocated with 5 machines currently connected, pushing only about 20mbit 95%. I have an etherchannel connection on the gbit uplinks to the data centers 3560. While i havent really been noticing any strange behavior on the connected machines yet looking at the snmp cpu graphs is a bit disturbing when i see cpu usage hitting 70% while traffic is less than 1mbit at the time. Any help is greatly appreciated this is my first cisco device and im unsure if the switch is being attacked or there is some other missconfiguration?

running config:

show processes cpu history:

sh proc cpu | exclude 0.0:

Just as i was running that ssh process jumped up, im not sure if it's because im connected via ssh or not, however subsequent runs it dropped down to less than 1%

Assuming there is nothing glaringly wrong with my switch configuration is it safe to assume ssh is being attacked and causing the load? Would creating an acl to only allow the connected machines to connect via ssh solve that problem? Thank you again for any help and please excuse my ignorance this is my first cisco device.

New Member

Re: 3550 high CPU usage randomly, ssh attack?


Do you have a public IP on your 3550 (most probably not, but just in case...)? If I connect a router to a publc IP, I get immediately a lot of SSH dictionary attacks, however, it's not burning the processor.

Actually, could be a lot of stuff - here's what comes into my mind:

You can use bpdu guard in conjunction with the portfast feature, because it helps to prevent loops (if it will see a loop (bpdu packet), it will shut down the port and you will get the guilty person:))

What do you see in show mac address-table?


New Member

Re: 3550 high CPU usage randomly, ssh attack?


Thank you for the reply, yes the switch does have public facing IP's it is colocated in a data center so the first IP of every vlan is reachable. I'm sorry for my ignorance as i've never heard of bpdu but if it shuts down ports as you say would this disrupt service? Also the only mac addresses i see are of my connected machines and the switch on the other end of the uplinks.

Cisco Employee

Re: 3550 high CPU usage randomly, ssh attack?


Generally when you connect to the switch via SSH, the CPU utilization will rise depending upon the type of activity you are performing on the switch. If you are executing any commands like "show tech" or "show run" that require the switch to push quite a bit of data to the ssh console, then the CPU util might increase to some extent. It is a better idea to block SSH access to external (internet) devices as it will protect your switch from any attacks.

Hope this helps.



CreatePlease to create content