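The other surprising thing is that the servers communicate with it only over the LAN network, so why does the router's CPU utilization increase? If you find anything missing or over-configured, please say so; the router configuration is shared below, which should help with understanding. Your advice is much appreciated.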
Current configuration : 6715 bytes
!
! Last configuration change at 09:16:50 IST Fri Nov 2 2018
! NVRAM config last updated at 15:08:12 IST Wed Oct 31 2018
! NVRAM config last updated at 15:08:12 IST Wed Oct 31 2018
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MUMBAI-NSE
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.152-1.T4.bin
boot-end-marker
!
!
no logging on
!
no aaa new-model
clock timezone IST 5 30
!
no ipv6 cef
!
!
!
ip multicast-routing
!
!
ip flow-cache timeout active 1
ip cef
multilink bundle-name authenticated
!
no mpls ip
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FGL151912YC
license boot module c2900 technology-package datak9
!
!
!
redundancy
!
!
ip ftp username itsdc
ip ftp password jhjytg
!
class-map match-all SQOS
match access-group name sgx
class-map match-all qos2
match access-group name file
class-map match-all other
match access-group 121
class-map match-all qos
match access-group 120
!
!
policy-map FILE
class qos2
bandwidth 800
policy-map BQOS
class qos
bandwidth 40000
queue-limit 1000 packets
class other
bandwidth 5000
queue-limit 10 packets
policy-map SQOS
class SQOS
priority level 1
class other
priority level 2
policy-map SGX
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description NSE-BSE
ip address 172.16.18.2 255.255.255.252
ip pim sparse-dense-mode
ip flow ingress
ip flow egress
ip ospf dead-interval minimal hello-multiplier 3
load-interval 30
duplex auto
speed 100
service-policy output BQOS
!
interface GigabitEthernet0/1
description NSE-GGN
ip address 10.95.253.81 255.255.255.252
ip pim sparse-dense-mode
ip flow ingress
ip flow egress
ip ospf dead-interval minimal hello-multiplier 3
load-interval 30
duplex full
speed auto
service-policy output BQOS
!
interface GigabitEthernet0/2
description LOCAL-LAN
ip address 172.25.40.100 255.255.0.0
ip access-group 101 in
ip accounting output-packets
ip pim sparse-dense-mode
ip flow ingress
ip flow egress
ip virtual-reassembly in
ip route-cache same-interface
ip route-cache policy
duplex auto
speed auto
!
interface FastEthernet0/0/0
description NSE-DGCX
ip address 172.16.26.1 255.255.255.0
ip access-group 130 in
ip pim sparse-dense-mode
ip flow ingress
ip flow egress
ip ospf dead-interval minimal hello-multiplier 3
load-interval 30
duplex auto
speed auto
service-policy output SQOS
!
interface FastEthernet0/1/0
description NSE-MCX
ip address 172.16.20.1 255.255.255.0
ip ospf dead-interval minimal hello-multiplier 3
duplex auto
speed auto
!
interface FastEthernet0/1/1
description NSE-SGX
ip address 172.16.27.1 255.255.255.0
ip ospf dead-interval minimal hello-multiplier 3
duplex auto
speed auto
!
interface FastEthernet0/2/0
description NSE-CME
ip address xx.xx.75.xx 255.255.255.248
duplex auto
speed auto
!
interface FastEthernet0/2/1
no ip address
shutdown
duplex auto
speed auto
!
!
router ospf 2
network 10.95.253.81 0.0.0.0 area 0
network 172.16.18.0 0.0.0.3 area 0
network 172.16.20.0 0.0.0.3 area 0
network 172.16.20.0 0.0.0.255 area 0
network 172.16.23.0 0.0.0.3 area 0
network 172.16.26.0 0.0.0.255 area 0
network 172.16.27.0 0.0.0.255 area 0
network 172.25.0.0 0.0.255.255 area 0
network 192.168.16.0 0.0.0.255 area 0
network 192.168.150.0 0.0.0.255 area 0
maximum-paths 2
!
ip forward-protocol nd
!
ip pim rp-address 10.95.25.82
ip pim autorp listener
no ip http server
no ip http secure-server
ip flow-export source GigabitEthernet0/1
ip flow-export version 9
ip flow-export template timeout-rate 1
ip flow-export destination 191.191.191.52 9996
ip flow-top-talkers
top 40
sort-by bytes
cache-timeout 20000
!
ip route xx.xx.7.0 255.255.255.252 172.16.2.2
ip route xx.xx.7.0 255.255.255.248 1.29.7.11
ip route 10.29.7.0 255.255.255.0 1.29.7.11
ip route 192.168.1.10 255.255.255.255 10.95.25.82
ip route 192.168.1.0 255.255.255.0 192.168.1.1
ip route 192.168.1.0 255.255.255.0 192.168.1.1
ip route 192.168.6.0 255.255.255.0 10.95.25.82
!
ip access-list extended file
permit tcp any any eq 445
ip access-list extended other
deny udp any any eq 45000
deny udp any any eq 45002
deny udp any any eq 45003
permit ip any any
ip access-list extended sgx
permit udp any any eq 45000
permit udp any any eq 45002
permit udp any any eq 45003
permit tcp any any eq 1801
!
no logging trap
access-list 101 deny udp any any eq 9999
access-list 101 deny udp any any eq 34074
access-list 101 deny udp any any eq 34330
access-list 101 deny udp any any eq 34586
access-list 101 deny udp any any eq 5450
access-list 101 deny udp any any eq 5440
access-list 101 deny udp any any eq 45446 log
access-list 101 deny udp any any eq 80 log
access-list 101 deny udp any any eq 17742 log
access-list 101 deny udp any any eq 50554 log
access-list 101 deny udp any any eq 56955 log
access-list 101 permit ip any any
access-list 110 deny tcp any any eq 3389
access-list 110 deny tcp any any eq 445
access-list 110 permit ip any any
access-list 120 deny ip host 172.25.45.21 any
access-list 120 deny ip host 172.25.45.52 any
access-list 120 deny ip host 172.25.45.18 any
access-list 120 deny ip host 172.25.45.18 any
access-list 120 permit ip any any
access-list 120 deny tcp any any log
access-list 120 deny udp any any log
access-list 120 deny ip host 172.25.45.3 any
access-list 121 deny udp any any eq 45000
access-list 121 deny udp any any eq 45002
access-list 121 deny udp any any eq 45003
access-list 121 permit ip any any
access-list 121 permit ip host 172.25.45.5 any
access-list 121 permit ip host 172.25.45.21 any
access-list 121 permit ip host 172.25.45.18 any
access-list 121 permit ip host 172.25.45.18 any
access-list 121 permit udp any any
access-list 121 permit udp any any eq 45000
access-list 121 permit udp any any eq 45002
access-list 121 permit udp any any eq 45003
access-list 121 deny udp any any log
access-list 121 deny ip host 172.25.45.8 any
access-list 130 deny udp any any eq 9999
access-list 130 deny udp any any eq 34463
access-list 130 permit ip any any
access-list dynamic-extended
!
!
!
!
!
snmp-server community public RW
snmp-server ifindex persist
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
line vty 5 10
login
transport input all
!
scheduler allocate 20000 1000
end
#1
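This is a hard question to answer without looking at packet captures, the network architecture, and so on. You can't really make a policy or do anything that would drop the frames (since they are routed at layer 2 of the OSI model). However, a few things could be going on: Broadcast storm: there may be a switch uplinked to another switch that does not have STP enabled. This switching loop can cause broadcast packets to be retransmitted over paths that have already seen the message. It is not advisable to have four /24s and a /16 on the same router when that router is an ISR (access router) interfacing with critical systems. I would recommend a more suitable core router or a campus network design. This is equivalent to getting a Honda Civic and wondering why you are not doing well in a race against a Ferrari. You are using an ISR router for something it was not meant to do.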
Comments
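You need to analyze the incoming traffic (for example with a packet capture) to find the source. Then you can shut it down or filter it. The "spam" traffic shouldn't be allowed in the first place; you can allow the "spam" traffic and deny everything else. To help us, please include the output of "show process cpu | e 0.00" and "show logging buffered", which will give us a hint about what is causing the problem. I suspect multicast, since UDP is unlikely to cause CPU spikes.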
Is it possible that multicast is being received on an interface where PIM is not configured?
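It looks like you are running into OSPF convergence problems. Something like ip ospf dead-interval minimal hello-multiplier will definitely raise CPU utilization and may cause OSPF to bounce across the whole area.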
For ip flow, choose either ingress or egress. As Ron Maupin already mentioned, the ip ospf dead-interval will also cause higher CPU. If you need fast convergence, use BFD instead.
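
As an added example (not part of the original thread, and not code from any of its participants), this Python sketch reviews a saved running-config for the three items the comments raise: NetFlow enabled in both directions on one interface, OSPF fast hellos, and active interfaces without PIM while multicast routing is on. The finding labels and `SAMPLE_CONFIG` are constructed for illustration; stanzas are delimited by `!` lines, so the parser also works on text that has lost its indentation.

```python
import re

# Constructed excerpt modelled on the posted configuration, not the full file.
SAMPLE_CONFIG = """\
ip multicast-routing
!
interface GigabitEthernet0/0
 ip pim sparse-dense-mode
 ip flow ingress
 ip flow egress
 ip ospf dead-interval minimal hello-multiplier 3
!
interface FastEthernet0/1/0
 ip ospf dead-interval minimal hello-multiplier 3
!
interface FastEthernet0/2/1
 no ip address
 shutdown
!
"""

def parse_interfaces(config):
    """Map each interface name to its sub-commands; a '!' line ends a stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"interface\s+(\S+)$", line)
        if header:
            current = stanzas.setdefault(header.group(1), [])
        elif line == "!":
            current = None
        elif current is not None and line:
            current.append(line)
    return stanzas

def audit(config):
    """Return (interface, finding) pairs for the items raised in the comments."""
    multicast = re.search(r"^\s*ip multicast-routing\b", config, re.M) is not None
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "shutdown" in cmds:
            continue  # administratively down: nothing to review
        if {"ip flow ingress", "ip flow egress"} <= set(cmds):
            findings.append((name, "netflow-both-directions"))
        if any(c.startswith("ip ospf dead-interval minimal") for c in cmds):
            findings.append((name, "ospf-fast-hello"))
        if multicast and not any(c.startswith("ip pim ") for c in cmds):
            findings.append((name, "multicast-routing-without-pim"))
    return findings
```

Calling `audit()` on the text of a saved `show running-config` returns one pair per interface and finding, which can be compared against the `show process cpu` output the commenters ask for.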