如何处理CISCO路由器CPU利用率高的问题。。急。。。

terrance

可否具体讲一下？？如何？？？

思一克

我经历过。
SHOW PROCESS CPU
许多参数都大于80%。
是内部网络上有电脑中了病毒。不断发包导致。

fengleiniao

就是有内网的计算机中毒了

左看又看

先clear arp,把不存在的条目清掉，在过一段时间在sh arp看看，另外，在端口上用ip accounting outputpackets命令，再在全局模式下sh ip accou看看倒底是什么数据包。

思一克

用NETXRAY可以看到胡乱发包的罪魁祸手

yetian

sh arp显示
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  *.*.*.*         11   00e0.fc04.151d  ARPA   FastEthernet2/0
Internet  *.*.*.*            -   0002.16de.e1e0  ARPA   FastEthernet2/0
Internet  *.*.*.*          238   00b0.6481.3200  ARPA   FastEthernet2/0
Internet  *.*.*.*          1   0002.7e25.abb8  ARPA   FastEthernet2/0

其中有什么问题吗？

fanyaoming

怀疑中了冲击波病毒，可使用如下方式检查
Detection
Using IOS with NetFlow Enabled to Detect Infected Hosts
NetFlow can be a powerful tool to help identify infected hosts. NetFlow must be enabled on an interface with the command IP route-cache flow. The following example shows infected hosts scanning IP address space by using ICMP type 8 packets.

Router>;show ip cache flow | include 0000 0800
   
    SrcIf      SrcIPaddress    DstIf    DstIPaddress  Pr SrcP DstP    Pkts
   
    Fa2/0      XX.XX.XX.242    Fa1/0    XX.XX.XX.119  01 0000 0800    1
    Fa2/0      XX.XX.XX.242    Fa1/0    XX.XX.XX.169  01 0000 0800    1
    Fa2/0      XX.XX.XX.204    Fa1/0    XX.XX.XX.63   01 0000 0800    1
    Fa2/0      XX.XX.XX.204    Fa1/0    XX.XX.XX.111  01 0000 0800    1
    Fa2/0      XX.XX.XX.204    Fa1/0    XX.XX.XX.95   01 0000 0800    1
    Fa2/0      XX.XX.XX.204    Fa1/0    XX.XX.XX.79   01 0000 0800    1

Using CatOS with Sup2 and MLS to Detect Infected Hosts
MLS statistics can help track down infected hosts. NetFlow should be enabled in full flow to see source and destination ports, as in the following example, which shows traffic sourced from infected hosts attempting to detect potential target systems through ICMP.

Router>;(enable)set mls flow full  
    Router>;show mls statistics entry protocol icmp
   
                                      Last    Used
    Destination IP   Source IP       Prot  DstPrt SrcPrt Stat-Pkts  Stat-Bytes
    ---------------- --------------- ----- ------ ------ --------- -----------
      XX.XX.XX.28     XX.XX.XX.10    ICMP  0      0       0          0
      XX.XX.XX.58     XX.XX.XX.28    ICMP  0      0       0          0
      XX.XX.XX.141    XX.XX.XX.223   ICMP  0      0       0          0
      XX.XX.XX.189    XX.XX.XX.1     ICMP  0      0       0          0
      XX.XX.XX.12     XX.XX.XX.19    ICMP  0      0       0          0
      XX.XX.XX.245    XX.XX.XX.137   ICMP  0      0       0          0
      XX.XX.XX.29     XX.XX.XX.22    ICMP  0      0
如是加ACL把ICMP禁掉。
access-list 115 permit icmp any any echo
access-list 115 permit icmp any any echo-reply
access-list 115 permit ip any any
    interface <interface>;
    ip access-group 115 in
    ip access-group 115 out
或
The worm will attempt to send packets to random IP addresses, some of which may not exist. When that occurs, the router will reply with an ICMP unreachable packet. In some cases, replying to a large number of requests with invalid IP addresses may result in degradation of the router's performance. To prevent that from occurring, use the following command:

Router(config)# interface <interface>;
    Router(if-config)# no ip unreachables

firebird

楼上大哥的ACL是不是允许ICMP 的echo和echo-reply两种类型的包通过，其它全过滤掉了？

fengleiniao

access-list 115 deny icmp any any echo
access-list 115 deny icmp any any echo-reply
access-list 115 permit ip any any