[nsp] High CPU utilization help please.

Christopher J. Wolff chris at bblabs.com
Tue Sep 16 14:40:14 EDT 2003


Hello,

I recently put a router into service (3620) that is seeing some high CPU
utilization.  I believe the CPU utilization is due to all of the
virus/trojan ACL's I have in to protect the customers.  I'm soliciting
suggestions on how to make the config less burdensome on the router but
still protect the users.  Thank you very much for your assistance.

Regards,
Christopher J. Wolff, VP, CIO
Broadband Laboratories
http://www.bblabs.com


---------------------------


version 12.3
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
boot-start-marker
boot-end-marker
!
logging monitor alerts
!
clock timezone MST -7
no aaa new-model
ip subnet-zero
no ip source-route
!
!
ip cef
no ip domain lookup
!
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
ip ssh break-string 
!
! 
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination 
!
!
!
!
 class-map match-any icmp
  match access-group 199
!
!
 policy-map icmp
  class icmp
   police 56000 16000 16000 conform-action transmit  exceed-action drop 
!
!
!
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 ip address 111.222.333.444 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 speed 100
 full-duplex
!
interface FastEthernet1/0
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet1/0.1
 encapsulation dot1Q 1 native
 ip address 111.222.333.444 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface FastEthernet1/0.100
 encapsulation dot1Q 100
 ip address 111.222.333.444 255.255.0.0
 ip access-group 118 in
 ip access-group 118 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nat inside
!
no ip http server
no ip http secure-server
ip classless
!
access-list 7 remark ACL for internal NAT
access-list 7 permit 10.0.0.0 0.0.255.255
access-list 118 deny   icmp any any
access-list 118 deny   udp any any eq tftp
access-list 118 deny   udp any any range 135 netbios-ss
access-list 118 deny   tcp any any range 135 139
access-list 118 deny   tcp any any eq 445
access-list 118 deny   tcp any any eq 593
access-list 118 deny   tcp any any eq 4444
access-list 118 permit ip any any
access-list 119 deny   udp any any eq tftp
access-list 119 deny   udp any any range 135 netbios-ss
access-list 119 deny   tcp any any eq 445
access-list 119 deny   tcp any any eq 593
access-list 119 deny   tcp any any eq 4444
access-list 119 permit ip any any
access-list 120 deny   udp any any eq tftp
access-list 120 deny   udp any any range 135 netbios-ss
access-list 120 deny   tcp any any range 135 139
access-list 120 deny   tcp any any eq 445
access-list 120 deny   tcp any any eq 593
access-list 120 deny   tcp any any eq 4444
access-list 120 permit ip any any
access-list 172 deny   udp any any eq 1434
access-list 172 permit ip any any
access-list 199 permit icmp any any echo
!
snmp-server community RO
snmp-server enable traps tty
!
!
!
!
!
!
!
end
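As an added example (not from the original post or from the list), a small Python checker that reads an IOS-style config and reports which numbered ACLs are defined but never bound to an interface, and how many ACEs a permitted packet traverses per interface when one ACL is bound in both directions; the excerpt it parses is constructed from the posted config and includes only the lines the analysis needs.

```python
import re
from collections import defaultdict
# Constructed excerpt of the config posted above: ACL 118 bound in and out
# on one sub-interface, ACLs 119 and 172 defined but never applied.
CONFIG = """\
interface FastEthernet1/0.100
 ip access-group 118 in
 ip access-group 118 out
!
access-list 118 deny   icmp any any
access-list 118 deny   udp any any eq tftp
access-list 118 deny   udp any any range 135 netbios-ss
access-list 118 deny   tcp any any range 135 139
access-list 118 deny   tcp any any eq 445
access-list 118 deny   tcp any any eq 593
access-list 118 deny   tcp any any eq 4444
access-list 118 permit ip any any
access-list 119 deny   udp any any eq tftp
access-list 119 permit ip any any
access-list 172 deny   udp any any eq 1434
access-list 172 permit ip any any
"""
ACE_RE = re.compile(r"^access-list (\d+) (?:permit|deny)\b")  # remark lines are not ACEs
BIND_RE = re.compile(r"^\s+ip access-group (\S+) (in|out)\b")
IFACE_RE = re.compile(r"^interface (\S+)")

def parse_config(text):
    """Return ({acl: ACE count}, [(interface, acl, direction), ...])."""
    acls, bindings, iface = defaultdict(int), [], None
    for line in text.splitlines():
        if m := ACE_RE.match(line):
            acls[m.group(1)] += 1
        elif m := IFACE_RE.match(line):
            iface = m.group(1)
        elif (m := BIND_RE.match(line)) and iface:
            bindings.append((iface, m.group(1), m.group(2)))
    return dict(acls), bindings

def unused_acls(acls, bindings):
    """ACLs defined but never bound to an interface: config weight only."""
    applied = {acl for _, acl, _ in bindings}
    return sorted(n for n in acls if n not in applied)
def aces_per_transit(acls, bindings):
    """Worst-case ACEs evaluated for a packet that reaches the final
    'permit ip any any': the whole ACL, once per bound direction."""
    cost = defaultdict(int)
    for iface, acl, _ in bindings:
        cost[iface] += acls.get(acl, 0)
    return dict(cost)
```

The ACE count is a static proxy for per-packet filtering work, not a CPU measurement; it does not tell you whether the traffic is being CEF-switched or punted, which `show processes cpu` and the interface switching counters would.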


