[nsp] Cisco 2500 Traffic Limit and high cpu utilization.
Mehmet Ali Suzen
msuzen at mail.north-cyprus.net
Mon Mar 8 12:57:31 EST 2004
Hi,
The IOS version we are dealing with is 12.1(20).
Interfaces consist of ethernet, serial and
group async. A LAN and dialups use this router as their
gateway. We have a large ACL on each interface.
It works fine. In busy times our load gets significantly
high. I tried to enable ip cef, but it didn't work out.
What could have gone wrong? I will appreciate any comment
or idea.
-Mehmet
PS: My config
!
! Last configuration change at 15:07:30 GMT Thu Feb 4 2004
! NVRAM config last updated at 20:14:11 GMT Thu Feb 4 2004
!
version 12.1
no service single-slot-reload-enable
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname mehmets_router
!
no logging console
no logging monitor
aaa new-model
aaa authentication login login line
aaa authentication ppp rad group radius
aaa authorization network rad group radius
aaa accounting network rad wait-start group radius
!
!
!
!
!
clock timezone EET 2
clock summer-time EET recurring
ip subnet-zero
no ip source-route
ip wccp version 1
ip wccp web-cache redirect-list 120
ip finger
ip tcp selective-ack
ip tcp chunk-size 80
ip tcp mss 1460
ip tcp window-size 65535
ip tcp queuemax 50
ip tcp synwait-time 10
ip tcp path-mtu-discovery
ip name-server 192.168.0.3
!
ip address-pool local
!
!
!
interface Loopback0
ip address 192.168.0.254 255.255.255.255
no ip redirects
no ip mroute-cache
!
interface Null0
no ip unreachables
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0 secondary
ip address 192.168.0.129 255.255.255.192 secondary
ip address 192.168.0.1 255.255.255.128
ip access-group 180 in
ip access-group 195 out
no ip redirects
no ip unreachables
ip nat inside
ip route-cache policy
ip route-cache flow
no ip mroute-cache
no keepalive
random-detect
random-detect flow
no cdp enable
!
interface Serial0
no ip address
ip access-group 180 in
ip access-group 195 out
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation frame-relay IETF
ip route-cache policy
ip route-cache flow
no ip mroute-cache
random-detect
random-detect flow
frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
description TTnet PVC 100
ip address 192.168.0.94 255.255.255.252
ip access-group 180 in
ip access-group 195 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip wccp web-cache redirect out
ip nat outside
no ip route-cache same-interface
no cdp enable
frame-relay interface-dlci 100
!
interface Serial1
description Satko Rx-only Unused
bandwidth 192
ip unnumbered Loopback0
ip access-group 170 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip wccp web-cache redirect out
ip route-cache policy
no ip mroute-cache
load-interval 30
no keepalive
ignore-dcd
no cdp enable
!
interface Async17
no ip address
!
interface Group-Async0
physical-layer async
no ip address
no group-range
!
interface Group-Async1
ip unnumbered Ethernet0
ip access-group 180 in
ip access-group 195 out
no ip redirects
encapsulation ppp
no ip route-cache same-interface
ip route-cache flow
no ip mroute-cache
async mode interactive
peer default ip address pool default
no cdp enable
ppp authentication pap rad
ppp authorization rad
ppp accounting rad
group-range 1 16
!
ip local pool default 192.168.0.32 192.168.0.47
ip nat inside source list 10 interface Serial0.1 overload
ip classless
no ip forward-protocol nd
no ip forward-protocol udp bootps
no ip forward-protocol udp bootpc
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 Serial0.1
ip route 0.0.0.0 0.0.0.0 Null0 255
ip route 192.168.0.128 255.255.255.192 Ethernet0
ip route 192.168.0.0 255.255.255.128 Ethernet0
no ip http server
!
!
ip access-list extended denyfinger
deny tcp any any eq finger
permit ip any any
logging facility local0
logging source-interface Ethernet0
logging 192.168.0.3
access-list 5 permit 192.168.0.3
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip any any log
access-list 110 deny tcp any any neq www
access-list 110 permit tcp any any
access-list 120 deny ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip any any
access-list 150 deny ip any host 213.166.21.134
access-list 150 permit ip any any
access-list 170 permit ip any any
access-list 170 deny icmp any any redirect
access-list 180 deny ip 0.0.0.0 1.255.255.255 any
access-list 180 deny ip 127.0.0.0 0.255.255.255 any
access-list 180 deny ip 10.0.0.0 0.255.255.255 any
access-list 180 deny ip 172.16.0.0 0.15.255.255 any
access-list 180 deny ip 192.168.0.0 0.0.255.255 any
access-list 180 deny ip host 0.0.0.0 any
access-list 180 deny udp any any range 0 19
access-list 180 deny tcp any any range 161 162
access-list 180 permit udp host 192.168.0.3 any range snmp snmptrap
access-list 180 deny udp any any range snmp snmptrap
access-list 180 deny tcp any any eq 199
access-list 180 deny udp any any eq 199
access-list 180 deny tcp any any eq 391
access-list 180 deny udp any any eq 391
access-list 180 deny tcp any any eq 705
access-list 180 deny udp any any eq 705
access-list 180 deny tcp any any eq 1993
access-list 180 deny udp any any eq 1993
access-list 180 deny udp any any range bootps tftp
access-list 180 deny tcp any any range 67 69
access-list 180 deny tcp any any eq 445
access-list 180 deny udp any any eq 445
access-list 180 deny tcp any any eq sunrpc
access-list 180 deny udp any any eq sunrpc
access-list 180 deny tcp any any range 511 lpd
access-list 180 deny udp any any range 511 515
access-list 180 permit icmp host 192.168.0.3 any
access-list 180 permit icmp host 195.175.32.93 any
access-list 180 permit icmp host 195.175.10.58 any
access-list 180 deny icmp any any
access-list 180 deny ip 0.0.0.0 255.255.255.0 any
access-list 180 deny ip 192.168.0.0 0.0.0.128 any
access-list 180 deny ip 192.168.0.0 0.0.0.192 any
access-list 180 deny 55 any any
access-list 180 deny 77 any any
access-list 180 deny udp any any eq 79
access-list 180 permit tcp host 192.168.0.3 any eq finger
access-list 180 permit udp host 192.168.0.3 any eq 23
access-list 180 permit tcp host 192.168.0.3 any eq telnet
access-list 180 deny tcp any any eq finger
access-list 180 deny udp any any eq 23
access-list 180 deny tcp any any eq telnet
access-list 180 deny pim any any
access-list 180 deny udp any any range bootps bootpc
access-list 180 deny tcp any any eq 135
access-list 180 deny udp any any eq 135
access-list 180 deny tcp any any range 137 139
access-list 180 deny udp any any range netbios-ns netbios-ss
access-list 180 deny tcp any any eq lpd
access-list 180 deny tcp any any eq 1080
access-list 180 deny udp any any eq 1080
access-list 180 deny udp any any range 1433 1434
access-list 180 deny tcp any any eq 1900
access-list 180 deny udp any any eq 1900
access-list 180 deny tcp any any eq 5000
access-list 180 deny tcp any any range 1024 1029
access-list 180 deny udp any any range 1024 1029
access-list 180 permit ip any any
access-list 190 permit ip 192.168.0.0 0.0.0.128 any
access-list 190 permit ip 192.168.0.0 0.0.0.192 any
access-list 190 deny ip any any
access-list 195 deny ip host 81.22.33.114 any
access-list 195 deny ip host 80.133.99.99 any
access-list 195 deny ip 10.0.0.0 0.255.255.255 any
access-list 195 deny ip 127.0.0.0 0.255.255.255 any
access-list 195 deny ip 172.16.0.0 0.15.255.255 any
access-list 195 deny ip 192.168.0.0 0.0.255.255 any
access-list 195 deny 55 any any
access-list 195 deny 77 any any
access-list 195 deny pim any any
access-list 195 deny udp any any range bootps bootpc
access-list 195 deny tcp any any eq 135
access-list 195 deny udp any any eq 135
access-list 195 deny tcp any any range 137 139
access-list 195 deny udp any any range netbios-ns netbios-ss
access-list 195 deny tcp any any eq lpd
access-list 195 deny tcp any any eq 1080
access-list 195 deny udp any any eq 1080
access-list 195 deny udp any any range 1433 1434
access-list 195 deny tcp any any eq 1900
access-list 195 deny udp any any eq 1900
access-list 195 deny tcp any any eq 5000
access-list 195 deny tcp any any range 1024 1029
access-list 195 deny udp any any range 1024 1029
access-list 195 permit icmp host 192.168.0.3 any
access-list 195 permit icmp host 195.175.32.93 any
access-list 195 permit icmp host 195.175.10.58 any
access-list 195 deny icmp any any
access-list 195 permit ip any any
no cdp run
route-map proxyredir permit 10
match ip address 110
set ip next-hop 192.168.0.4
!
snmp-server engineID local 000
On Mon, Mar 08, 2004 at 09:01:19AM -0500, Streiner, Justin wrote:
> On Mon, 8 Mar 2004, Mehmet Ali Suzen wrote:
>
> > Thanks for the tips, indeed. I have already tried NetFlow before,
> > but when I enable cef, router begins to malfunction. I don't
> > know what is wrong? Are there any conflict with the other
> > switching mechanisms or service?
>
> The stability of CEF depends greatly on the version of IOS you're running
> on your router. Many versions of code, such as some 12.0 or 12.0T
> releases, had some nasty CEF bugs. The later 12.1 IP releases seem to be
> pretty stable; at least they have been for me. Your experience may differ
> depending on what protocols, services, etc. you run on the router.
>
> jms
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
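Extended ACLs are evaluated top to bottom with first match wins, so an entry that an earlier entry in the same list already covers can never match: it only lengthens the per-packet walk through a list like ACL 180 above without changing policy. The script below is an added example, not code from the thread; it parses numbered extended ACL lines in the posted format and reports entries fully shadowed by an earlier entry, using a few lines copied from ACL 170 and ACL 180 as its constructed sample. It treats two port or ICMP qualifiers as overlapping only when identical (conservative), and ignores `log`.

```python
import ipaddress
ANY = (0, 0xFFFFFFFF)  # IOS 'any' is 0.0.0.0 255.255.255.255

def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((addr, wildcard), remaining tokens)."""
    ip = lambda s: int(ipaddress.IPv4Address(s))
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (ip(tokens[1]), 0), tokens[2:]
    return (ip(tokens[0]), ip(tokens[1])), tokens[2:]

def parse_ace(line):
    """'access-list N action proto src dst [qualifiers]' -> (N, proto, src, dst, qualifiers)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        return None
    src, rest = _addr(t[4:])
    dst, rest = _addr(rest)
    return t[1], t[3], src, dst, tuple(x for x in rest if x != "log")

def _covers(outer, inner):
    """True if every address matched by inner is also matched by outer (wildcard-mask sets)."""
    (oa, ow), (ia, iw) = outer, inner
    fixed = ~ow & 0xFFFFFFFF  # bits the outer entry actually compares
    return (fixed & iw) == 0 and (oa & fixed) == (ia & fixed)

def shadowed_by(earlier, later):
    """Does earlier match every packet later would, leaving later unreachable?"""
    acl, proto, src, dst, rest = earlier
    return (acl == later[0] and proto in ("ip", later[1])
            and _covers(src, later[2]) and _covers(dst, later[3])
            and rest in ((), later[4]))  # no qualifier, or the identical one

def find_shadowed(lines):
    """Return (unreachable_line, shadowing_line) pairs for a list of config lines."""
    aces = [(ln, a) for ln in lines for a in [parse_ace(ln)] if a]
    return [(ln, eln) for i, (ln, ace) in enumerate(aces)
            for eln, e in aces[:i] if shadowed_by(e, ace)]

# Constructed sample: a few ACL 170 / ACL 180 lines copied from the posted config.
SAMPLE = [
    "access-list 170 permit ip any any",
    "access-list 170 deny icmp any any redirect",
    "access-list 180 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 180 permit udp host 192.168.0.3 any range snmp snmptrap",
    "access-list 180 deny ip 192.168.0.0 0.0.0.128 any",
    "access-list 180 permit ip any any",
]
```

Run over the full posted config, `find_shadowed` lists every entry a router can never reach; removing those shortens the list the 2500 walks for each packet with no change in what is permitted or denied.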