通过路由器CPU利用率分析网络流量
Router#show proc cpuCPU utilization for five seconds: 63%/50%; one minute: 58%; five minutes: 58
%
PIDRuntime(ms)InvokeduSecs 5Sec 1Min 5Min TTY Process
1 4976 54773 90 0.00%0.00%0.00% 0 Load Meter
2 3788 670 5653 1.71%0.22%0.15% 130 Virtual Exec
24 3592 632 5683 0.00%0.04%0.09% 131 Virtual Exec
25 10186842430627416 3326 8.76%9.04% 10.41% 0 IP Input
CPU utilization for five seconds: 63%/50%
50%是指由于Interrupt switching 导致的CPU utilization, 所谓的Interrupt switch
ing 也就是指所有除了process switching 的交换方式,例如fast switching, optimu
m switching, cef switching....所产生的CPU负载
Average utilization due to interrupts, during last five seconds
63%指的是最近5秒的CPU utilization总和,包括(interrupts + processes)
Average total utilization during last five seconds (interrupts + processes)
用63%-50%=13%, 这13%是基本由于process switching导致的CPU消耗,理解Cisco 路由
器交换方式的人都知道,有一些流量路由器是必须使用process switching,例如icmp,
也就ping, snmp等都是必须使用process switching
通常看来,如果打开了cef switching但是process switching部分的cpu utilization(
63%-50%=13%)非常高,很可能目前情况不太正常,,因为如果打开cef的话,基本上除
了icmp, snmp等类型的包外,都应该采用cef switching,但这部分差值由谁导致的,就
要看show process cpu了, 从上面的例子可以看出来:
PIDRuntime(ms)InvokeduSecs 5Sec 1Min 5Min TTY Process
25 10186842430627416 3326 8.76%9.04% 10.41% 0 IP Input
由于此路由器已经打开了cef,但为什么还有这么多的IP Input流量是通过process swi
tching处理呢?
使用showinterface state可以看到每个接口不同swiching方式产生的流量,如果某个
接口的process部分很高,那很可能问题就出在这个端口。
Router#show interfaces stat
FastEthernet0/0
Switching path Pkts In Chars In Pkts OutChars Out
Processor 7995038553590227 8470311629922225
Route cache 42017034 3042361084 47856422 3952941601
Total 50012072 3595951311 56326733287896530
FastEthernet1/0
Switching path Pkts In Chars In Pkts OutChars Out
Processor 1478297178528355 1007368101120880
Route cache 46470310 3666895196 40629605 2756450367
Total 47948607 3845423551 41636973 2857571247
使用show ip traffic命令来确认到底是那一种流量过大。
从下例中可以看出, 几个不太正常的地:
1.在ICMP中有321413 unreachable,2263321 echo reply,很明显路由器响应的ICMP太
多了,如果每隔几秒都有数量增加,建议在接口状态下关掉IMCP redirects, unreacha
ble以及echo reply,这些只会增加CPU负担。
interface xxxx
no ip redirects
no ip unreachables
...
2.在UDP statistics中:
Rcvd: 7112 total, 0 checksum errors, 21093 no port
大量的no port就不太正常了,一般都是由于某些hacker软件扫描端口造成的, 如果每
隔几秒都有数量增加,建议关掉proxy-arp
interface xxx
no ip proxy-arp
3. 在IP statistics,有89518 bad hop count,这一般是由于TTL过期导致的,如果每
隔几秒都有大量计数增加,很明显,网络中存在routing loop,尽快检查你的数据配置
或是询问你的ISP怎么给你做的路由。
Router#show ip traffic
IP statistics:
Rcvd:190022549 total, 13327 local destination
2 format errors, 0 checksum errors, 89518 bad hop count
0 unknown protocol, 0 not a gateway
0 security failures, 0 bad options, 0 with options
Opts:0 end, 0 nop, 0 basic security, 0 loose source route
0 timestamp, 0 extended security, 0 record route
0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
0 other
Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
6583 fragmented, 0 couldn't fragment
Bcast: 2433 received, 77 sent
Mcast: 0 received, 0 sent
Sent:100452 generated, 99773529 forwarded
Drop:430 encapsulation failed, 1479 unresolved, 0 no adjacency
3606 no route, 0 unicast RPF, 0 forced drop
ICMP statistics:
Rcvd: 0 format errors, 0 checksum errors, 0 redirects, 321413 unreachable
2281 echo, 0 echo reply, 0 mask requests, 0 mask replies, 0 quench
0 parameter, 0 timestamp, 0 info request, 0 other
0 irdp solicitations, 0 irdp advertisements
Sent: 0 redirects, 4 unreachable, 0 echo, 2263321 echo reply
0 mask requests, 0 mask replies, 0 quench, 0 timestamp
0 info reply, 89517 time exceeded, 0 parameter problem
0 irdp solicitations, 0 irdp advertisements
UDP statistics:
Rcvd: 7112 total, 0 checksum errors, 21093 no port
Sent: 5883 total, 0 forwarded broadcasts
TCP statistics:
Rcvd: 3935 total, 0 checksum errors, 4 no port
Sent: 2788 total
{:6_290:}{:6_290:}{:6_290:} {:6_290:}{:6_290:}
页:
[1]