Solving high router CPU utilization

xiaoxiao2021-03-06  106

If the show processes cpu command shows that the IP Input process is using a lot of CPU resources, check the following:

First, fast switching is disabled on an outgoing interface that carries heavy traffic. You can use the show interfaces switching command to view the interface traffic, then re-enable fast switching on the interface. Remember that fast switching is configured on the output interface.

Second, fast switching on the same interface is disabled. If an interface is configured with multiple network segments (secondary addresses), traffic between these segments is process-switched. In this case, it is necessary to enable ip route-cache same-interface.

Third, some packets cannot be fast switched: packets that have no cache entry, packets destined for the router, packets that need protocol conversion, policy-routed packets, Multilink PPP, and compressed or encrypted packets.

Packets destined for the router:

Examples: 1. Routing updates (depending on the routing protocol). An excessive number of updates indicates an unstable network and increases CPU utilization. You can check the routing table with show ip route.

2. Other people who are logged in run commands that produce a large amount of log output.

3. Spoof attack. Use the show ip traffic command to confirm it: a large number of packets with a local destination will be found.

Step 2: use the show interfaces and show interfaces switching commands to identify the port on which a large number of packets arrive. Once you have confirmed the incoming port, enable IP accounting on the outgoing interface to see the traffic's characteristics. If it is an attack, the source address keeps changing but the destination address does not. You can use an access list to resolve this type of problem temporarily (it is best to configure it close to the source of the attack); the final solution is to stop the attack source.

4. Packets that require policy routing. Before Cisco IOS version 11.3, policy-routed packets could not be fast switched. IOS version 11.3 allows policy-routed packets to be fast switched. Use the interface command ip route-cache policy.

Packets encapsulated over X.25, because of flow control at the second Open System Interconnection (OSI) layer.

7. Compressed traffic. If there is no Compression Service Adapter (CSA) in the router, compressed packets must be process-switched.

8. Encrypted traffic. If there is no Encryption Service Adapter (ESA) in the router, encrypted packets must be process-switched.

9. A large amount of User Datagram Protocol (UDP) traffic. Use the same steps as for a spoof attack to resolve it.

10. A large number of multicast streams cross the router. You can enable fast switching of multicast packets using the ip mroute-cache interface configuration command (fast switching of multicast packets is off by default).

11. A large number of broadcast packets. Check the number of broadcast packets in the show interfaces command output.

12. The router is over-used and unable to process the amount of traffic. You can share the load among other routers or consider a higher-end router.

13. The router is configured with IP NAT (Network Address Translation) and many DNS (Domain Name System) packets pass through the router. UDP or TCP packets with source and/or destination port 53 (DNS) are always punted to process level by NAT.

Whatever the cause of high CPU utilization in the IP Input process, you can investigate it by debugging IP packets. Because CPU utilization is already high, debugging output should go only to the logging buffer (logging buffered) and not to the console. The debugging session should not exceed 3-5 seconds. If a source is suspicious, it can be disconnected, or its traffic to the destination can be filtered with an ACL.
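An added example, not part of the original article: a Python sketch of the Step 2 check for a spoof attack, which reads show ip accounting output and flags destinations that receive traffic from many different source addresses. The sample output is constructed (documentation addresses), and the function names and the thresholds min_sources and min_packets are assumptions to tune per network.

```python
import re
from collections import defaultdict

# Constructed sample of `show ip accounting` output (documentation addresses).
SAMPLE = """\
   Source           Destination              Packets               Bytes
 198.51.100.7     192.0.2.10                     4120              247200
 198.51.100.93    192.0.2.10                     3988              239280
 203.0.113.15     192.0.2.10                     4051              243060
 203.0.113.201    192.0.2.10                     4102              246120
 198.51.100.180   192.0.2.10                     3975              238500
 10.1.1.5         10.2.2.9                        310              148800
 10.1.1.6         10.2.2.9                         12                5760
"""

# One accounting row: source, destination, packet count, byte count.
ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_accounting(text):
    """Return (source, destination, packets, bytes) tuples; header and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return rows


def suspect_destinations(rows, min_sources=5, min_packets=10000):
    """Flag destinations hit by many distinct sources with a high total packet count.

    Both thresholds are assumptions, not values from the article.
    """
    sources = defaultdict(set)
    packets = defaultdict(int)
    for src, dst, pkts, _ in rows:
        sources[dst].add(src)
        packets[dst] += pkts
    flagged = [(dst, len(sources[dst]), packets[dst]) for dst in sources
               if len(sources[dst]) >= min_sources and packets[dst] >= min_packets]
    return sorted(flagged, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for dst, n_src, pkts in suspect_destinations(parse_accounting(SAMPLE)):
        print(f"{dst}: {n_src} distinct sources, {pkts} packets; review before adding a temporary ACL")
```

A busy legitimate server also receives traffic from many sources, so a flagged destination is a lead to review against the show ip traffic counters, not proof of an attack.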
