How do I control unwanted UDP traffic (broadcast and multicast) on a Cisco Router 2911?

network-engineering router multicast udp broadcast storm-control
2021-07-11 21:14:22

Please advise: we are getting broadcast or multicast UDP traffic in our router 2911, which pushes the router's utilization above 95%. Because of this we are seeing errors on the links and business impact. The company runs a stock trading business, and even nanoseconds of downtime are a concern for us. Please advise how to control the unwanted traffic entering the Cisco router 2911.

Another surprising thing is that the servers only communicate over the LAN network, so why is the router CPU utilization increasing? I am sharing the router configuration; if you find some configuration missing or excessive, that would help us understand better. Your advice is much appreciated.

Current configuration : 6715 bytes
!
! Last configuration change at 09:16:50 IST Fri Nov 2 2018
! NVRAM config last updated at 15:08:12 IST Wed Oct 31 2018
! NVRAM config last updated at 15:08:12 IST Wed Oct 31 2018
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MUMBAI-NSE
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.152-1.T4.bin
boot-end-marker
!
!
no logging on
!
no aaa new-model
clock timezone IST 5 30
!
no ipv6 cef
!
!
!
ip multicast-routing
!
!
ip flow-cache timeout active 1
ip cef
multilink bundle-name authenticated
!
no mpls ip
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FGL151912YC
license boot module c2900 technology-package datak9
!
!
!
redundancy
!
!
ip ftp username itsdc
ip ftp password jhjytg
!
class-map match-all SQOS
 match access-group name sgx
class-map match-all qos2
 match access-group name file
class-map match-all other
 match access-group 121
class-map match-all qos
 match access-group 120
!
!
policy-map FILE
 class qos2
  bandwidth 800
policy-map BQOS
 class qos
  bandwidth 40000
  queue-limit 1000 packets
 class other
  bandwidth 5000
  queue-limit 10 packets
policy-map SQOS
 class SQOS
  priority level 1
 class other
  priority level 2
policy-map SGX
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description NSE-BSE
 ip address 172.16.18.2 255.255.255.252
 ip pim sparse-dense-mode
 ip flow ingress
 ip flow egress
 ip ospf dead-interval minimal hello-multiplier 3
 load-interval 30
 duplex auto
 speed 100
 service-policy output BQOS
!
interface GigabitEthernet0/1
 description NSE-GGN
 ip address 10.95.253.81 255.255.255.252
 ip pim sparse-dense-mode
 ip flow ingress
 ip flow egress
 ip ospf dead-interval minimal hello-multiplier 3
 load-interval 30
 duplex full
 speed auto
 service-policy output BQOS
!
interface GigabitEthernet0/2
 description LOCAL-LAN
 ip address 172.25.40.100 255.255.0.0
 ip access-group 101 in
 ip accounting output-packets
 ip pim sparse-dense-mode
 ip flow ingress
 ip flow egress
 ip virtual-reassembly in
 ip route-cache same-interface
 ip route-cache policy
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description NSE-DGCX
 ip address 172.16.26.1 255.255.255.0
 ip access-group 130 in
 ip pim sparse-dense-mode
 ip flow ingress
 ip flow egress
 ip ospf dead-interval minimal hello-multiplier 3
 load-interval 30
 duplex auto
 speed auto
 service-policy output SQOS
!
interface FastEthernet0/1/0
 description NSE-MCX
 ip address 172.16.20.1 255.255.255.0
 ip ospf dead-interval minimal hello-multiplier 3
 duplex auto
 speed auto
!
interface FastEthernet0/1/1
 description NSE-SGX
 ip address 172.16.27.1 255.255.255.0
 ip ospf dead-interval minimal hello-multiplier 3
 duplex auto
 speed auto
!
interface FastEthernet0/2/0
 description NSE-CME
 ip address xx.xx.75.xx 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/2/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
!
router ospf 2
 network 10.95.253.81 0.0.0.0 area 0
 network 172.16.18.0 0.0.0.3 area 0
 network 172.16.20.0 0.0.0.3 area 0
 network 172.16.20.0 0.0.0.255 area 0
 network 172.16.23.0 0.0.0.3 area 0
 network 172.16.26.0 0.0.0.255 area 0
 network 172.16.27.0 0.0.0.255 area 0
 network 172.25.0.0 0.0.255.255 area 0
 network 192.168.16.0 0.0.0.255 area 0
 network 192.168.150.0 0.0.0.255 area 0
 maximum-paths 2
!
ip forward-protocol nd
!
ip pim rp-address 10.95.25.82
ip pim autorp listener
no ip http server
no ip http secure-server
ip flow-export source GigabitEthernet0/1
ip flow-export version 9
ip flow-export template timeout-rate 1
ip flow-export destination 191.191.191.52 9996
ip flow-top-talkers
 top 40
 sort-by bytes
 cache-timeout 20000
!
ip route xx.xx.7.0 255.255.255.252 172.16.2.2
ip route xx.xx.7.0 255.255.255.248 1.29.7.11
ip route 10.29.7.0 255.255.255.0 1.29.7.11
ip route 192.168.1.10 255.255.255.255 10.95.25.82
ip route 192.168.1.0 255.255.255.0 192.168.1.1
ip route 192.168.1.0 255.255.255.0 192.168.1.1
ip route 192.168.6.0 255.255.255.0 10.95.25.82
!
ip access-list extended file
 permit tcp any any eq 445
ip access-list extended other
 deny   udp any any eq 45000
 deny   udp any any eq 45002
 deny   udp any any eq 45003
 permit ip any any
ip access-list extended sgx
 permit udp any any eq 45000
 permit udp any any eq 45002
 permit udp any any eq 45003
 permit tcp any any eq 1801
!
no logging trap
access-list 101 deny   udp any any eq 9999
access-list 101 deny   udp any any eq 34074
access-list 101 deny   udp any any eq 34330
access-list 101 deny   udp any any eq 34586
access-list 101 deny   udp any any eq 5450
access-list 101 deny   udp any any eq 5440
access-list 101 deny   udp any any eq 45446 log
access-list 101 deny   udp any any eq 80 log
access-list 101 deny   udp any any eq 17742 log
access-list 101 deny   udp any any eq 50554 log
access-list 101 deny   udp any any eq 56955 log
access-list 101 permit ip any any
access-list 110 deny   tcp any any eq 3389
access-list 110 deny   tcp any any eq 445
access-list 110 permit ip any any
access-list 120 deny   ip host 172.25.45.21 any
access-list 120 deny   ip host 172.25.45.52 any
access-list 120 deny   ip host 172.25.45.18 any
access-list 120 deny   ip host 172.25.45.18 any
access-list 120 permit ip any any
access-list 120 deny   tcp any any log
access-list 120 deny   udp any any log
access-list 120 deny   ip host 172.25.45.3 any
access-list 121 deny   udp any any eq 45000
access-list 121 deny   udp any any eq 45002
access-list 121 deny   udp any any eq 45003
access-list 121 permit ip any any
access-list 121 permit ip host 172.25.45.5 any
access-list 121 permit ip host 172.25.45.21 any
access-list 121 permit ip host 172.25.45.18 any
access-list 121 permit ip host 172.25.45.18 any
access-list 121 permit udp any any
access-list 121 permit udp any any eq 45000
access-list 121 permit udp any any eq 45002
access-list 121 permit udp any any eq 45003
access-list 121 deny   udp any any log
access-list 121 deny   ip host 172.25.45.8 any
access-list 130 deny   udp any any eq 9999
access-list 130 deny   udp any any eq 34463
access-list 130 permit ip any any
access-list dynamic-extended
!
!
!
!
!
snmp-server community public RW
snmp-server ifindex persist
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login
 transport input all
line vty 5 10
 login
 transport input all
!
scheduler allocate 20000 1000
end
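An added example, not part of the original question or the answers: a small Python lint that parses the numbered ACL lines from the posted config and flags entries that can never match. IOS evaluates an ACL top-down and stops at the first matching entry, so in access-list 120 and 121 everything after `permit ip any any` is dead; the sample config in the block is a constructed excerpt of the lines above, and the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the numbered ACL lines quoted in the posted config.
SAMPLE_CONFIG = """\
access-list 101 deny   udp any any eq 9999
access-list 101 permit ip any any
access-list 120 deny   ip host 172.25.45.18 any
access-list 120 deny   ip host 172.25.45.18 any
access-list 120 permit ip any any
access-list 120 deny   tcp any any log
access-list 120 deny   udp any any log
access-list 120 deny   ip host 172.25.45.3 any
"""

ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")
CATCH_ALL = re.compile(r"^ip any any( log)?$")  # matches everything; later entries are dead


def parse_numbered_acls(config: str) -> dict:
    """Return {acl_number: [(action, match_text), ...]} in config order."""
    acls = defaultdict(list)
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            number, action, rest = m.groups()
            acls[number].append((action, " ".join(rest.split())))
    return dict(acls)


def find_unreachable(acls: dict) -> dict:
    """IOS stops at the first matching entry, so entries after a catch-all are dead."""
    dead = {}
    for number, entries in acls.items():
        for i, (_, rest) in enumerate(entries):
            if CATCH_ALL.match(rest) and i + 1 < len(entries):
                dead[number] = [f"{a} {r}" for a, r in entries[i + 1:]]
                break
    return dead


def find_duplicates(acls: dict) -> dict:
    """Entries repeated verbatim inside one ACL: harmless, but a config smell."""
    dups = {}
    for number, entries in acls.items():
        keys = [f"{a} {r}" for a, r in entries]
        repeated = sorted({k for k in keys if keys.count(k) > 1})
        if repeated:
            dups[number] = repeated
    return dups
```

Run it over the full `show running-config` output to get the same report for access-list 121, whose `permit ip any any` on its fourth line shadows the ten entries that follow it.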
2 Answers

This is a difficult question to answer without looking at packet captures, the network architecture, etc. You can't really build a policy or anything else that will drop frames (since they are routed at Layer 2 of the OSI model). However, a few things could be happening:

  1. Broadcast storm - there may be a switch uplinked to another switch without STP enabled. Such a switching loop causes broadcast packets to be retransmitted along paths that have already seen the message.

  2. LAN re-architecture (most likely) - this is a traffic-heavy business. Using 4 /24s and a /16 on the same router that interfaces with critical systems as an ISR (access router) is not wise. I would recommend a more suitable core router or a campus network design. This is the equivalent of buying a Honda Civic and then wondering why you lost a race against a Ferrari. You are using an ISR router for something it was not meant to do.

I am not a technical person, but what I know from this field is that stock exchange information is delivered via UDP multicast (I have 3 brokerage clients). Imagine all the stock information being pushed and updated every second. That is how a large amount of data constantly flows from the market to your clients (and to everyone else who is interested). These networks are not like connecting to the internet; there should be a specific configuration template that is meant to be applied. Consult the service provider (not the ISP but the broker network administrators, who always have a large team to handle directly connected clients) and share the configuration. They may be able to advise you on configuration or hardware upgrades.