From: Murali Rao (muralig19@xxxxxxxxx)
Date: Fri May 17 2002 - 07:44:50 GMT-3

Hello All.

Sorry for this OT but I need some help immediately.
My customer's network has become dead slow over the last 4
days. It is a hub-and-spoke topology with a 3660 as hub and
1750s as spokes.
The txload and rxload in the sh int serial output show as
much as 255/255 even when there are no user applications
running.
Suspecting problems with the serial line, I brought up the
backup ISDN and the same thing repeats on the ISDN as well.
So there definitely is heavy traffic being pumped into the
network. No high CPU utilization is seen either. Suspecting
the nimda/codered worm, I found on the CCO configurations to
block these worms from crossing the routers. I have tried
these configs on all the routers without any use. Can
someone have a look at these configs and see if I am
missing something or suggest any other way of killing this
issue? This is making the links so slow that VoIP calls are
suffering.

class-map match-any http-attacks
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*readme.eml*"
!
!
policy-map mark-inbound-http-attacks
 class http-attacks
  set ip dscp 1
!
interface fastethernet 0/0
 ip access-group 189 in
 ip access-group 189 out
 service-policy input mark-inbound-http-attacks
!
access-list 189 deny ip any any dscp 1 log
access-list 189 permit ip any any

I have applied the policy map to the ethernet interfaces on
all the routers, thinking that this will block any patterns
that match the class-map.
Am I doing something wrong here? Can this be handled in a
different way?
Any help is appreciated.

Murali.
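
Added example, not part of the original post: a Python sketch that pulls the URL wildcards out of the class-map above and counts, per client address, the requests in a web server or proxy log that match them, as one way to locate the hosts generating the worm traffic. The log lines are constructed samples in Common Log Format, and treating the class-map wildcards as case-sensitive shell-style globs is an assumption, not a statement of how NBAR matches.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# The class-map from the post, copied as-is.
CLASS_MAP = '''\
class-map match-any http-attacks
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*readme.eml*"
'''

# Constructed sample lines in Common Log Format (documentation addresses).
SAMPLE_LOG = '''\
192.0.2.10 - - [17/May/2002:07:01:02 -0300] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
192.0.2.10 - - [17/May/2002:07:01:03 -0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [17/May/2002:07:01:04 -0300] "GET /index.html HTTP/1.1" 200 1043
192.0.2.44 - - [17/May/2002:07:01:05 -0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 212
198.51.100.7 - - [17/May/2002:07:01:06 -0300] "GET /readme.eml HTTP/1.1" 200 79225
'''

URL_RULE = re.compile(r'^\s*match protocol http url "([^"]+)"\s*$')
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*"')

def url_patterns(config):
    """Pull the quoted URL wildcards out of 'match protocol http url' lines."""
    return [m.group(1) for line in config.splitlines()
            if (m := URL_RULE.match(line))]

def hits_by_source(log_text, patterns):
    """Count, per client address, requests whose URL matches any pattern."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        src, _method, url = m.groups()
        if any(fnmatchcase(url, p) for p in patterns):
            hits[src] += 1
    return hits

if __name__ == "__main__":
    for src, n in hits_by_source(SAMPLE_LOG, url_patterns(CLASS_MAP)).most_common():
        print(f"{src}\t{n} matching request(s)")
```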