[c-nsp] 3550 CPU Usage & IPSec

Mateusz Błaszczyk blahu77 at gmail.com
Thu Nov 20 14:43:02 EST 2008



Randal,

> I have a customer who started selling a landed a largish VPN contract
> for people all over the world. Since then, he pushes about 40mbps of
> IPSec traffic, which is growing steadily. Around the same time I
> noticed that CPU usage on the distribution 3550 that he is attached to
> started going up (has always been ~1%); it is now running between
> 20-35% depending on the time of day.

what is the major cpu eater?
show proc cpu sorted?

> My only guess is that 3550s switch IPSec packets in software. Is this the case?
>
> This Cisco document that I found agrees, but it is extremely vague:
>
> http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00801c2af3.shtml
> -Traffic that cannot be interrupt-switched arrives
>  #IP packets with options

try denying packets with IP options... but
1) it may break the customer's VPN (I have no idea if it is needed for VPN)
2) it may have an adverse effect - the switch would have to process-switch
packets to find out which have IP options, essentially process
switching everything...


BRs,

-mat

--
pgp-key 0x1C655CAB


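
An added example, not part of the original message: one way to answer the "major cpu eater" question from saved `show processes cpu sorted` output, splitting the five-second figure into interrupt-level and process-level load and flagging the IOS `IP Input` process, which handles process-switched IP packets. The sample output is constructed, and the function names and the 10% threshold are assumptions.

```python
import re

# Constructed sample of `show processes cpu sorted` output (not from the thread).
SAMPLE = """\
CPU utilization for five seconds: 31%/4%; one minute: 29%; five minutes: 27%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 118    98213344  51234567       1916 24.10% 22.35% 21.90%   0 IP Input
  72     1203344   9234567        130  1.59%  1.40%  1.38%   0 HLFM address lea
   9      843344    734567       1148  0.31%  0.28%  0.27%   0 ARP Input
   1         384     32789         11  0.00%  0.00%  0.00%   0 Load Meter
"""

# Header format is "five seconds: <total>%/<interrupt>%".
HEADER = re.compile(r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
                    r"one minute: (\d+)%; five minutes: (\d+)%")
# PID Runtime Invoked uSecs 5Sec 1Min 5Min TTY Process-name
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)%\s+([\d.]+)%\s+"
                 r"([\d.]+)%\s+(\d+)\s+(.+?)\s*$")

def parse_show_proc_cpu(text):
    """Parse the utilization header and per-process rows into a dict."""
    m = HEADER.search(text)
    if not m:
        raise ValueError("no CPU utilization header found")
    total, interrupt = int(m.group(1)), int(m.group(2))
    procs = []
    for line in text.splitlines():
        r = ROW.match(line)
        if r:
            procs.append({"pid": int(r.group(1)), "five_sec": float(r.group(5)),
                          "one_min": float(r.group(6)), "name": r.group(9)})
    # Re-sort in case the capture came from the unsorted command.
    procs.sort(key=lambda p: p["five_sec"], reverse=True)
    return {"total": total, "interrupt": interrupt,
            "process": total - interrupt, "procs": procs}

def diagnose(stats, threshold=10.0):
    """Return a short verdict; the 10% threshold is an assumption."""
    top = stats["procs"][0] if stats["procs"] else None
    if top and top["name"] == "IP Input" and top["five_sec"] >= threshold:
        return "process-switched IP traffic (IP Input)"
    if stats["interrupt"] > stats["process"]:
        return "interrupt-level switching load"
    if top and top["five_sec"] >= threshold:
        return "process load: " + top["name"]
    return "no dominant consumer"

if __name__ == "__main__":
    print(diagnose(parse_show_proc_cpu(SAMPLE)))
```
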

