[c-nsp] 3550 CPU Usage & IPSec

Brandon Bennett bennetb at gmail.com
Thu Nov 20 23:21:17 EST 2008


Sounds like maybe he is setting his VPN traffic with the DF bit off.
This could cause your 3550s to process fragmentation duties in
software.  Check to see if it's the IP Input process on the router;
this would mean the router is processing the fragmentation.


-Brandon

On Nov 20, 2008, at 12:24 PM, "randal k" <cisconsp at data102.com> wrote:

> Hive Mind,
> I have a customer who started selling a landed a largish VPN contract
> for people all over the world. Since then, he pushes about 40mbps of
> IPSec traffic, which is growing steadily. Around the same time I
> noticed that CPU usage on the distribution 3550 that he is attached to
> started going up (has always been ~1%); it is now running between
> 20-35% depending on the time of day.
>
> My only guess is that 3550s switch IPSec packets in software. Is
> this the case?
>
> This Cisco document that I found agrees, but it is extremely vague:
>
> http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00801c2af3.shtml
> -Traffic that cannot be interrupt-switched arrives
> #IP packets with options
> #Packets that require protocol translation
> #Multilink Point-to-Point Protocol (supported in Cisco Express
> Forwarding switching)
> #Compressed traffic
>    If there is no Compression Service Adapter (CSA) in the router,
> compressed packets must be process-switched.
> #Encrypted traffic
>    If there is no Encryption Service Adapter (ESA) in the router,
> encrypted packets must be process-switched.
>
>
> I am concerned that when his traffic eventually gets large enough
> it will cripple the switch. I know that the solution is to stick him
> on something with more guts - I am just looking to see if there are any
> anecdotes out there about this situation.
>
> Thanks,
> Randal