[c-nsp] Sup720 CPU spikes, an academic question

Peter Rathlev peter at rathlev.dk
Wed May 4 04:11:56 EDT 2011


On Tue, 2011-05-03 at 22:09 +0100, Alexander Clouter wrote:
> A burst of SNMPv3 with cryptographic operations can hurt a poor MIPS 
> chip.  We run torrus[1] and it took me a while to realise the obvious 
> that polling all our kit 3DES/MD5 was probably a bad idea (it was brutal
> enough to the system that was doing the polling) so went with just 
> SNMPv2c.

We sometimes see e.g. "crypto sw pk pro" taking up resources on 3560X
models when they're being polled by our Cacti using SNMPv3 (authNoPriv).
This is clearly shown in the process table though. And we haven't seen
anything similar on the Sup720s. When looking at the ERSPAN session I
can see the SNMP traffic but it seldom coincides with the spikes.

> > The following is the output from "show proc cpu" (slightly
> > reformatted) from a device that exceeded a 90% warning threshold
> > we've configured. 
>  
> You really want to be looking at the '5min' sorted graph.

The list I supplied only excludes processes with "0.00%" in all three
columns, so even though the processes are sorted differently they're all
there. Sorting by "5min" wouldn't make it look any more clear to me.
 
> >  CPU utilization for five seconds: 100%/0%; one min: 10%; five min: 4%
...
> > I've excluded processes with 0% utilization for all three periods.
> > To me the above means that 0% time (?) was spent interrupt
> > switching,
>  
> ...in the previous 5sec interval.

Yep. Interrupt time is only shown for 5sec intervals, so I assume
they're usable.

> multicast from a directly connected VLAN at the router with the TTL of 
> the packets set to 1 is how you can multicast 'attacks' on routers.  
> Might be something occasionally firing up (Norton Ghost) probing for a 
> suitable TTL to put in its multicast payload...but this I would expect 
> to appear in your ring buffer.

I've seen exactly that before (recently even), but in that case:

 1) The "IP Input" process was actually using resources.
 2) The RP SPAN session showed the traffic clearly.

I have none of these here. :-|

Thank you for the input. :-)

-- 
Peter



