[c-nsp] High process CPU on 3750

Ed Butler - RapidSwitch ed.butler at rapidswitch.com
Sun Sep 25 07:46:15 EDT 2005 

To add to my earlier post and Dan Hollis' reply (below) the incomplete IP
ARP entries are increaseing at this rate:

cat3750#sh ip arp summary 
2422 IP ARP entries, with 143 of them incomplete

(10 second gap)

cat3750#sh ip arp summary 
2555 IP ARP entries, with 276 of them incomplete

(10 second gap)

cat3750#sh ip arp summary 
2721 IP ARP entries, with 442 of them incomplete 

Would this be classed as high? We have approx a /18 worth of space facing
the public internet, and I'm not quite sure would be considered normal for
general white noise.

The 3750 stack seems to reset the number of incomplete ARP addresses pretty
quickly, is this by design?

Regards,

Ed Butler
RapidSwitch Ltd
DDI: 020 7106 0731

RapidSwitch Ltd, 5th Floor, Sovereign House, 227 Marsh Wall, London, E14 9SD

This email message is intended only for the addressee(s) and contains
information that may be confidential and/or copyright.  If you are not the
intended recipient please notify the sender by reply email and immediately
delete this email. Use, disclosure or reproduction of this email by anyone
other than the intended recipient(s) is strictly prohibited. No
representation is made that this email or any attachments are free of
viruses. Virus scanning is recommended and is the responsibility of the
recipient. 
-----Original Message-----
From: Dan Hollis [mailto:goemon at anime.net] 
Sent: 25 September 2005 12:16
To: Ed Butler - RapidSwitch
Subject: Re: [c-nsp] High process CPU on 3750

you are being massively ip scanned. create arp output rate filters.

class-map match-any arp
   match protocol arp
policy-map rate-limit-arp
   class arp
      police 8000 1500 1500 conform-action transmit exceed-action drop
violate-action drop
interface FastEthernet0/0
  ip policy route-map rate-limit-arp

-Dan

On Sun, 25 Sep 2005, Ed Butler - RapidSwitch wrote:

> We've got a stack of 3750s that are currently showing high process usage
on
> the CPU.
>
> This is showing as process utilisation on the switch, but I can't see a
> process that actually accounts for it in the list.
>
> There is about 30-35% of the CPU that has vanished and it's not clear
where.
>
> cisco3750e#sh proc cpu sort | ex 0.00%  0.00%  0.00%
> CPU utilization for five seconds: 52%/5%; one minute: 55%; five minutes:
56%
> PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
>   7    15140968  42840249        353 13.51% 15.63% 17.55%   0 ARP Input
>
> 146    10103066  29347189        344  2.82%  2.26%  1.77%   0 IP Input
>
>  43     1107558     55814      19843  1.09%  0.81%  0.53%   0 Adjust
> Regions
> 149     1238805  10280732        120  0.62%  0.42%  0.35%   0 Spanning
Tree
>
> 108     1026083  18794666         54  0.31%  0.56%  0.53%   0 Hulc LED
> Process
> 103     1667468    594232       2806  0.31%  0.50%  0.32%   0 HL3U bkgrd
> proce
>  42      275183  41639809          6  0.15%  0.12%  0.15%   0 Fifo Error
> Detec
> 150        2413     13615        177  0.15%  0.01%  0.00%   0 Spanning
Tree
> St
> 112       55637    162783        341  0.15%  0.06%  0.04%   0 HQM Stack
> Proces
> 104       42600    647634         65  0.15%  0.02%  0.00%   0 HRPC hl3u
> reques
> 200      410526   1254308        327  0.15%  0.28%  0.29%   0 CEF: IPv4
> proces
>  18       30723    203360        151  0.00%  0.01%  0.00%   0 HC Counter
> Timer
>  23       16298    273307         59  0.00%  0.01%  0.00%   0 Net
> Background
>  27      141275     13772      10258  0.00%  0.01%  0.00%   0 Per-minute
> Jobs
>   4      958474     96693       9912  0.00%  0.07%  0.10%   0 Check heaps
>
>  46      366450   3492955        104  0.00%  0.04%  0.05%   0 hrpc <-
> response
>  30      201788    163079       1237  0.00%  0.04%  0.00%   0 Compute load
> avg
>  56       17145  23421773          0  0.00%  0.01%  0.00%   0 HLFM address
> ret
>  73      339403   1209805        280  0.00%  0.04%  0.06%   0 hpm counter
> proc
>  74      276923   1593830        173  0.00%  0.04%  0.00%   0 HRPC
> pm-counters
>  54       42864  23337685          1  0.00%  0.01%  0.00%   0 HLFM address
> lea
> 113      842937    975392        864  0.00%  0.07%  0.09%   0 HRPC qos
> request
> 122      102973    807545        127  0.00%  0.07%  0.05%   0 PI MATM
Aging
> Pr
> 148       14561   7942781          1  0.00%  0.01%  0.00%   0 MDFS MFIB
> Proces
> 165       91184    382975        238  0.00%  0.03%  0.00%   0 TCP
Protocols
>
> 199      185255       981     188843  0.00%  0.00%  0.01%   0 crypto sw pk
> pro
> 217       13625      1978       6888  0.00%  0.03%  0.02%   5 Virtual Exec
>
>
>
> Regards,
>
> Ed Butler
> RapidSwitch Ltd
> DDI: 020 7106 0731
>
> RapidSwitch Ltd, 5th Floor, Sovereign House, 227 Marsh Wall, London, E14
9SD
>
> This email message is intended only for the addressee(s) and contains
> information that may be confidential and/or copyright.  If you are not the
> intended recipient please notify the sender by reply email and immediately
> delete this email. Use, disclosure or reproduction of this email by anyone
> other than the intended recipient(s) is strictly prohibited. No
> representation is made that this email or any attachments are free of
> viruses. Virus scanning is recommended and is the responsibility of the
> recipient.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

More information about the cisco-nsp mailing list