[c-nsp] 3550 high cpu & process switched traffic
Tassos Chatzithomaoglou
achatz at forthnet.gr
Fri Aug 18 13:53:28 EDT 2006
Hi Rodney,
This is the 3550's config:
=======================================
Current configuration : 14177 bytes
!
! Last configuration change at 19:39:45 EET Fri Aug 18 2006 by xxx
! NVRAM config last updated at 20:28:04 EET Fri Aug 18 2006 by xxx
!
version 12.1
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption
!
hostname 3550
!
logging buffered 64000 debugging
logging console critical
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login CON-AUX enable
aaa authentication ppp default if-needed group tacacs+
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec CON-AUX if-authenticated
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 1 CON-AUX if-authenticated
aaa authorization commands 7 default group tacacs+ none
aaa authorization network default group tacacs+
aaa accounting exec default stop-only group tacacs+
aaa accounting network default start-stop group tacacs+
enable secret 5 <removed>
!
clock timezone EET 2
clock summer-time EET recurring last Sun Mar 3:00 last Sun Oct 3:00
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause gbic-invalid
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause loopback
errdisable recovery interval 1800
ip subnet-zero
no ip source-route
ip routing
!
ip tftp source-interface Loopback0
ip domain-name xxx
ip name-server xxx
ip name-server xxx
ip multicast-routing
ip accounting-threshold 32768
mls qos
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
class-map match-any all2m
match ip dscp 0
!
!
policy-map policy-1mbps
class all2m
police 1024000 1000000 exceed-action drop
policy-map policy-3mbps
class all2m
police 3072000 1000000 exceed-action drop
policy-map policy-2mbps
class all2m
police 2048000 1000000 exceed-action drop
policy-map policy-4mbps
class all2m
police 4000000 1000000 exceed-action drop
policy-map policy-8mbps
class all2m
police 8000000 1000000 exceed-action drop
policy-map policy-10mbps
class all2m
police 10000000 1000000 exceed-action drop
policy-map policy-12mbps
class all2m
police 12000000 1000000 exceed-action drop
policy-map policy-20mbps
class all2m
police 20000000 1000000 exceed-action drop
policy-map policy-14mbps
class all2m
police 14000000 1000000 exceed-action drop
policy-map policy-50mbps
class all2m
police 50000000 1000000 exceed-action drop
policy-map policy-18mbps
class all2m
police 18000000 1000000 exceed-action drop
!
!
!
interface Loopback0
ip address xxx 255.255.255.255
!
interface FastEthernet0/1
switchport mode access
shutdown
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
load-interval 30
speed 100
duplex full
!
interface FastEthernet0/3
no switchport
ip address xxx 255.255.255.252 secondary
ip address xxx 255.255.255.252 secondary
ip address xxx 255.255.255.252
ip access-group 03-IN in
ip access-group 03-OUT out
no ip redirects
no ip unreachables
load-interval 30
mls qos monitor dscp 0
storm-control broadcast level 5.00
service-policy input policy-12mbps
service-policy output policy-12mbps
!
interface FastEthernet0/4
no switchport
ip address xxx 255.255.255.240
ip access-group 04-IN in
ip access-group 04-OUT out
no ip redirects
no ip unreachables
load-interval 30
mls qos monitor dscp 0
storm-control broadcast level 5.00
arp timeout 1200
service-policy input policy-14mbps
service-policy output policy-14mbps
!
interface FastEthernet0/5
no switchport
ip address xxx 255.255.255.252
ip access-group 05-IN in
no ip redirects
no ip unreachables
load-interval 30
mls qos monitor dscp 0
storm-control broadcast level 5.00
service-policy input policy-3mbps
service-policy output policy-3mbps
!
interface FastEthernet0/6
no switchport
ip address xxx 255.255.255.252
ip access-group 06-IN in
no ip redirects
no ip unreachables
load-interval 30
mls qos monitor dscp 0
storm-control broadcast level 5.00
no cdp enable
service-policy input policy-2mbps
service-policy output policy-2mbps
hold-queue 100 out
!
!
interface FastEthernet0/7
no switchport
ip address xxx 255.255.255.252
ip access-group 07-IN in
no ip redirects
no ip unreachables
load-interval 30
mls qos monitor dscp 0
storm-control broadcast level 5.00
no cdp enable
service-policy input policy-1mbps
service-policy output policy-1mbps
hold-queue 100 out
!
interface FastEthernet0/8
switchport mode dynamic desirable
!
interface FastEthernet0/9
switchport mode dynamic desirable
shutdown
!
interface FastEthernet0/10
switchport mode dynamic desirable
shutdown
!
interface FastEthernet0/11
switchport mode dynamic desirable
shutdown
!
interface FastEthernet0/12
switchport mode dynamic desirable
shutdown
!
interface FastEthernet0/13
switchport mode dynamic desirable
shutdown
!
interface FastEthernet0/14
switchport mode dynamic desirable
shutdown
!
interface FastEthernet0/15
switchport mode dynamic desirable
shutdown
!
interface FastEthernet0/16
switchport mode dynamic desirable
shutdown
!
interface FastEthernet0/17
switchport mode dynamic desirable
shutdown
!
interface FastEthernet0/18
switchport mode dynamic desirable
shutdown
!
interface FastEthernet0/19
switchport mode dynamic desirable
shutdown
!
interface FastEthernet0/20
switchport mode dynamic desirable
shutdown
!
interface FastEthernet0/21
switchport mode dynamic desirable
shutdown
!
interface FastEthernet0/22
switchport mode dynamic desirable
shutdown
!
interface FastEthernet0/23
switchport mode dynamic desirable
shutdown
speed 100
duplex full
!
interface FastEthernet0/24
switchport mode dynamic desirable
shutdown
!
interface GigabitEthernet0/1
description ** Gateway **
no switchport
ip address xxx 255.255.255.192
no ip redirects
no ip unreachables
load-interval 30
flowcontrol send off
!
interface GigabitEthernet0/2
switchport mode access
shutdown
flowcontrol send off
!
interface Vlan1
description ** Management **
ip address xxx 255.255.255.252
!
interface Vlan4
ip address xxx 255.255.255.252
ip access-group 4-IN in
no ip redirects
no ip unreachables
no ip proxy-arp
load-interval 30
arp timeout 1200
!
interface Vlan10
ip address xxx 255.255.255.224
ip access-group 10-IN in
no ip redirects
no ip unreachables
no ip proxy-arp
load-interval 30
arp timeout 1200
!
router ospf xxx
log-adjacency-changes
redistribute connected subnets
redistribute static subnets
network xxx 0.0.0.0 area 1
!
ip default-gateway xxx
ip classless
ip route 0.0.0.0 0.0.0.0 xxx
ip route xxx 255.255.255.0 xxx
ip route xxx 255.255.255.0 xxx
ip route xxx 255.255.255.0 xxx 200
ip route xxx 255.255.255.0 xxx
ip route xxx 255.255.248.0 xxx
ip route xxx 255.255.255.240 xxx
ip route xxx 255.255.255.248 xxx
no ip http server
ip tacacs source-interface Loopback0
!
ip access-list extended 10-IN
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 0.0.0.0 0.255.255.255
deny ip any 127.0.0.0 0.255.255.255
deny ip any 224.0.0.0 15.255.255.255
permit ip xxx 0.0.0.31 any
deny ip any any
ip access-list extended 03-IN
deny ip any host xxx
permit ip any any
ip access-list extended 03-OUT
deny ip host xxx any
permit ip any any
ip access-list extended 04-IN
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 0.0.0.0 0.255.255.255
deny ip any 127.0.0.0 0.255.255.255
deny ip any 224.0.0.0 15.255.255.255
permit ip xxx 0.0.0.15 any
deny ip any any
ip access-list extended 04-OUT
permit tcp any host xxx eq www
permit tcp any host xxx eq 443
permit tcp any host xxx eq 2106
permit tcp any host xxx eq 7777
permit tcp any host xxx eq 60000
permit tcp any host xxx eq www
permit tcp any host xxx eq 443
permit tcp any host xxx eq 2106
permit tcp any host xxx eq 7777
permit tcp any host xxx eq 60000
deny tcp any host xxx
deny tcp any host xxx
deny ip xxx 0.0.0.255 any
deny ip xxx 0.0.0.255 any
deny ip xxx 0.0.0.255 any
deny ip xxx 0.0.0.255 any
permit ip any any
ip access-list extended 06-IN
permit tcp any any eq bgp
permit udp any any eq 179
permit tcp any eq bgp any
permit udp any eq 179 any
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 0.0.0.0 0.255.255.255
deny ip any 127.0.0.0 0.255.255.255
deny ip any 224.0.0.0 15.255.255.255
permit ip xxx 0.0.0.255 any
permit ip xxx 0.0.0.255 any
permit ip xxx 0.0.0.255 any
permit ip xxx 0.0.0.255 any
permit ip xxx 0.0.0.3 any
deny ip any any
ip access-list extended 05-IN
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 0.0.0.0 0.255.255.255
deny ip any 127.0.0.0 0.255.255.255
deny ip any 224.0.0.0 15.255.255.255
permit ip xxx 0.0.0.15 any
permit ip xxx 0.0.0.3 any
deny ip any any
ip access-list extended 07-IN
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 0.0.0.0 0.255.255.255
deny ip any 127.0.0.0 0.255.255.255
deny ip any 224.0.0.0 15.255.255.255
permit ip xxx 0.0.0.3 any
permit ip xxx 0.0.0.7 any
deny ip any any
ip access-list extended 4-IN
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 0.0.0.0 0.255.255.255
deny ip any 127.0.0.0 0.255.255.255
deny ip any 224.0.0.0 15.255.255.255
permit ip xxx 0.0.0.3 any
deny ip any any
!
logging facility local5
logging source-interface Loopback0
logging xxx
access-list 9 permit xxx 0.0.0.31
access-list 9 permit xxx 0.0.0.255
access-list 9 permit xxx 0.0.0.255
access-list 9 permit xxx 0.0.0.255
access-list 9 permit xxx 0.0.0.255
access-list 9 deny any log
access-list 99 permit xxx
access-list 99 permit xxx
access-list 99 permit xxx
access-list 99 permit xxx 0.0.0.1
access-list 99 permit xxx 0.0.0.31
access-list 99 permit xxx 0.0.0.255
access-list 99 permit xxx 0.0.0.255
access-list 99 permit xxx 0.0.0.255
access-list 99 permit xxx 0.0.0.255
access-list 99 permit xxx 0.0.0.255
access-list 99 deny any log
snmp-server community <removed> RO 99
snmp-server trap-source Loopback0
snmp-server enable traps snmp authentication warmstart linkdown linkup coldstart
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps flash insertion removal
snmp-server enable traps bridge
snmp-server enable traps stpx
snmp-server enable traps rtr
snmp-server enable traps port-security
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps MAC-Notification
snmp-server enable traps hsrp
snmp-server enable traps cluster
snmp-server enable traps copy-config
snmp-server enable traps syslog
snmp-server enable traps bgp
snmp-server enable traps vlan-membership
snmp-server host xxx <removed>
snmp-server host xxx <removed>
tacacs-server host xxx
tacacs-server host xxx
tacacs-server timeout 15
tacacs-server key 7 <removed>
privilege exec level 7 clear
privilege exec level 7 clear line
privilege exec level 7 clear ip
!
!
line con 0
authorization commands 1 CON-AUX
authorization exec CON-AUX
login authentication CON-AUX
line vty 0 4
session-timeout 30 output
access-class 9 in
exec-timeout 30 0
logging synchronous
line vty 5 15
!
ntp clock-period 17180392
ntp server xxx
!
end
=======================================
Also fast/cef seems to be enabled on all L3 interfaces:
3550#sh ip int | inc is up|IP fast switching is|CEF switching
Vlan1 is up, line protocol is up
  IP fast switching is enabled
  IP CEF switching is enabled
Vlan4 is up, line protocol is up
  IP fast switching is enabled
  IP CEF switching is enabled
Vlan10 is up, line protocol is up
  IP fast switching is enabled
  IP CEF switching is enabled
FastEthernet0/2 is up, line protocol is up
FastEthernet0/3 is up, line protocol is up
  IP fast switching is enabled
  IP CEF switching is enabled
FastEthernet0/4 is up, line protocol is up
  IP fast switching is enabled
  IP CEF switching is enabled
FastEthernet0/5 is up, line protocol is up
  IP fast switching is enabled
  IP CEF switching is enabled
FastEthernet0/6 is up, line protocol is up
  IP fast switching is enabled
  IP CEF switching is enabled
FastEthernet0/7 is up, line protocol is up
  IP fast switching is enabled
  IP CEF switching is enabled
FastEthernet0/8 is up, line protocol is up
GigabitEthernet0/1 is up, line protocol is up
  IP fast switching is enabled
  IP CEF switching is enabled
Loopback0 is up, line protocol is up
  IP fast switching is disabled

Rodney Dunn wrote on 18/8/2006 20:20:
> Something is wrong.
>
> What is the config?
>
> I'm not too good with the 3550 as that is a L3 capable switch.
>
> But usually it's a feature of some sort configured causing it.
>
> On Fri, Aug 18, 2006 at 07:44:36PM +0300, Tassos Chatzithomaoglou wrote:
>> I have a 3550 (12.1(22)EA8) which is constantly showing high CPU usage:
>>
>> 3550#sh proc cpu
>> CPU utilization for five seconds: 99%/96%; one minute: 97%; five minutes: 97%
>>
>> If I'm not wrong, most of it is due to interrupts and I'm trying to find out what exactly is causing
>> this. The 3550 has 3 SVIs (1 for management), 6 routed interfaces (5 of them have mls qos
>> configured) and 2 L2 interfaces (one is trunk).
>>
>> Also I would like to ask if the following output (only processor used for egress traffic on ALL
>> interfaces) is considered normal for 3550 switches:
>>
>> 3550#sh int stats
>> Vlan1
>>   Switching path       Pkts In    Chars In    Pkts Out   Chars Out
>>   Processor                179       12172         179       10740
>>   Route cache                0           0           0           0
>>   Total                    179       12172         179       10740
>> Vlan4
>>   Switching path       Pkts In    Chars In    Pkts Out   Chars Out
>>   Processor               2806      179584        2806      168360
>>   Route cache             8295      581139           0           0
>>   Total                  11101      760723        2806      168360
>> Vlan10
>>   Switching path       Pkts In    Chars In    Pkts Out   Chars Out
>>   Processor           21993427  2785897656    20910415  2025707486
>>   Route cache       2289603255  1233480520           0           0
>>   Total             2311596682  4019378176    20910415  2025707486
>> Interface FastEthernet0/1 is disabled
>>
>> FastEthernet0/2
>>   Switching path       Pkts In    Chars In    Pkts Out   Chars Out
>>   Processor                  0           0      718962   112668280
>>   Route cache                0           0           0           0
>>   Total                      0           0      718962   112668280
>> FastEthernet0/3
>>   Switching path       Pkts In    Chars In    Pkts Out   Chars Out
>>   Processor              98405     6710609      535543    50002650
>>   Route cache       2288708113  1141208459           0           0
>>   Total             2288806518  1147919068      535543    50002650
>> FastEthernet0/4
>>   Switching path       Pkts In    Chars In    Pkts Out   Chars Out
>>   Processor              89343    11874108   396765671  2089412449
>>   Route cache        543340008  1149008067           0           0
>>   Total              543429351  1160882175   396765671  2089412449
>>
>> ....
>>
>>
>> "sh int switching" shows the same problem for all interfaces: the Fast path has 0 entries for all
>> protocols including IP.
>>
>> Regards,
>> Tassos
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
--
***************************************
Tassos Chatzithomaoglou
Network Design & Development Department
FORTHnet S.A.
<achatz at forthnet.gr>
***************************************
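
Added example (not part of the original post or thread): a short Python parser for the two outputs quoted above. It splits the `sh proc cpu` five-second figure into interrupt and process level, and computes per interface the share of packets that `sh int stats` counts on the Processor path; the sample input is constructed from lines quoted in this message, and the function names are illustrative.

```python
import re

# Constructed sample: lines taken from the outputs quoted in the post.
SAMPLE = """\
CPU utilization for five seconds: 99%/96%; one minute: 97%; five minutes: 97%
Vlan10
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 21993427 2785897656 20910415 2025707486
Route cache 2289603255 1233480520 0 0
Total 2311596682 4019378176 20910415 2025707486
FastEthernet0/4
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 89343 11874108 396765671 2089412449
Route cache 543340008 1149008067 0 0
Total 543429351 1160882175 396765671 2089412449
"""

CPU_RE = re.compile(r"five seconds: (\d+)%/(\d+)%")
ROW_RE = re.compile(r"^(Processor|Route cache|Total)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")
IFACE_RE = re.compile(r"^[A-Za-z][\w/.-]*$")

def cpu_split(text):
    """Return (total, interrupt, process) percent; IOS prints total/interrupt."""
    m = CPU_RE.search(text)
    if m is None:
        return None
    total, intr = int(m.group(1)), int(m.group(2))
    return total, intr, total - intr

def processor_share(text):
    """Per interface: fraction of packets in/out counted on the Processor path."""
    shares, iface, rows = {}, None, {}
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate mail quoting and indentation
        row = ROW_RE.match(line)
        if row and iface:
            rows[row.group(1)] = (int(row.group(2)), int(row.group(4)))
            if row.group(1) == "Total" and "Processor" in rows:
                (p_in, p_out), (t_in, t_out) = rows["Processor"], rows["Total"]
                shares[iface] = {"in": p_in / t_in if t_in else None,
                                 "out": p_out / t_out if t_out else None}
        elif IFACE_RE.match(line):
            iface, rows = line, {}  # a bare interface name starts a new table
    return shares

if __name__ == "__main__":
    print(cpu_split(SAMPLE))
    for name, share in processor_share(SAMPLE).items():
        print(name, share)
```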