[c-nsp] 3550 CPU Usage & IPSec

randal k cisconsp at data102.com
Thu Nov 20 16:15:15 EST 2008


Mateusz,
The process is always IP Input. I'm pretty confident that it is IPSec
traffic, as this customer's traffic is overwhelmingly the VPN tunnels;
my 3550's CPU graph is an exact copy of his interface's traffic graph.

The adverse effects listed are not really doable in production, which
is why the closest I've come to diagnosing is monitoring his port and
verifying that 95% of his traffic is VPN-related (various types of
tunnels). Thus the question as to whether or not it is general
knowledge that encrypted traffic hurts 3550s.

Thanks!
Randal

On Thu, Nov 20, 2008 at 12:43 PM, Mateusz Błaszczyk <blahu77 at gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Randal,
>
>> I have a customer who started selling a landed a largish VPN contract
>> for people all over the world. Since then, he pushes about 40mbps of
>> IPSec traffic, which is growing steadily. Around the same time I
>> noticed that CPU usage on the distribution 3550 that he is attached to
>> started going up (has always been ~1%); it is now running between
>> 20-35% depending on the time of day.
>
> what is the major cpu eater?
> show proc cpu sorted?
>
>> My only guess is that 3550s switch IPSec packets in software. Is this the case?
>>
>> This Cisco document that I found agrees, but it is extremely vague:
>>
>> http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00801c2af3.shtml
>> -Traffic that cannot be interrupt-switched arrives
>>  #IP packets with options
>
> try denying packets with ip options... but
> 1) it may break customers vpn (I have no idea if it is needed for vpn)
> 2) it may have adverse effect - switch would have to process switch
> packets to find out which have ip options, essentially process
> switching everything...
>
>
> BRs,
>
> - -mat
>
> - --
> pgp-key 0x1C655CAB
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFJJb3F+BuaDRxlXKsRAhfQAJ0TUCuRNS9BnsVGpbmXz/8t64LawwCgku5m
> fF2/uaGpYQrtLrnwVGx5uno=
> =eu1X
> -----END PGP SIGNATURE-----
>
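The thread turns on one question: is the IP Input process, rather than interrupt-level switching, eating the CPU, and how much of it? The following script is an added example, not code from either poster, that parses the output of the `show processes cpu sorted` command Mateusz suggests and reports the process-switched share and the top consumer. The sample output embedded in it is constructed to mirror the layout of IOS output; the PIDs, runtimes and percentages are invented and are not figures from the 3550 in the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the layout of IOS "show processes cpu sorted".
# All numbers are invented; they are not measurements from the switch in the thread.
SAMPLE_OUTPUT = """\
CPU utilization for five seconds: 34%/12%; one minute: 31%; five minutes: 29%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  50     1234567   9876543        125 19.30% 18.10% 17.40%   0 IP Input
  23      234567   1234567        190  2.40%  2.20%  2.10%   0 Spanning Tree
  17       98765    765432        129  0.80%  0.70%  0.70%   0 CDP Protocol
"""

# "34%/12%" means 34% total over five seconds, of which 12% was spent at
# interrupt level; the difference is what the scheduled processes consumed.
HEADER_RE = re.compile(
    r"five seconds: (\d+)%/(\d+)%; one minute: (\d+)%; five minutes: (\d+)%"
)
ROW_RE = re.compile(
    r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+"          # PID, runtime, invoked, usecs
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+"    # 5Sec, 1Min, 5Min
    r"\S+\s+(.+?)\s*$"                         # TTY, process name
)


@dataclass
class ProcessLoad:
    pid: int
    five_sec: float
    one_min: float
    five_min: float
    name: str


@dataclass
class CpuSummary:
    total_5s: int
    interrupt_5s: int
    one_min: int
    five_min: int
    processes: list = field(default_factory=list)

    @property
    def process_level_5s(self) -> int:
        """CPU spent in scheduled processes (total minus interrupt level)."""
        return self.total_5s - self.interrupt_5s


def parse_show_proc_cpu(text: str) -> CpuSummary:
    """Parse the header line and per-process rows of 'show processes cpu sorted'."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no CPU utilization header found")
    summary = CpuSummary(*(int(g) for g in header.groups()))
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            pid, s5, m1, m5, name = row.groups()
            summary.processes.append(
                ProcessLoad(int(pid), float(s5), float(m1), float(m5), name)
            )
    return summary


def top_process(summary: CpuSummary) -> ProcessLoad:
    """Process with the highest five-minute average (the stable window)."""
    return max(summary.processes, key=lambda p: p.five_min)


def process_share(summary: CpuSummary, name: str) -> float:
    """Fraction of five-minute total CPU attributable to the named process."""
    load = sum(p.five_min for p in summary.processes if p.name == name)
    return load / summary.five_min if summary.five_min else 0.0


def ip_input_dominant(summary: CpuSummary, threshold: float = 0.5) -> bool:
    """True when IP Input alone accounts for more than `threshold` of the CPU,
    i.e. most of the load is process switching rather than interrupt switching."""
    return process_share(summary, "IP Input") > threshold


if __name__ == "__main__":
    s = parse_show_proc_cpu(SAMPLE_OUTPUT)
    print(f"total {s.total_5s}%, interrupt {s.interrupt_5s}%, "
          f"process level {s.process_level_5s}%")
    print(f"top process: {top_process(s).name} "
          f"({process_share(s, 'IP Input'):.0%} of five-minute CPU)")
    print("IP Input dominant:", ip_input_dominant(s))
```

Reading the header this way separates the two halves of the thread's question: a high interrupt-level figure points at the fast path, while a large process-level remainder with IP Input on top is the pattern Randal describes, so the script is a cheap way to watch the ratio over time against the customer's traffic graph.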