[c-nsp] 3550 CPU Usage & IPSec

randal k cisconsp at data102.com
Fri Nov 21 12:56:17 EST 2008


Excuse my typo; my original answer of "IP Input" was completely wrong,
since it's pretty easy to get them confused. I'm looking at it now and
it's purely Interrupt traffic.

dist03.cos01#show proc cpu
CPU utilization for five seconds: 26%/24%; one minute: 25%; five minutes: 26%

No, I'm not running anything on the 3550, it's purely a packet pusher.
It is a 3550-12T, and hanging off of it is the customer's 3560g-24TS
and VPN3000. All of the tunnels terminate on the Concentrator - the
3550 just does some basic layer3 forwarding and has no features.

Net -- 7206edge -- 6509core --- 3550dist --- 3560customer/VPN3000customer

That's why I find it a little bit odd that just forwarding IPSec
packets (not originating/terminating them) is hitting the CPU.

Randal

On Fri, Nov 21, 2008 at 4:31 AM, Gert Doering <gert at greenie.muc.de> wrote:
> Hi,
>
> On Thu, Nov 20, 2008 at 02:15:15PM -0700, randal k wrote:
>> The process is always IP Input. I'm pretty confident that it is IPSec
>> traffic, as this customer's traffic is overwhelmingly the VPN tunnels;
>> my 3550's CPU graph is an exact copy of his interface's traffic graph.
>
> "something is weird".  Normally, the 3550 shouldn't care at all what
> is inside those IPSEC packets, unless you have MTU issues and it needs
> to do fragmentation.
>
> Or are you running the IPSEC *on the 3550*?
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                           //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert at greenie.muc.de
> fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
>

