[c-nsp] 3550 CPU Usage & IPSec

randal k cisconsp at data102.com
Fri Nov 21 17:17:59 EST 2008


Burton,
There is already ~150mbps of other traffic flowing through this
switch, all of which generates approximately zero CPU, which is how it
looks for 11 other active 3550s, all pushing hundreds of mbps; they're
extremely good at high pps layer 3 with very little CPU usage. Yes,
cef is on everywhere.

The thing that draws the attention here is that it is the only 3550 in
our network that has more than 1-2% CPU. Of all of the customers
attached to this switch, his is the only port whose graph is an exact
match for the CPU usage, and his traffic is overwhelmingly IPSec. I
guess I could move him to a different 3550 distribution switch and see
if the problem follows.

Thanks for your continued input -
Randal




On Fri, Nov 21, 2008 at 11:17 AM, Burton Windle <bwindle at fint.org> wrote:
> I could be very wrong here, but I thought that if the usage is in the
> interrupt, then the CPU usage is just because of the volume of traffic, not
> the contents. But don't quote me on that.
>
> Easy way to test would be to push a similar volume of non-IPSec traffic and
> see what the CPU does.
>
>
> --
> Burton Windle                           bwindle at fint.org
>
>
> On Fri, 21 Nov 2008, randal k wrote:
>
>> Excuse my typo, my original answer of "IP Input" was completely wrong,
>> since it's pretty easy to get them confused. I'm looking at it now and
>> it's purely Interrupt traffic.
>>
>> dist03.cos01#show proc cpu
>> CPU utilization for five seconds: 26%/24%; one minute: 25%; five minutes: 26%
>>
>> No, I'm not running anything on the 3550, it's purely a packet pusher.
>> It is a 3550-12T, and hanging off of it is the customer's 3560g-24TS
>> and VPN3000. All of the tunnels terminate on the Concentrator - the
>> 3550 just does some basic layer3 forwarding and has no features.
>>
>> Net -- 7206edge -- 6509core --- 3550dist --- 3560customer/VPN3000customer
>>
>> That's why I find it a little bit odd that just forwarding IPSec
>> packets (not originating/terminating them) is hitting the CPU.
>>
>> Randal
>>
>

