[c-nsp] NPE G1, CEF and ACLs and high CPU
Mateusz Błaszczyk
blahu77 at gmail.com
Thu Sep 4 13:00:01 EDT 2008
List,
One of our Edge Routers (NPE-G1, 12.2(28)SB6) (1 Transit, 100+
peerings) is running at a constant ~60% utilization.
When BGP scanner kicks in, it peaks up at 80%.
The box routes around
- input rate 429,009,000 bits/sec, 64,257 packets/sec
- output rate 276,711,000 bits/sec, 61,002 packets/sec
=======================================================
edge#sh proc cpu sorted
CPU utilization for five seconds: 59%/59%; one minute: 62%; five minutes: 61% <---------!!!
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
25 2644284001898122167 139 0.15% 0.38% 0.31% 0 ARP Input
62 2232065721093370453 204 0.15% 0.15% 0.15% 0 IP Input
35 66326072 13016133 5095 0.07% 0.11% 0.08% 0 Net Background
181 470863980 365252356 1289 0.07% 0.10% 0.09% 0 BGP Router
5 227768 783058 290 0.00% 0.00% 0.00% 0 Pool Manager
=======================================================
Most of it is on the Interrupts...
I was checking the cef switching which led me to the ACL on the port....
=======================================================
edge#sh ip cef switching statistics
Path Reason Drop Punt Punt2Host
RP LES Packet destined for us 0 140529659 0
RP LES Unresolved route 10984 0 0
RP LES Features 92 0 0
RP LES Total 11076 140529659 0
RP PAS No route 92517 0 73
RP PAS Packet destined for us 0 140529751 0
RP PAS No adjacency 431407 0 356877
RP PAS Incomplete adjacency 61069 0 479
RP PAS Unresolved route 9035960 0 0
RP PAS Bad checksum 118268 0 0
RP PAS TTL expired 0 0 407737419
RP PAS IP options set 0 0 221250
RP PAS Bad IP packet length 288 0 0
RP PAS Routed to Null0 782828 0 188
RP PAS Features 107260019 0 47245292 <--------------!!!!
RP PAS Total 117782356 140529751 455561578
All Total 117793432 281059410 455561578
edge#sh ip cef switching statistics feature
IPv4 CEF input features:
Path Feature Drop Consume Punt Punt2Host Gave route
RP LES CAR 92 0 0 0 0
RP PAS Access List 91374396 0 0 47245296 0 <--------------!!!!
RP PAS CAR 15885623 0 0 0 0
Total 107260111 0 0 47245296 0
IPv4 CEF output features:
Path Feature Drop Consume Punt Punt2Host New i/f
Total 0 0 0 0 0
IPv4 CEF post-encap features:
Path Feature Drop Consume Punt Punt2Host New i/f
Total 0 0 0 0 0
=======================================================
I see that a lot of punted packets go to the CPU "because of" the ACL...
On the port I have an inbound ACL to protect the infrastructure and
filter off rogue, bogus packets...
For most of the entries it is quite generic - i.e. deny ip src dst,
but some lines explicitly list tcp and udp ports.
My question is - could this (tcp, udp ports) force the router to
execute the ACL in CPU?
Or is it something else?
Thanks in advance for any pointers
PS. Sorry if that topic was munched many times and I am just adding to the chaos...
Best Regards,
--
-mat
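An added example, not part of the original post: a Python parser for `sh ip cef switching statistics feature` output that ranks each CEF feature by its Punt2Host count, so the feature sending traffic to the CPU stands out. The sample text is constructed from the counters quoted in the post and includes a row wrapped over two lines; the function names are hypothetical.

```python
import re

# Constructed sample: counters as quoted in the post; one row is line-wrapped and annotated.
SAMPLE = """\
IPv4 CEF input features:
Path Feature Drop Consume Punt Punt2Host Gave route
RP LES CAR 92 0 0 0 0
RP PAS Access List 91374396 0 0 47245296
0 <--------------!!!!
RP PAS CAR 15885623 0 0 0 0
Total 107260111 0 0 47245296 0
IPv4 CEF output features:
Path Feature Drop Consume Punt Punt2Host New i/f
Total 0 0 0 0 0
"""

# A data row is a text label followed by exactly five counters.
ROW = re.compile(r"^(.*?)\s*((?:\d+\s+){4}\d+)$")

def parse_feature_stats(text):
    """Return one dict per counter row, re-joining rows split by line wrapping."""
    rows, section, pending = [], None, None
    for raw in text.splitlines():
        line = raw.split("<-")[0].strip()      # drop hand-added arrows
        if not line or line.startswith("Path "):
            continue
        if line.endswith("features:"):
            section, pending = line.rstrip(":"), None
            continue
        if pending and line[0].isdigit():      # continuation of a wrapped row
            line = pending + " " + line
        m = ROW.match(line)
        if not m:
            pending = line                     # incomplete row, wait for the rest
            continue
        pending = None
        drop, consume, punt, punt2host, _ = map(int, m.group(2).split())
        rows.append({"section": section, "feature": m.group(1), "drop": drop,
                     "consume": consume, "punt": punt, "punt2host": punt2host})
    return rows

def rank_punt2host(rows):
    """Rank features by Punt2Host, with each feature's share of the total."""
    feats = [r for r in rows if r["feature"] != "Total"]
    total = sum(r["punt2host"] for r in feats)
    ranked = sorted(feats, key=lambda r: r["punt2host"], reverse=True)
    return [(r["feature"], r["drop"], r["punt2host"],
             round(100.0 * r["punt2host"] / total, 1) if total else 0.0)
            for r in ranked]
```

Feeding two snapshots taken a known interval apart and subtracting the counters gives rates rather than lifetime totals.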