Re: High CPU util on 3825
- From: "Thrill5" <nospam@xxxxxxxxxxxxx>
- Date: Tue, 27 Nov 2007 19:18:13 -0500
Yes, it makes better sense to move these functions to a firewall. The
firewall in IOS is not as robust or flexible as a firewall device. If you're
perfectly happy with firewall functionality in IOS, then the AIM-ATM should
fix the CPU issues you have, because the cell assembly/disassembly is done
in hardware on the AIM. Another approach is to use a 7200VXR series or a
7300 series router; on those devices the ATM interfaces also do cell
assembly/disassembly in hardware.
"Sanal Kisi" <sanalkisi@xxxxxxxxx> wrote in message
news:vo2pk3lbuldltjslr6jvd2ji6dk6fngd6l@xxxxxxxxxx
How about moving the ACL, NAT, firewall operations out of the 3825 to
a new appliance?
If this is a better solution, then:
- which box would you suggest?
- would it be worth investing in a more clever appliance that would
also help on IPS, antivirus, URL-filtering etc.?
- if yes, then which box would you suggest?
Regards.
On Mon, 26 Nov 2007 20:27:03 -0500, "Thrill5" <nospam@xxxxxxxxxxxxx>
wrote:
Your problem in a nutshell is that you are running IOS Firewall, NAT and a
high speed ATM interface on a low-end router. If your interface wasn't ATM,
you would probably be OK, but ATM in this case is killing the router. The
problem is that ATM uses cells and the IP packets need to be reassembled into
packets before they can be inspected and NAT performed. If this were a
packet interface, most of this processing would happen in hardware and you
would be much better off. You didn't supply a "show ver" or a "show interface",
but from the "show proc" you see that "IP Input" 20% and "Inspect" 6% are
pretty high. If you add up all the numbers you only get to about 27%, so the
rest of the CPU is being eaten up by hardware interrupt processing. Because
the input interface is ATM, NAT and the packet inspection are being
performed in software. Another good command is "show ip interface", which
would show how many packets are being CEF switched, which in this case I
would bet is pretty low. I would think that an ATM AIM card would help you
out quite a bit here, since this module will offload the ATM processing.
"Trendkill" <jpmason@xxxxxxxxx> wrote in message
news:63925ee2-8495-4e4a-b7ec-f6f5921d856d@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Nov 26, 3:18 pm, Sanal Kisi <sanalk...@xxxxxxxxx> wrote:
Below is the result of "sh proc cpu" which I obtained. The current cpu
util is not very high at the moment though.
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
CPU utilization for five seconds: 72%/42%; one minute: 71%; five minutes: 71%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
1 552 2888 191 0.00% 0.00% 0.00% 0 Chunk Manager
2 185616 508801 364 0.00% 0.01% 0.00% 0 Load Meter
3 0 1 0 0.00% 0.00% 0.00% 0 chkpt message ha
4 4 1 4000 0.00% 0.00% 0.00% 0 EDDRI_MAIN
5 2788460 296095 9417 0.00% 0.07% 0.06% 0 Check heaps
6 1072 3916 273 0.00% 0.00% 0.00% 0 Pool Manager
7 0 2 0 0.00% 0.00% 0.00% 0 Timers
8 296 42399 6 0.00% 0.00% 0.00% 0 IPC Dynamic Cach
9 0 1 0 0.00% 0.00% 0.00% 0 IPC Zone Manager
10 19264 2538693 7 0.00% 0.00% 0.00% 0 IPC Periodic Tim
11 17552 2538711 6 0.00% 0.00% 0.00% 0 IPC Deferred Por
12 0 1 0 0.00% 0.00% 0.00% 0 IPC Seat Manager
13 0 1 0 0.00% 0.00% 0.00% 0 IPC BackPressure
14 0 1 0 0.00% 0.00% 0.00% 0 OIR Handler
15 0 1 0 0.00% 0.00% 0.00% 0 Crash writer
16 139900 508563 275 0.00% 0.00% 0.00% 0 Environmental mo
17 62208 299269 207 0.00% 0.00% 0.00% 0 ARP Input
18 0 2 0 0.00% 0.00% 0.00% 0 ATM Idle Timer
19 4 72 55 0.00% 0.00% 0.00% 0 AAA high-capacit
20 0 1 0 0.00% 0.00% 0.00% 0 AAA_SERVER_DEADT
21 0 1 0 0.00% 0.00% 0.00% 0 Policy Manager
22 0 2 0 0.00% 0.00% 0.00% 0 DDR Timers
23 0 2 0 0.00% 0.00% 0.00% 0 Entity MIB API
24 7222580 93432384 77 0.24% 0.23% 0.24% 0 EEM ED Syslog
25 22488 508585 44 0.00% 0.00% 0.00% 0 HC Counter Timer
26 0 2 0 0.00% 0.00% 0.00% 0 Serial Backgroun
27 0 1 0 0.00% 0.00% 0.00% 0 RO Notify Timers
28 0 2 0 0.00% 0.00% 0.00% 0 SMART
29 24852 2543996 9 0.00% 0.00% 0.00% 0 GraphIt
30 0 2 0 0.00% 0.00% 0.00% 0 Dialer event
31 0 1 0 0.00% 0.00% 0.00% 0 SERIAL A'detect
32 0 2 0 0.00% 0.00% 0.00% 0 XML Proxy Client
33 0 2 0 0.00% 0.00% 0.00% 0 cpf_process_msg_
34 0 1 0 0.00% 0.00% 0.00% 0 Inode Table Dest
35 0 1 0 0.00% 0.00% 0.00% 0 Critical Bkgnd
36 3693876 754571 4895 0.16% 0.13% 0.14% 0 Net Background
37 0 2 0 0.00% 0.00% 0.00% 0 IDB Work
38 9345480 27043789 345 0.32% 0.26% 0.25% 0 Logger
39 33124 2538673 13 0.00% 0.00% 0.00% 0 TTY Background
40 241316 2544091 94 0.00% 0.01% 0.00% 0 Per-Second Jobs
41 0 1 0 0.00% 0.00% 0.00% 0 IKE HA Mgr
42 0 1 0 0.00% 0.00% 0.00% 0 IPSEC HA Mgr
43 4884 38 128526 0.00% 0.00% 0.00% 0 rf task
44 4140 85313 48 0.00% 0.00% 0.00% 0 Net Input
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
45 29456 508811 57 0.00% 0.00% 0.00% 0 Compute load avg
46 845372 43011 19654 0.00% 0.03% 0.00% 0 Per-minute Jobs
47 0 1 0 0.00% 0.00% 0.00% 0 AggMgr Process
48 0 1 0 0.00% 0.00% 0.00% 0 Token Daemon
49 0 1 0 0.00% 0.00% 0.00% 0 dev_device_inser
50 0 1 0 0.00% 0.00% 0.00% 0 dev_device_remov
51 3860 423854 9 0.00% 0.00% 0.00% 0 mxt5100
52 0 1 0 0.00% 0.00% 0.00% 0 sal_dpc_process
53 0 1 0 0.00% 0.00% 0.00% 0 ARL Table Manage
54 0 2 0 0.00% 0.00% 0.00% 0 ESWPPM
55 0 2 0 0.00% 0.00% 0.00% 0 Eswilp Storm Con
56 0 2 0 0.00% 0.00% 0.00% 0 ESWILPPM
57 0 2 0 0.00% 0.00% 0.00% 0 Eswilp Storm Con
58 118640 10174788 11 0.00% 0.00% 0.00% 0 Netclock Backgro
59 0 2 0 0.00% 0.00% 0.00% 0 SM Monitor
60 0 2 0 0.00% 0.00% 0.00% 0 VNM DSPRM MAIN
61 0 1 0 0.00% 0.00% 0.00% 0 DSPFARM DSP READ
62 0 2 0 0.00% 0.00% 0.00% 0 FLEX DNLD MAIN
63 0 1 0 0.00% 0.00% 0.00% 0 HDV background
64 12 192 62 0.00% 0.00% 0.00% 0 CRYPTO IKMP IPC
65 0 1 0 0.00% 0.00% 0.00% 0 RF_INTERDEV_DELA
66 0 1 0 0.00% 0.00% 0.00% 0 RF_INTERDEV_SCTP
67 13120 2538695 5 0.00% 0.00% 0.00% 0 Ether-Switch RBC
68 0 1 0 0.00% 0.00% 0.00% 0 AAL2CPS TIMER_CU
69 0 1 0 0.00% 0.00% 0.00% 0 IGMP Snooping Pr
70 0 1 0 0.00% 0.00% 0.00% 0 IGMP Snooping Re
71 488 84796 5 0.00% 0.00% 0.00% 0 Call Management
72 0 1 0 0.00% 0.00% 0.00% 0 CES Line Conditi
73 0 1 0 0.00% 0.00% 0.00% 0 RF_INTERDEV_SCTP
74 17916 257414 69 0.00% 0.00% 0.00% 0 ATM Periodic
75 0 1 0 0.00% 0.00% 0.00% 0 ATM ARP INPUT
76 21688 257960 84 0.00% 0.00% 0.00% 0 ATM OAM Input
77 18348 263630 69 0.00% 0.00% 0.00% 0 ATM OAM TIMER
78 0 2 0 0.00% 0.00% 0.00% 0 Dot11 auth Dot1x
79 0 1 0 0.00% 0.00% 0.00% 0 Dot11 Mac Auth
80 0 2 0 0.00% 0.00% 0.00% 0 dot1x
81 0 2 0 0.00% 0.00% 0.00% 0 DTP Protocol
82 13968 2538690 5 0.00% 0.00% 0.00% 0 PI MATM Aging Pr
83 1452 254347 5 0.00% 0.00% 0.00% 0 EtherChnl
84 0 2 0 0.00% 0.00% 0.00% 0 AAA Dictionary R
85 8 134 59 0.00% 0.00% 0.00% 0 AAA Server
86 0 1 0 0.00% 0.00% 0.00% 0 AAA ACCT Proc
87 0 1 0 0.00% 0.00% 0.00% 0 ACCT Periodic Pr
88 29876 373334 80 0.00% 0.00% 0.00% 0 CDP Protocol
89 597460472 803703371 743 20.97% 19.69% 19.88% 0 IP Input
90 0 1 0 0.00% 0.00% 0.00% 0 ICMP event handl
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
91 0 74 0 0.00% 0.00% 0.00% 0 TurboACL
92 0 2 0 0.00% 0.00% 0.00% 0 TurboACL chunk
93 156 4237 36 0.00% 0.00% 0.00% 0 MOP Protocols
94 0 3 0 0.00% 0.00% 0.00% 0 PPP Hooks
95 212 81 2617 0.00% 0.13% 0.03% 322 SSH Process
96 0 1 0 0.00% 0.00% 0.00% 0 SSS Manager
97 2436 339153 7 0.00% 0.00% 0.00% 0 SSS Test Client
98 0 1 0 0.00% 0.00% 0.00% 0 SSS Feature Mana
99 123212 9936585 12 0.00% 0.00% 0.00% 0 SSS Feature Time
100 0 1 0 0.00% 0.00% 0.00% 0 VPDN call manage
101 0 1 0 0.00% 0.00% 0.00% 0 L2X Socket proce
102 0 1 0 0.00% 0.00% 0.00% 0 L2X SSS manager
103 0 2 0 0.00% 0.00% 0.00% 0 L2TP mgmt daemon
104 0 1 0 0.00% 0.00% 0.00% 0 X.25 Encaps Mana
105 0 2 0 0.00% 0.00% 0.00% 0 EAPoUDP Process
106 0 2 0 0.00% 0.00% 0.00% 0 IP Host Track Pr
107 0 1 0 0.00% 0.00% 0.00% 0 IPv6 RIB Redistr
108 0 2 0 0.00% 0.00% 0.00% 0 KRB5 AAA
109 0 1 0 0.00% 0.00% 0.00% 0 IP Traceroute
110 15024 84724 177 0.00% 0.00% 0.00% 0 IP Background
111 1612 42461 37 0.00% 0.00% 0.00% 0 IP RIB Update
112 0 2 0 0.00% 0.00% 0.00% 0 PPP IP Route
113 0 2 0 0.00% 0.00% 0.00% 0 PPP IPCP
114 139424 3924036 35 0.00% 0.00% 0.00% 0 CEF process
115 23712 2535102 9 0.00% 0.00% 0.00% 0 Socket Timers
116 236 6474 36 0.00% 0.00% 0.00% 0 TCP Timer
117 56 55 1018 0.00% 0.00% 0.00% 0 TCP Protocols
118 0 1 0 0.00% 0.00% 0.00% 0 COPS
119 4
...
Do it when it's high, and focus on the heavy hitters. If it's NAT and
other processor intensive processes, plus the full BGP routing table
(although I only see a default route so this may be a moot point),
then you may have just exhausted the processor on this smaller
router. A 3800 should handle the internet portion with no problem,
but never used them for NAT, etc. The show proc cpu should help
determine the issue. If this is the case, I would look for any
potential config issues (which guys/gals on here should be able to
help point out), and if there are none, then you may just need more
horsepower. Hope this helps.
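
Added example (not part of any post in this thread): a small Python parser for pasted "sh proc cpu" output that splits the five-second figure, which IOS prints as total%/interrupt%, into interrupt-level and process-level CPU and ranks the heavy hitters, re-joining process names that mail clients wrapped onto the next line. The function names are hypothetical and the sample rows are copied from the output quoted above.

```python
import re

# Rows copied from the "sh proc cpu" output posted in this thread, including
# the mail-wrapped process names; only a handful are used to keep it short.
SAMPLE = """\
CPU utilization for five seconds: 72%/42%; one minute: 71%; five
minutes: 71%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
24 7222580 93432384 77 0.24% 0.23% 0.24% 0 EEM ED
Syslog
36 3693876 754571 4895 0.16% 0.13% 0.14% 0 Net
Background
38 9345480 27043789 345 0.32% 0.26% 0.25% 0 Logger
89 597460472 803703371 743 20.97% 19.69% 19.88% 0 IP
Input
"""

SUMMARY = re.compile(r"five seconds:\s*(\d+)%/(\d+)%")
ROW = re.compile(r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+[\d.]+%\s+[\d.]+%\s+\d+\s*(.*)$")
HEADER = re.compile(r"^\s*PID\s+Runtime")

def parse_show_proc_cpu(text):
    """Return (total %, interrupt %, [process dicts]) from the pasted output."""
    m = SUMMARY.search(text)
    if m is None:
        raise ValueError("no 'CPU utilization for five seconds' line found")
    procs = []
    for line in text.splitlines():
        row = ROW.match(line)
        if row:
            procs.append({"pid": int(row.group(1)), "five_sec": float(row.group(2)),
                          "name": row.group(3).strip()})
        elif procs and line.strip() and not HEADER.match(line):
            # Wrapped line: the rest of the previous row's process name.
            procs[-1]["name"] = (procs[-1]["name"] + " " + line.strip()).strip()
    return int(m.group(1)), int(m.group(2)), procs

def summarize(text, top=3):
    total, interrupt, procs = parse_show_proc_cpu(text)
    heavy = sorted(procs, key=lambda p: p["five_sec"], reverse=True)[:top]
    return {
        "total": total,
        "interrupt": interrupt,
        "process_level": total - interrupt,  # CPU spent in scheduled processes
        "listed_sum": round(sum(p["five_sec"] for p in procs), 2),
        "top": [(p["name"], p["five_sec"]) for p in heavy],
        "interrupt_bound": interrupt > total - interrupt,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

When interrupt-level CPU exceeds process-level CPU, the per-process table will not account for most of the load, so the interface and switching-path counters are the next place to look.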