fox_m Posted September 12, 2012

Hi all. I have a stack of two C3750s carrying multicast streams of about 600 Mbit/s. I have started noticing that CPU load periodically jumps to 50%, although the average load is about 15%. As it turned out, the hl3mm process is what loads the system. As I understand it, it is somehow related to multicast. Can you suggest where to dig?

CPU utilization for five seconds: 21%/0%; one minute: 12%; five minutes: 14%
 PID Runtime(ms)   Invoked  uSecs    5Sec   1Min   5Min TTY Process
 127    38311260   2474999  15479  13.11%  5.23%  7.78%   0 hl3mm
 299        5984      1551   3858   1.11%  0.14%  0.17%   1 Virtual Exec
 360     2028464  38896899     52   0.47%  0.25%  0.27%   0 PIM Process
  74       43621   1569481     27   0.31%  0.02%  0.00%   0 Per-Second Jobs
   3       17705     61092    289   0.15%  0.03%  0.00%   0 MSDP Process
 160      956725  45452151     21   0.15%  0.11%  0.14%   0 Hulc LED Process
 146       28384   7725032      3   0.15%  0.01%  0.00%   0 Hulc Storm Contr

[CPU history graph: CPU% per minute (last 60 minutes); * = maximum CPU%, # = average CPU%]
0pl0pl Posted September 12, 2012

http://www.anticisco.ru/forum/viewtopic.php?f=2&t=1058
fox_m Posted September 12, 2012

http://www.anticisco.ru/forum/viewtopic.php?f=2&t=1058

Thanks, I have already looked at that article. I have not applied the ACL yet. If I understood correctly, with that kind of DoS a large number of "bogus" (*,G) routes would show up in the mroute table, but I am not seeing any. Though I admit I may have misunderstood something.
0pl0pl Posted September 12, 2012

sh platform tcam utilization
sh ip arp sum
sh mac address-table count | i Space
sh ver
show sdm prefer
fox_m Posted September 13, 2012

CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values

 Unicast mac addresses:                        784/6272         20/80
 IPv4 IGMP groups + multicast routes:          152/1216         72/531
 IPv4 unicast directly-connected routes:       784/6272         20/80
 IPv4 unicast indirectly-connected routes:     280/2240         48/260
 IPv4 policy based routing aces:                 0/0             0/0
 IPv4 qos aces:                                768/768         260/260
 IPv4 security aces:                          1024/1024         40/40

Note: Allocation of TCAM entries per feature uses
a complex algorithm. The above information is meant
to provide an abstract view of the current TCAM utilization

32 IP ARP entries, with 0 of them incomplete

Total Mac Address Space Available: 5944

Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(58)SE2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Thu 21-Jul-11 01:53 by prod_rel_team

ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

RUBL-HE-SW2-STACK uptime is 2 weeks, 5 days, 22 hours, 6 minutes
System returned to ROM by power-on
System image file is "flash:c3750-ipservicesk9-mz.122-58.SE2.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C3750G-24TS-1U (PowerPC405) processor (revision E0) with 131072K bytes of memory.
Processor board ID FOC1245W38Q
Last reset from power-on
17 Virtual Ethernet interfaces
56 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:23:EA:8B:95:00
Motherboard assembly number     : 73-10219-07
Power supply part number        : 341-0098-02
Motherboard serial number       : FOC12451CXR
Power supply serial number      : AZS1243023Q
Model revision number           : E0
Motherboard revision number     : C0
Model number                    : WS-C3750G-24TS-S1U
System serial number            : FOC1245W38Q
Top Assembly Part Number        : 800-26859-01
Top Assembly Revision Number    : D0
Version ID                      : V03
CLEI Code Number                : CNMWS00ARC
Hardware Board Revision Number  : 0x09

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 28    WS-C3750G-24TS-1U  12.2(58)SE2           C3750-IPSERVICESK9-M
     2 28    WS-C3750G-24TS-1U  12.2(58)SE2           C3750-IPSERVICESK9-M

Switch 02
---------
Switch Uptime                   : 2 weeks, 5 days, 22 hours, 5 minutes
Base ethernet MAC Address       : 00:18:19:38:4A:80
Motherboard assembly number     : 73-9637-08
Power supply part number        : 341-0098-02
Motherboard serial number       : FOC10231EYT
Power supply serial number      : DCA10190DQJ
Model revision number           : C0
Motherboard revision number     : A0
Model number                    : WS-C3750G-24TS-S1U
System serial number            : FOC1023Y34H
SFP Module assembly part number : 73-7757-03
SFP Module revision number      : A0
SFP Module serial number        : CAT10171E01
Top assembly part number        : 800-25730-02
Top assembly revision number    : B0
Version ID                      : V02
CLEI Code Number                : CNMWS00ARB

Configuration register is 0xF

The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K
0pl0pl Posted September 13, 2012

It's possibly an "igmp flood". Try debug igmp or "monitor session" with Wireshark on a PC.

For Cisco, for example:

monitor session 1 destination interface gigabitEthernet 2/0/20
monitor session 1 source interface gigabitEthernet 1/0/10 tx
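
An added example, not part of the thread: once the SPAN session suggested above mirrors traffic to a PC and the capture is saved as a classic pcap file, counting IGMP packets per source shows whether a host is flooding the switch CPU with IGMP. The function names, the 10 packets-per-second threshold and the embedded sample capture are assumptions constructed for illustration.

```python
import socket
import struct
from collections import Counter

IGMP_TYPES = {0x11: "query", 0x16: "v2-report", 0x17: "leave", 0x22: "v3-report"}

def igmp_counts(pcap: bytes):
    """Return (Counter[(src_ip, igmp_type)], capture duration in seconds)."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian, microsecond-resolution pcap")
    counts, off, first, last = Counter(), 24, None, None
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        last = sec + usec / 1e6
        first = last if first is None else first
        l3 = 18 if frame[12:14] == b"\x81\x00" else 14   # skip one 802.1Q tag
        ip = frame[l3:]
        if frame[l3 - 2:l3] != b"\x08\x00" or len(ip) < 20 or ip[9] != 2:
            continue                                     # not IPv4 or not IGMP
        ihl = (ip[0] & 0x0F) * 4                         # header may carry Router Alert
        if len(ip) > ihl:
            kind = IGMP_TYPES.get(ip[ihl], hex(ip[ihl]))
            counts[(socket.inet_ntoa(ip[12:16]), kind)] += 1
    return counts, (last - first) if first is not None else 0.0

def noisy_sources(pcap: bytes, max_pps: float = 10.0):
    """Sources whose IGMP packet rate exceeds max_pps (threshold is an assumption)."""
    counts, secs = igmp_counts(pcap)
    per_src = Counter()
    for (src, _kind), n in counts.items():
        per_src[src] += n
    secs = max(secs, 1.0)
    return {s: n / secs for s, n in per_src.items() if n / secs > max_pps}

def _frame(src: str, igmp_type: int, group: str) -> bytes:
    igmp = struct.pack("!BBH4s", igmp_type, 0, 0, socket.inet_aton(group))
    ip = struct.pack("!BBHHHBBH4s4s", 0x46, 0xC0, 24 + len(igmp), 0, 0, 1, 2, 0,
                     socket.inet_aton(src), socket.inet_aton(group)) + b"\x94\x04\x00\x00"
    return b"\x01\x00\x5e\x01\x01\x01" + b"\x02" * 6 + b"\x08\x00" + ip + igmp

def sample_pcap() -> bytes:
    # Constructed capture (checksums left at zero; the parser does not verify them):
    # 10.0.0.5 sends 300 v2 reports in about 10 s, 10.0.0.9 sends a single report.
    pkts = [(i / 30.0, _frame("10.0.0.5", 0x16, "239.1.1.%d" % (i % 200 + 1)))
            for i in range(300)] + [(9.99, _frame("10.0.0.9", 0x16, "239.1.1.1"))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, f in pkts:
        out += struct.pack("<IIII", int(ts), int(ts % 1 * 1e6), len(f), len(f)) + f
    return out
```

On a real capture, pass the file contents (`open(path, "rb").read()`) to `noisy_sources`; pcapng files need converting to classic pcap first.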
fox_m Posted September 13, 2012

Ok. Thanks, I'll try.