7301 high cpu util.

Good day, colleagues, help me think this through.

There is a 7301 with a VAM2+ module. It terminates IPIP tunnels over IPsec.

It also receives a BGP full view, and OSPF runs inside the tunnels.

From time to time the Cisco zones out, and pings rise to thousands of milliseconds.

adm_c7301_rou_1#sh processes cpu sorted | exclude 0.00%
CPU utilization for five seconds: 87%/81%; one minute: 94%; five minutes: 93%
PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process 
305     3757644      165886      22651  1.61%  1.23%  1.25%   0 Per-Second Jobs  
 92     5666156    10491953        540  1.04%  1.45%  1.38%   0 IP Input         
320      571828    34798240         16  0.56%  0.40%  0.40%   0 IP SLAs XOS Even 
334     2801636     1267161       2210  0.47%  1.31%  1.43%   0 OSPF-1 Router    
170      613780       16596      36983  0.47%  0.18%  0.17%   0 QoS stats proces 
 49      343196       68362       5020  0.37%  0.14%  0.12%   0 Net Background   
337      642316     2722164        235  0.37%  0.32%  0.32%   0 OSPF-1 Hello     
324     1860140     4042298        460  0.28%  0.75%  0.57%   0 SNMP ENGINE      
171      197312    34734689          5  0.28%  0.16%  0.17%   0 HQF Output Shape 
312      480704      160000       3004  0.18%  0.16%  0.16%   0 CFT Timer Proces 
  2       40156       33190       1209  0.09%  0.13%  0.10%   0 Load Meter       
327      419700       36973      11351  0.09%  0.29%  0.25%   0 SNMP Traps       
 88       60860     4628565         13  0.09%  0.06%  0.04%   0 IPAM Manager     
322     2258816     8127630        277  0.09%  0.88%  0.65%   0 IP SNMP          
235       36456     5017271          7  0.09%  0.02%  0.01%   0 MMON MENG        

 

This is the load, and higher, at the time of the problems.

It's unclear what is loading it.

Typical tunnel configuration:

interface Tunnel10101
 ip address 172.21.0.1 255.255.255.252
 ip access-group DMZ_IN in
 ip access-group DMZ_OUT out
 ip mtu 1450
 ip ospf network point-to-point
 ip ospf mtu-ignore
 ip ospf 1 area 0.0.0.0
 ip ospf cost 10
 tunnel source 11.1.11.1
 tunnel mode ipip
 tunnel destination 111.11.22.22
 tunnel protection ipsec profile ipsec-aes
 service-policy output Tunnel_10M

class-map match-all SNMP
 match access-group name SNMP
class-map match-all TELNET
 match access-group name TELNET
class-map match-all WSUS
 match access-group name WSUS
class-map match-all WINBOX
 match access-group name WINBOX
class-map match-all EMULFR
 match access-group name EMULFR
class-map match-all OSPF
 match protocol ospf
class-map match-all ICMP
 match protocol icmp
class-map match-all HTTP
 match access-group name HTTP
class-map match-all Web_Base
 match access-group name Web_Base
class-map match-all ADM_SRV
 match access-group name ADM_SRV
class-map match-all FTP
 match access-group name FTP
class-map match-all RDP
 match access-group name RDP-QOS
class-map match-all NTP
 match access-group name NTP
class-map match-all SIP
 match access-group name SIP
class-map match-all HTTPS
 match access-group name HTTPS
class-map match-all MCAFE
 match access-group name MCAFE
class-map match-all RTP
 match protocol rtp
class-map match-all DNS
 match access-group name DNS
class-map match-all 1C
 match access-group name CITRIX
!
policy-map Tunnel-child
 class OSPF
  bandwidth percent 2
 class ICMP
  bandwidth percent 1
 class NTP
  bandwidth percent 1
 class TELNET
  bandwidth percent 1
 class RDP
  bandwidth percent 5
 class 1C
  bandwidth percent 10
 class Web_Base
  bandwidth percent 20
 class WINBOX
  bandwidth percent 2
 class SNMP
  bandwidth percent 2
 class SIP
  bandwidth percent 5
 class DNS
  bandwidth percent 2
 class HTTP
  bandwidth percent 10
 class HTTPS
  bandwidth percent 10
 class FTP
  bandwidth percent 2
 class EMULFR
  bandwidth percent 2
 class WSUS
  police cir percent 2
 class MCAFE
  police cir percent 2
 class ADM_SRV
  bandwidth percent 15
 class RTP
  bandwidth percent 2
 class class-default
  fair-queue
  random-detect
policy-map Tunnel_10M
 class class-default
  shape average 10000000
  police rate 10000000
   violate-action drop
  service-policy Tunnel-child

Nothing unusual, really.

There isn't that much traffic through the box... only 50-100 megabits.

Edited by myst


The NPE-G1 gets loaded heavily by shapers; maybe limit yourself to policers where possible.

Otherwise, the standard recommendations for reducing CPU load, such as:

1. Disable proxy-arp, redirects and the like wherever possible

2. Enable "access-list compiled"

It might help.
