
7301 high cpu util.

Good day, colleagues, please help me think this through.

There is a 7301 with a VAM2+ module. It terminates IPIP tunnels over IPsec.

It also receives a BGP FV, and OSPF runs inside the tunnels.


From time to time the Cisco becomes unresponsive, and pings rise to thousands of milliseconds.


adm_c7301_rou_1#sh processes cpu sorted | exclude 0.00%
CPU utilization for five seconds: 87%/81%; one minute: 94%; five minutes: 93%
PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process 
305     3757644      165886      22651  1.61%  1.23%  1.25%   0 Per-Second Jobs  
 92     5666156    10491953        540  1.04%  1.45%  1.38%   0 IP Input         
320      571828    34798240         16  0.56%  0.40%  0.40%   0 IP SLAs XOS Even 
334     2801636     1267161       2210  0.47%  1.31%  1.43%   0 OSPF-1 Router    
170      613780       16596      36983  0.47%  0.18%  0.17%   0 QoS stats proces 
 49      343196       68362       5020  0.37%  0.14%  0.12%   0 Net Background   
337      642316     2722164        235  0.37%  0.32%  0.32%   0 OSPF-1 Hello     
324     1860140     4042298        460  0.28%  0.75%  0.57%   0 SNMP ENGINE      
171      197312    34734689          5  0.28%  0.16%  0.17%   0 HQF Output Shape 
312      480704      160000       3004  0.18%  0.16%  0.16%   0 CFT Timer Proces 
  2       40156       33190       1209  0.09%  0.13%  0.10%   0 Load Meter       
327      419700       36973      11351  0.09%  0.29%  0.25%   0 SNMP Traps       
 88       60860     4628565         13  0.09%  0.06%  0.04%   0 IPAM Manager     
322     2258816     8127630        277  0.09%  0.88%  0.65%   0 IP SNMP          
235       36456     5017271          7  0.09%  0.02%  0.01%   0 MMON MENG        


This is the load, and higher, at the time of the problems.

It is unclear what is loading it.


Typical tunnel configuration:


interface Tunnel10101
 ip address
 ip access-group DMZ_IN in
 ip access-group DMZ_OUT out
 ip mtu 1450
 ip ospf network point-to-point
 ip ospf mtu-ignore
 ip ospf 1 area
 ip ospf cost 10
 tunnel source
 tunnel mode ipip
 tunnel destination
 tunnel protection ipsec profile ipsec-aes
 service-policy output Tunnel_10M

class-map match-all SNMP
 match access-group name SNMP
class-map match-all TELNET
 match access-group name TELNET
class-map match-all WSUS
 match access-group name WSUS
class-map match-all WINBOX
 match access-group name WINBOX
class-map match-all EMULFR
 match access-group name EMULFR
class-map match-all OSPF
 match protocol ospf
class-map match-all ICMP
 match protocol icmp
class-map match-all HTTP
 match access-group name HTTP
class-map match-all Web_Base
 match access-group name Web_Base
class-map match-all ADM_SRV
 match access-group name ADM_SRV
class-map match-all FTP
 match access-group name FTP
class-map match-all RDP
 match access-group name RDP-QOS
class-map match-all NTP
 match access-group name NTP
class-map match-all SIP
 match access-group name SIP
class-map match-all HTTPS
 match access-group name HTTPS
class-map match-all MCAFE
 match access-group name MCAFE
class-map match-all RTP
 match protocol rtp
class-map match-all DNS
 match access-group name DNS
class-map match-all 1C
 match access-group name CITRIX

policy-map Tunnel-child
 class OSPF
  bandwidth percent 2
 class ICMP
  bandwidth percent 1
 class NTP
  bandwidth percent 1
 class TELNET
  bandwidth percent 1
 class RDP
  bandwidth percent 5
 class 1C
  bandwidth percent 10
 class Web_Base
  bandwidth percent 20
 class WINBOX
  bandwidth percent 2
 class SNMP
  bandwidth percent 2
 class SIP
  bandwidth percent 5
 class DNS
  bandwidth percent 2
 class HTTP
  bandwidth percent 10
 class HTTPS
  bandwidth percent 10
 class FTP
  bandwidth percent 2
 class EMULFR
  bandwidth percent 2
 class WSUS
  police cir percent 2
 class MCAFE
  police cir percent 2
 class ADM_SRV
  bandwidth percent 15
 class RTP
  bandwidth percent 2
 class class-default

policy-map Tunnel_10M
 class class-default
  shape average 10000000
  police rate 10000000
   violate-action drop
  service-policy Tunnel-child

Nothing unusual, really.

There isn't that much traffic through the box... only 50-100 megabits.

Edited by myst


The NPE-G1 gets loaded heavily by shapers; maybe limit yourself to policers where possible.

Otherwise, the standard recommendations for reducing CPU load, such as:

1. Disable proxy-arp, redirects and the like wherever possible

2. Enable "access-list compiled"


It might help.

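In IOS `show processes cpu` output, the header pair `87%/81%` is total CPU followed by the part spent at interrupt level, so the process table only accounts for the difference between the two. The following is an added example, not part of either post (the function and field names are illustrative), that parses the output quoted in the opening post and makes that split explicit:

```python
import re

# Output quoted in the opening post of this thread (trailing spaces trimmed).
SAMPLE = """\
CPU utilization for five seconds: 87%/81%; one minute: 94%; five minutes: 93%
PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
305     3757644      165886      22651  1.61%  1.23%  1.25%   0 Per-Second Jobs
 92     5666156    10491953        540  1.04%  1.45%  1.38%   0 IP Input
320      571828    34798240         16  0.56%  0.40%  0.40%   0 IP SLAs XOS Even
334     2801636     1267161       2210  0.47%  1.31%  1.43%   0 OSPF-1 Router
170      613780       16596      36983  0.47%  0.18%  0.17%   0 QoS stats proces
 49      343196       68362       5020  0.37%  0.14%  0.12%   0 Net Background
337      642316     2722164        235  0.37%  0.32%  0.32%   0 OSPF-1 Hello
324     1860140     4042298        460  0.28%  0.75%  0.57%   0 SNMP ENGINE
171      197312    34734689          5  0.28%  0.16%  0.17%   0 HQF Output Shape
312      480704      160000       3004  0.18%  0.16%  0.16%   0 CFT Timer Proces
  2       40156       33190       1209  0.09%  0.13%  0.10%   0 Load Meter
327      419700       36973      11351  0.09%  0.29%  0.25%   0 SNMP Traps
 88       60860     4628565         13  0.09%  0.06%  0.04%   0 IPAM Manager
322     2258816     8127630        277  0.09%  0.88%  0.65%   0 IP SNMP
235       36456     5017271          7  0.09%  0.02%  0.01%   0 MMON MENG
"""

HEADER_RE = re.compile(r"CPU utilization for five seconds: (\d+)%/(\d+)%")
ROW_RE = re.compile(  # captures the 5Sec column and the process name
    r"^\s*\d+\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+[\d.]+%\s+[\d.]+%\s+\d+\s+(.+?)\s*$"
)

def analyze(text, interrupt_share=0.5):
    """Split the 5-second CPU figure into interrupt- and process-level load."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no 'CPU utilization' header found")
    total, interrupt = int(m.group(1)), int(m.group(2))
    # (process name, 5Sec %) for every table row; header lines do not match.
    procs = [(r.group(2), float(r.group(1))) for r in map(ROW_RE.match, text.splitlines()) if r]
    return {
        "total": total,
        "interrupt": interrupt,
        "process": total - interrupt,  # what the process table can explain
        "listed_sum": round(sum(p for _, p in procs), 2),
        "top": max(procs, key=lambda x: x[1])[0] if procs else None,
        "interrupt_bound": total > 0 and interrupt / total >= interrupt_share,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

For the quoted output the listed processes add up to about 6%, which matches 87% minus 81%, so no single process in the table stands out.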
