High CPU – IP Input on Cisco Router

Posted on November 21, 2007. Filed under: Cisco |

Proses “IP input” pada Cisco (terlihat dalam persentase saat SH PROC CPU) menghandle process-switching Packet IP. Bila proses IP Input menggunakan CPU lebih tinggi dari biasanya, berarti router anda melakukan proses switching IP traffic lebih banyak.

Bila memang anda melakukan configuration tambahan dan menyadarinya akan ada kenaikan CPU, tidak ada masalah. Namun bila lonjakan terjadi tiba-tiba, silakan check beberapa Issue berikut :

  • Interrupt switching is disabled on an interface (or interfaces) that has (have) a lot of trafficInterrupt switching refers to the use of switching algorithms other than process switching. Examples include fast switching, optimum switching, Cisco Express Forwarding switching, and so on (refer to Performance Tuning Basics for details). Examine the output of the show interfaces switching command to see which interface is burdened with traffic. You can check the show ip interface command to see which switching method(s) are used on each interface. Re-enable interrupt switching on that interface. Remember that regular fast switching is configured on output interfaces: if fast switching is configured on an interface, packets that go out of that interface are fast-switched. Cisco Express Forwarding switching is configured on input interfaces. To create Forwarding Information Base (FIB) and adjacency table entries on a particular interface, configure Cisco Express Forwarding switching on all interfaces that route to that interface.

  • Fast switching on the same interface is disabledIf an interface has a lot of secondary addresses or subinterfaces and there is a lot of traffic sourced from the interface and destined for an address on that same interface, then all of those packets are process-switched. In this situation, you should enable ip route-cache same-interface on the interface. When Cisco Express Forwarding switching is used, you do not need to enable Cisco Express Forwarding switching on the same interface separately.
  • Fast switching on an interface providing policy routing is disabledIf a route-map has been configured on an interface, and a lot of traffic is handled by the route-map, then the router process-switches this traffic. In this situation, you should enable ip route-cache policy on the interface. Check the restrictions mentioned in the “Enabling Fast-Switched Policy-Based Routing” section of .
  • Traffic that cannot be interrupt-switched arrivesThis can be any of the listed types of traffic. Click on linked items for more information.
    • Packets for which there is no entry yet in the switching cacheEven if fast, optimum, or Cisco Express Forwarding switching (CEF) is configured, a packet for which there is no match in the fast-switching cache or FIB and adjacency tables is processed. An entry is then created in the appropriate cache or table, and all subsequent packets that match the same criteria are fast, optimum, or CEF-switched. In normal circumstances, these processed packets do not cause high CPU utilization. However, if there is a device in the network which 1) generates packets at an extremely high rate for devices reachable through the router, and 2) uses different source or destination IP addresses, there is not a match for these packets in the switching cache or table, so they are processed by the IP Input process (if NetFlow switching is configured, source and destination TCP ports are checked against entries in the NetFlow cache as well). This source device can be a non-functional device or, more likely, a device attempting an attack.

      (*) Only with glean adjacencies. Refer to Cisco Express Forwarding documentation for more information about Cisco Express Forwarding adjacencies.

    • Packets destined for the routerThese are examples of packets destined for the router:
      • Routing updates that arrive at an extremely high rate. If the router receives an enormous amount of routing updates that have to be processed, this task might overload the CPU. Normally, this cannot happen in a stable network. The way you can gather more information depends on the routing protocol you have configured. However, you can start to check the output of the show ip route summary command periodically. Values that change rapidly are a sign of an unstable network. Frequent routing table changes mean increased routing protocol processing, which results in increased CPU utilization. For further information on how to troubleshoot this issue, refer to the Troubleshooting TCP/IP section of the Internetwork Troubleshooting Guide.
      • Any other kind of traffic destined for the router. Check who is logged on to the router and user actions. If someone is logged on and issues commands that produce long output, the high CPU utilization by the “IP input” process is followed by a much higher CPU utilization by the Virtual Exec process.
      • Spoof attack. To identify the problem, issue the show ip traffic command to check the amount of IP traffic. If there is a problem, the number of received packets with a local destination is significant. Next, examine the output of the show interfaces and show interfaces switching commands to check which interface the packets are coming in. Once you have identified the receiving interface, turn on ip accounting on the outgoing interface and see if there is a pattern. If there is an attack, the source address is almost always different, but the destination address is the same. An access list can be configured to solve the issue temporarily (preferably on the device closest to the source of the packets), but the real solution is to track down the source device and stop the attack.
    • Broadcast trafficCheck the number of broadcast packets in the show interfaces command output. If you compare the amount of broadcasts to the total amount of packets that were received on the interface, you can gain an idea of whether there is an overhead of broadcasts. If there is a LAN with several switches connected to the router, then this can indicate a problem with Spanning Tree.
    • IP packets with options
    • Packets that require protocol translation
    • Multilink Point-to-Point Protocol (supported in Cisco Express Forwarding switching)
    • Compressed trafficIf there is no Compression Service Adapter (CSA) in the router, compressed packets must be process-switched.
    • Encrypted trafficIf there is no Encryption Service Adapter (ESA) in the router, encrypted packets must be process-switched.
    • Packets that go through serial interfaces with X.25 encapsulationIn the X.25 protocol suite, flow control is implemented on the second Open System Interconnection (OSI) layer.
  • A lot of packets, that arrive at an extremely high rate, for a destination in a directly attached subnet, for which there is no entry in the Address Resolution Protocol (ARP) table. This should not happen with TCP traffic because of the windowing mechanism, but can happen with User Datagram Protocol (UDP) traffic. To identify the problem, repeat the actions suggested in order to track down a spoof attack.
  • A lot of multicast traffic goes through the router. Unfortunately, there is no easy way to examine the amount of multicast traffic. The show ip traffic command only shows summary information. However, if you have configured multicast routing on the router, you can enable fast-switching of multicast packets with the ip mroute-cache interface configuration command (fast-switching of multicast packets is off by default).
  • Router is oversubscribed. If the router is over-used and cannot handle this amount of traffic, try to distribute the load among other routers or purchase a high-end router.
  • IP Network Address Translation (NAT) is configured on the router, and lots of Domain Name System (DNS) packets go through the router. UDP or TCP packets with source or destination port 53 (DNS) are always punted to process level by NAT.
  • There are other packet types that are punted to processing.

Taken from Cisco Website.

a. rahman isnaini r. sutan

Make a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

2 Responses to “High CPU – IP Input on Cisco Router”

RSS Feed for tukang-tukang oprek Comments RSS Feed

hmp…..baru aja nemu kasus yg sama. hasil cisco output interpreter sama persis dengan di atas. tiap step dilakukan, tp gak ada yang signifikan. tp beres juga, intinya packet yang masuk diusahakan jangan berlama2 di proses oleh si router.

thx buat sharingnya yah.


Saya juga pernah ikutin satu2 langkahnya dari Cisco.
Meski ada yang turun, namun juga ada yang tidak effect.
Jadi nyari yang lain lagi đŸ˜¦

a. rahman isnaini r.sutan

Where's The Comment Form?

Liked it here?
Why not try sites on the blogroll...

%d bloggers like this: