High CPU "DHCP receive and IP input process"

Unanswered Question
Feb 12th, 2007

Hi,

Yesterday, a USER MACHINE running windows xp flooded our LAN network. The log in our Core Switches/Routers shows a lot of logs regarding PIM-5-DRCHG:

001087: Feb 11 03:32:27.746 EST: %PIM-5-DRCHG: DR change from neighbor X.X.X.Z

to X.X.X.W on interface Vlan45 (vrf default)

001088: Feb 11 04:59:53.617 EST: %PIM-5-NBRCHG: neighbor X.X.X.W DOWN on

interface Vlan45 (vrf default) DR

Config for multicast on core routers

=====================================

ip multicast-routing

mls ip multicast flow-stat-timer 9

interface GigabitEthernet2/14

description AC29J01-28 G0/25

switchport

switchport access vlan 45

switchport mode access

no ip address

!

!

interface Loopback1

ip pim sparse-mode

!

interface Vlan45

ip pim sparse-mode

ip pim rp-address X.X.X.X

ip msdp peer X.X.X.Y connect-source Loopback0

ip msdp cache-sa-state

ip msdp originator-id Loopback0

The CPU on these routers reached 99%. THE TWO HIGH PROCESS WERE dhcp REVCEIVE AND IP INPUT.

We are running on the core switch, Catalyst 6509 with SUP 720 running native mode with IOS version 12.2 (18)SXF7.

Any idea how to prevent this in future.

THANKS

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
_TDHster_ Tue, 02/13/2007 - 00:55

Need to know what kind of traffic.

Stormcontrol or hard traffic filtering on access port.

tmesbah Thu, 02/15/2007 - 04:13

It was multicast traffic. After looking to client machine "event viewer in Windows XP", I was 1000 of messages regarding the NIC card and these message started at the same time when the we had the problem. These messages were about the NIC UP, NIC negociating to 100Mbps, NIC negociating 1000, NIC negaciating 10, NIC down, .......

The NIC setting in the machine is auto/auto and the same in the switch "Catalyst 2950" were it is connected to.

How a bad NIC a cause "like" a denial of service, the CPU of our router went to 99%.

fyi, multicast router is enabled.

Thanks

_TDHster_ Thu, 02/15/2007 - 23:54

Or with reocmmendation on previous post you may configure stormcontrol multicast with hard limitation on access port to filter near source of this traffic.

mihanlin Thu, 02/15/2007 - 04:29

Hello,

IP input is a generic process which handles process switching of packets. Normally, a 6500 should hardware switch all packets and therefore CPU would not go up.

In this case you had high amount of traffic being sent to the CPU for processing and making the processor run high.

We have a good feature called control plane policing which basically allows you to define a service policy to the control plane. This allows you to 'prioritise' and limit traffic coming into the processor and hence stop this happening again.

The site which explains it in more details is:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html

I hope this helps.

Michael

Cisco TAC

Rahul Narayan Sharma Tue, 06/24/2014 - 02:07

Hi ,

i have got 99% CPU utilization on my distribution switche.

Switch_6509-E#show process cpu sorted
CPU utilization for five seconds: 99%/21%; one minute: 99%; five minutes: 99%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 564    79927284 129968237        614 49.16% 49.43% 49.23%   0 DHCPD Receive    
 276    32843180 185673510        176 21.66% 21.45% 21.61%   0 IP Input         
 502     1124192   5205617        215  1.27%  0.68%  0.64%   0 Port manager per

 

the process DHCPD Receive utilizing total 50% cpu..., after taking the netdr output i found 2 endpoint (voip phone) are culprit.

after removing those endpoint CPU is came to 6% and now switch is stable.

 

can someone please help me understand the Root cause of this issue.

 

Thanks!

RNS

Actions

This Discussion