High CPU "DHCP receive and IP input process"

tmesbah
Level 1

Hi,

Yesterday, a user machine running Windows XP flooded our LAN network. The log in our core switches/routers shows a lot of logs regarding PIM-5-DRCHG:

001087: Feb 11 03:32:27.746 EST: %PIM-5-DRCHG: DR change from neighbor X.X.X.Z to X.X.X.W on interface Vlan45 (vrf default)

001088: Feb 11 04:59:53.617 EST: %PIM-5-NBRCHG: neighbor X.X.X.W DOWN on interface Vlan45 (vrf default) DR

Config for multicast on core routers
=====================================
ip multicast-routing
mls ip multicast flow-stat-timer 9
interface GigabitEthernet2/14
 description AC29J01-28 G0/25
 switchport
 switchport access vlan 45
 switchport mode access
 no ip address
!
!
interface Loopback1
 ip pim sparse-mode
!
interface Vlan45
 ip pim sparse-mode
ip pim rp-address X.X.X.X
ip msdp peer X.X.X.Y connect-source Loopback0
ip msdp cache-sa-state
ip msdp originator-id Loopback0

The CPU on these routers reached 99%. The two high processes were DHCP Receive and IP Input.

On the core switch we are running a Catalyst 6509 with SUP 720 in native mode with IOS version 12.2(18)SXF7.

Any idea how to prevent this in the future?

THANKS

6 Replies

_TDHster_
Level 1

Need to know what kind of traffic.

Stormcontrol or hard traffic filtering on access port.

It was multicast traffic. After looking at the client machine's "Event Viewer" in Windows XP, I saw 1000s of messages regarding the NIC card, and these messages started at the same time as we had the problem. These messages were about the NIC up, NIC negotiating to 100 Mbps, NIC negotiating 1000, NIC negotiating 10, NIC down, ...

The NIC setting in the machine is auto/auto, and the same in the switch (Catalyst 2950) where it is connected.

How can a bad NIC cause "like" a denial of service? The CPU of our router went to 99%.

FYI, multicast router is enabled.

Thanks

Or, with the recommendation in the previous post, you may configure storm control for multicast with a hard limit on the access port, to filter this traffic near its source.

mihanlin
Level 1

Hello,

IP input is a generic process which handles process switching of packets. Normally, a 6500 should hardware switch all packets and therefore CPU would not go up.

In this case you had high amount of traffic being sent to the CPU for processing and making the processor run high.

We have a good feature called control plane policing which basically allows you to define a service policy to the control plane. This allows you to 'prioritise' and limit traffic coming into the processor and hence stop this happening again.

The site which explains it in more detail is:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html

I hope this helps.

Michael

Cisco TAC

Hi,

I have got 99% CPU utilization on my distribution switch.

Switch_6509-E#show process cpu sorted
CPU utilization for five seconds: 99%/21%; one minute: 99%; five minutes: 99%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 564    79927284 129968237        614 49.16% 49.43% 49.23%   0 DHCPD Receive    
 276    32843180 185673510        176 21.66% 21.45% 21.61%   0 IP Input         
 502     1124192   5205617        215  1.27%  0.68%  0.64%   0 Port manager per


The DHCPD Receive process is utilizing a total of 50% CPU. After taking the netdr output, I found 2 endpoints (VoIP phones) are the culprit.

After removing those endpoints, the CPU came to 6% and now the switch is stable.

Can someone please help me understand the root cause of this issue?


Thanks!

RNS

When you have an IP helper configured on an SVI/L3 interface and some user is flooding DHCP discover messages, they will be punted to the CPU for processing (since the switch will need to generate the packet as a unicast DHCP). When that user doesn't get an IP or stop flooding the discover messages, then you will see this process utilizing the CPU.

In some instances it could be a user being faulty, or a bug on the switch where the IP helper is not passing on the DHCP packets to the server (maybe a non-existing DHCP server?).
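
Added example, not part of the thread or any poster's code: a Python triage of the `show process cpu sorted` output quoted above. It reads the total/interrupt split from the header and lists the processes that stay hot over five minutes. The `HINTS` table and the 10% threshold are assumptions of this example, worded from what the replies say about each process.

```python
import re

# Sample input: the "show process cpu sorted" output quoted in the thread above.
SAMPLE = """\
CPU utilization for five seconds: 99%/21%; one minute: 99%; five minutes: 99%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 564    79927284 129968237        614 49.16% 49.43% 49.23%   0 DHCPD Receive
 276    32843180 185673510        176 21.66% 21.45% 21.61%   0 IP Input
 502     1124192   5205617        215  1.27%  0.68%  0.64%   0 Port manager per
"""

HEADER = re.compile(r"five seconds: (\d+)%/(\d+)%; one minute: (\d+)%; five minutes: (\d+)%")
ROW = re.compile(r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+\d+\s+(.+?)\s*$")

# Hypothetical hint table (an assumption of this example), based on the replies.
HINTS = {
    "DHCPD Receive": "DHCP punted to CPU; look for clients flooding discovers behind an ip helper",
    "IP Input": "packets are being process-switched; identify the traffic reaching the CPU",
}

def parse_cpu(text):
    """Return (summary, rows) parsed from 'show process cpu sorted' output."""
    m = HEADER.search(text)
    if not m:
        raise ValueError("no 'CPU utilization' header found")
    total, intr, one_min, five_min = map(int, m.groups())
    # In "99%/21%" the first figure is total CPU and the second is interrupt-level CPU.
    summary = {"total_5s": total, "interrupt_5s": intr,
               "process_5s": total - intr, "one_min": one_min, "five_min": five_min}
    rows = []
    for line in text.splitlines():
        r = ROW.match(line)
        if r:
            rows.append({"pid": int(r.group(1)), "5s": float(r.group(2)),
                         "1m": float(r.group(3)), "5m": float(r.group(4)),
                         "name": r.group(5)})
    return summary, rows

def triage(text, threshold=10.0):
    """List processes at or above `threshold` percent in both the 5 s and 5 min columns."""
    summary, rows = parse_cpu(text)
    # Requiring both columns keeps a short spike from being flagged.
    hot = [r for r in rows if r["5s"] >= threshold and r["5m"] >= threshold]
    return summary, [(r["name"], r["5m"], HINTS.get(r["name"], "no hint")) for r in hot]

if __name__ == "__main__":
    summary, findings = triage(SAMPLE)
    print(summary)
    for name, pct, hint in findings:
        print(f"{name}: {pct}% over 5 min -> {hint}")
```
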
