02-12-2007 09:12 AM - edited 03-05-2019 02:18 PM
Hi,
Yesterday, a USER MACHINE running windows xp flooded our LAN network. The log in our Core Switches/Routers shows a lot of logs regarding PIM-5-DRCHG:
001087: Feb 11 03:32:27.746 EST: %PIM-5-DRCHG: DR change from neighbor X.X.X.Z
to X.X.X.W on interface Vlan45 (vrf default)
001088: Feb 11 04:59:53.617 EST: %PIM-5-NBRCHG: neighbor X.X.X.W DOWN on
interface Vlan45 (vrf default) DR
Config for multicast on core routers
=====================================
ip multicast-routing
mls ip multicast flow-stat-timer 9
interface GigabitEthernet2/14
description AC29J01-28 G0/25
switchport
switchport access vlan 45
switchport mode access
no ip address
!
!
interface Loopback1
ip pim sparse-mode
!
interface Vlan45
ip pim sparse-mode
ip pim rp-address X.X.X.X
ip msdp peer X.X.X.Y connect-source Loopback0
ip msdp cache-sa-state
ip msdp originator-id Loopback0
The CPU on these routers reached 99%. THE TWO HIGH PROCESS WERE dhcp REVCEIVE AND IP INPUT.
We are running on the core switch, Catalyst 6509 with SUP 720 running native mode with IOS version 12.2 (18)SXF7.
Any idea how to prevent this in future.
THANKS
02-13-2007 12:55 AM
Need to know what kind of traffic.
Stormcontrol or hard traffic filtering on access port.
02-15-2007 04:13 AM
It was multicast traffic. After looking to client machine "event viewer in Windows XP", I was 1000 of messages regarding the NIC card and these message started at the same time when the we had the problem. These messages were about the NIC UP, NIC negociating to 100Mbps, NIC negociating 1000, NIC negaciating 10, NIC down, .......
The NIC setting in the machine is auto/auto and the same in the switch "Catalyst 2950" were it is connected to.
How a bad NIC a cause "like" a denial of service, the CPU of our router went to 99%.
fyi, multicast router is enabled.
Thanks
02-15-2007 11:54 PM
Or with reocmmendation on previous post you may configure stormcontrol multicast with hard limitation on access port to filter near source of this traffic.
02-15-2007 04:29 AM
Hello,
IP input is a generic process which handles process switching of packets. Normally, a 6500 should hardware switch all packets and therefore CPU would not go up.
In this case you had high amount of traffic being sent to the CPU for processing and making the processor run high.
We have a good feature called control plane policing which basically allows you to define a service policy to the control plane. This allows you to 'prioritise' and limit traffic coming into the processor and hence stop this happening again.
The site which explains it in more details is:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html
I hope this helps.
Michael
Cisco TAC
06-24-2014 02:07 AM
Hi ,
i have got 99% CPU utilization on my distribution switche.
Switch_6509-E#show process cpu sorted
CPU utilization for five seconds: 99%/21%; one minute: 99%; five minutes: 99%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
564 79927284 129968237 614 49.16% 49.43% 49.23% 0 DHCPD Receive
276 32843180 185673510 176 21.66% 21.45% 21.61% 0 IP Input
502 1124192 5205617 215 1.27% 0.68% 0.64% 0 Port manager per
the process DHCPD Receive utilizing total 50% cpu..., after taking the netdr output i found 2 endpoint (voip phone) are culprit.
after removing those endpoint CPU is came to 6% and now switch is stable.
can someone please help me understand the Root cause of this issue.
Thanks!
RNS
04-17-2018 01:59 AM
When you have an ip helper configured on an SVI/L3 interface and some user is flooding DHCP discover messages, they will be punted to the CPU for processing (since the switch will need to generate the packet as a unicast DHCP). when that user doesn't get an ip or stop flooding the discover messages then you will see this process utilizing the CPU.
in some instances it could be a user being faulty, or a bug on the switch where the IP helper is not passing on the DHCP packets to the server (maybe non existing DHCP server?).
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: