Cisco Support Community
A Server Killing the CPU of a 6509 Switch

Hi all,

Thanks for reading this in the first place.

We are a hosting provider with over 600 dedicated servers.

We have 2x 6509 switches in the core network, and every single server has statically routed subnets to VLAN interfaces (SVIs).

- All ports on the switch have an ACL configured to allow traffic from ONLY certain subnets and to deny other types of packets.

- All ports on the switch are configured with port-security, only allowing 100 MAC addresses per port. This is because we have clients hosting VPSs.

- The port-security violation mode is shutdown, and it reactivates after 60 seconds.

This is the ACL configured on every port on the switch:

Extended IP access list INTERNALDEFENSE
    10 deny tcp any any fragments
    11 deny gre any any
    20 deny udp any any fragments
    30 deny icmp any any fragments
    40 deny ip any any fragments
    50 deny icmp any any redirect log
    60 deny icmp any any mask-request log
    70 permit ip 46.19.136.64 0.0.0.63 any
    71 permit ip 179.43.0.0 0.0.255.255 any (209 matches)
    80 permit ip 46.19.136.128 0.0.0.127 any
    90 permit ip 46.19.137.0 0.0.0.255 any (48501 matches)
    100 permit ip 46.19.138.0 0.0.0.255 any (5654 matches)
    101 permit ip 185.12.44.0 0.0.3.255 any (39831 matches)
    102 permit ip 154.57.64.0 0.0.15.255 any (21040 matches)
    110 permit ip 46.19.139.0 0.0.0.255 any (278 matches)
    120 permit ip 46.19.140.0 0.0.0.255 any (11451 matches)
    130 permit ip 46.19.141.0 0.0.0.255 any (3123363 matches)
    140 permit ip 46.19.143.0 0.0.0.255 any
    150 permit ip 31.7.56.0 0.0.7.255 any (10365564 matches)
    160 permit ip 81.17.16.0 0.0.15.255 any (2395368 matches)
    170 permit ip 31.44.189.0 0.0.0.255 any
    180 permit ip 141.255.160.128 0.0.0.127 any
    190 permit ip 141.255.161.0 0.0.0.255 any (295833 matches)
    200 permit ip 141.255.162.0 0.0.0.255 any
    210 permit ip 141.255.163.0 0.0.0.255 any (1009 matches)
    220 permit ip 141.255.164.0 0.0.0.255 any (264641 matches)
    230 permit ip 141.255.165.0 0.0.0.255 any
    240 permit ip 141.255.166.0 0.0.0.255 any
    250 permit ip 141.255.167.0 0.0.0.255 any
    260 deny ip any any (296 matches)

This is the configuration of the port itself:

interface GigabitEthernet0/1
 switchport access vlan 101
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 100
 switchport port-security
 switchport port-security mac-address sticky
 ip access-group INTERNALDEFENSE in
 shutdown
 speed 1000
 duplex full
 no cdp enable
end

Today we had a MAJOR issue, where a single server was able to cause 100% CPU utilization on one of the 6509 switches.

I ran the "show proc cpu" command DURING the event and AFTER the event.

I realized this was a server issue because of an event in the monitoring system, BUT I can't tell why and HOW this server is able to do this.

I have posted the details of the BEFORE and AFTER command results, so if someone out there has experience with this, they can probably provide some insight.

Thanks in advance.

Ezequiel Pineda

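The following is an added example and is not part of the original post or of Cisco's tooling. It parses "show ip access-lists" output and separates the ACEs a Catalyst 6500 completes in hardware from those it cannot: on this platform the PFC/DFC cannot generate syslog messages, so every packet matching an ACE that carries the "log" (or "log-input") keyword is punted to the route processor to be logged, and a flood aimed at such an ACE becomes CPU load instead of a line-rate hardware drop. The sample text is the INTERNALDEFENSE ACL posted above, copied verbatim; the function and class names (parse_acl, punted_aces, busiest, final_deny_logged, Ace) and the regular expressions are this example's own, not from the post. It does not diagnose the incident itself, since the "show proc cpu" output the poster refers to is not reproduced on the page.

```python
"""Classify ACEs in 'show ip access-lists' output by whether a Catalyst 6500
can enforce them in hardware. Added example; ACL_TEXT is the INTERNALDEFENSE
ACL from the post above, reproduced verbatim as sample input."""
import re
from dataclasses import dataclass
from typing import List, Tuple

ACL_TEXT = """\
Extended IP access list INTERNALDEFENSE
    10 deny tcp any any fragments
    11 deny gre any any
    20 deny udp any any fragments
    30 deny icmp any any fragments
    40 deny ip any any fragments
    50 deny icmp any any redirect log
    60 deny icmp any any mask-request log
    70 permit ip 46.19.136.64 0.0.0.63 any
    71 permit ip 179.43.0.0 0.0.255.255 any (209 matches)
    80 permit ip 46.19.136.128 0.0.0.127 any
    90 permit ip 46.19.137.0 0.0.0.255 any (48501 matches)
    100 permit ip 46.19.138.0 0.0.0.255 any (5654 matches)
    101 permit ip 185.12.44.0 0.0.3.255 any (39831 matches)
    102 permit ip 154.57.64.0 0.0.15.255 any (21040 matches)
    110 permit ip 46.19.139.0 0.0.0.255 any (278 matches)
    120 permit ip 46.19.140.0 0.0.0.255 any (11451 matches)
    130 permit ip 46.19.141.0 0.0.0.255 any (3123363 matches)
    140 permit ip 46.19.143.0 0.0.0.255 any
    150 permit ip 31.7.56.0 0.0.7.255 any (10365564 matches)
    160 permit ip 81.17.16.0 0.0.15.255 any (2395368 matches)
    170 permit ip 31.44.189.0 0.0.0.255 any
    180 permit ip 141.255.160.128 0.0.0.127 any
    190 permit ip 141.255.161.0 0.0.0.255 any (295833 matches)
    200 permit ip 141.255.162.0 0.0.0.255 any
    210 permit ip 141.255.163.0 0.0.0.255 any (1009 matches)
    220 permit ip 141.255.164.0 0.0.0.255 any (264641 matches)
    230 permit ip 141.255.165.0 0.0.0.255 any
    240 permit ip 141.255.166.0 0.0.0.255 any
    250 permit ip 141.255.167.0 0.0.0.255 any
    260 deny ip any any (296 matches)
"""

# seq, action, protocol, the rest of the ACE, and an optional "(N matches)" counter.
ACE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$"
)
NAME_RE = re.compile(r"^Extended IP access list (\S+)")

# Keywords whose matching packets the 6500 PFC punts to the route processor.
SOFTWARE_KEYWORDS = {"log", "log-input"}


@dataclass
class Ace:
    seq: int
    action: str
    protocol: str
    body: str      # everything after the protocol, e.g. "any any redirect log"
    matches: int   # hit counter shown by the CLI, 0 when none is printed

    @property
    def software_logged(self) -> bool:
        """True when the ACE carries a keyword that forces software logging."""
        return bool(SOFTWARE_KEYWORDS & set(self.body.split()))


def parse_acl(text: str) -> Tuple[str, List[Ace]]:
    """Return (ACL name, ACEs in order) from 'show ip access-lists' text."""
    name = ""
    aces: List[Ace] = []
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = ACE_RE.match(line)
        if not m:
            continue  # blank lines or anything that is not an ACE
        seq, action, proto, body, hits = m.groups()
        aces.append(Ace(int(seq), action, proto, body, int(hits or 0)))
    return name, aces


def punted_aces(aces: List[Ace]) -> List[int]:
    """Sequence numbers whose matching traffic is sent to the CPU for logging."""
    return [a.seq for a in aces if a.software_logged]


def busiest(aces: List[Ace], n: int = 3) -> List[Tuple[int, int]]:
    """Top-n (seq, matches) by hit counter, to see where traffic actually lands."""
    ranked = sorted(aces, key=lambda a: a.matches, reverse=True)
    return [(a.seq, a.matches) for a in ranked[:n]]


def final_deny_logged(aces: List[Ace]) -> bool:
    """True if the closing 'deny ip any any' is logged (a classic CPU sink)."""
    last = aces[-1]
    return last.action == "deny" and last.protocol == "ip" and last.software_logged


if __name__ == "__main__":
    acl_name, entries = parse_acl(ACL_TEXT)
    print(f"{acl_name}: {len(entries)} ACEs")
    print("software-logged ACEs (punted to CPU):", punted_aces(entries))
    print("busiest ACEs:", busiest(entries))
    print("final deny ip any any is logged:", final_deny_logged(entries))
```

Run against the posted ACL, the script reports that ACEs 50 and 60 (the "log" entries for ICMP redirects and mask requests) are the only ones whose matches leave the hardware path, that the closing "deny ip any any" at 260 is not logged, and that the bulk of the hit counters sits on the permit lines (150, 130, 160). Those two logged ACEs are the place a practitioner would look first when one host drives CPU on this platform, since a single server emitting ICMP redirects at a high rate would have every packet punted for logging; whether that is what happened here cannot be told from the page, because the before/after "show proc cpu" output is not reproduced in the post.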