CoPP policy *still* causes high CPU and drops transit traffic.

Hi,

We are trying to implement a CoPP policy on our edge router; at the moment it is placed in a lab to test the effects of the policy. I'm sending a large amount of traffic to ports 22, 443 and 80.

As a test, I have created a policy which rate limits tcp traffic on port 22, 443 and 80.

When we start testing we still see high CPU on the router:

Without CoPP:

Edge_RTR#show proc cpu sorted
CPU utilization for five seconds: 99%/86%; one minute: 92%; five minutes: 78%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  83      993468    110823       8964 11.11% 13.12%  7.80%   0 IP Input
  41      327488    641445        510  0.41%  0.84%  1.04%   0 COLLECT STAT COU
  36        4424    858843          5  0.16%  0.02%  0.00%   0 WLAN LED Timers
   4     1055336     57980      18201  0.08%  0.77%  0.82%   0 Check heaps
   2        1924     25761         74  0.08%  0.01%  0.00%   0 Load Meter
  77       11756   3970594          2  0.08%  0.03%  0.03%   0 ACCT Periodic Pr
 193         648    129232          5  0.08%  0.00%  0.00%   0 DHCP Client
   7           0         1          0  0.00%  0.00%  0.00%   0 Crash writer

CoPP policy applied:

Edge_RTR#show processes cpu sorted
CPU utilization for five seconds: 95%/92%; one minute: 73%; five minutes: 70%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  83      923992    107295       8611  1.63%  0.99%  4.97%   0 IP Input
  41      322040    640993        502  1.47%  1.16%  1.15%   0 COLLECT STAT COU
  27      419356    229495       1827  0.16%  0.35%  0.32%   0 Net Background
  77       11260   3967937          2  0.16%  0.07%  0.04%   0 ACCT Periodic Pr
 120        4704     10410        451  0.16%  0.11%  0.10%   0 TCP Timer
 121        4448      4538        980  0.08%  0.07%  0.07%   0 TCP Protocols
   6           0         2          0  0.00%  0.00%  0.00%   0 Timers
   5          72       117        615  0.00%  0.00%  0.00%   0 Pool Manager

Edge_RTR#show policy-map control-plane
 Control Plane

  Service-policy input: PMAP_CoPP

    Class-map: CMAP_CoPP (match-all)
      165556 packets, 28795230 bytes
      5 minute offered rate 616000 bps, drop rate 612000 bps
      Match: access-group name ACL_CoPP
      police:
          cir 50000 bps, bc 1562 bytes
        conformed 1383 packets, 231750 bytes; actions:
          transmit
        exceeded 164173 packets, 28563480 bytes; actions:
          drop
        conformed 34000 bps, exceed 4094000 bps

    Class-map: class-default (match-any)
      614942 packets, 106927321 bytes
      5 minute offered rate 1769000 bps, drop rate 0 bps
      Match: any
Edge_RTR#

From the above we can confirm the CoPP policy is being actioned, and the IP Input process has dropped from 11% to 1%, but we are still seeing high CPU on the router, which causes packet drops for traffic going through the router.

Any help would be appreciated, thank you.

John.

**************************************************************

Edge_RTR#show running-config
Building configuration...

Current configuration : 2432 bytes
!
! Last configuration change at 09:42:42 BST Sat Aug 23 2014 by Cisco
! NVRAM config last updated at 09:26:43 BST Sat Aug 23 2014 by Cisco
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Edge_RTR
!
boot-start-marker
boot-end-marker
!
logging buffered 20000000
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring 4 Sun Mar 2:00 4 Sun Oct 3:00
!
!
dot11 syslog
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name lab.local
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
class-map match-all CMAP_CoPP
 match access-group name ACL_CoPP
!
!
policy-map PMAP_CoPP
 class CMAP_CoPP
    police 50000 conform-action transmit
!
!
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet0
 switchport access vlan 99
 mac-address 001d.7029.4313
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan99
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list ACL_INSIDE interface Vlan99 overload
!
ip access-list standard ACL_INSIDE
 permit 192.168.3.0 0.0.0.255
!
ip access-list extended ACL_CoPP
 permit tcp any any eq 22
 permit tcp any any eq 443
 permit tcp any any eq www
!
!
!
control-plane host
!
control-plane cef-exception
!
!
control-plane
 service-policy input PMAP_CoPP
!
!
line con 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 logging synchronous
 transport input ssh
!
scheduler max-task-time 5000
no scheduler allocate
ntp clock-period 17175062
ntp server 217.114.59.66 source Vlan99
end

*******************************************************
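The two CPU captures in the post print the five-second figure as total/interrupt-level (for example 99%/86%); the interrupt-level part is CEF fast-path switching of transit packets, while only process-level work such as IP Input comes from packets punted to the control plane, which is all CoPP can police. As an added example that is not part of the original post, the Python below parses constructed copies of the posted header lines and IP Input rows to separate those two shares before and after the policy.

```python
import re

# Constructed sample input: the header line and the IP Input row from each of
# the two "show processes cpu sorted" captures quoted in the post above.
WITHOUT_COPP = """\
CPU utilization for five seconds: 99%/86%; one minute: 92%; five minutes: 78%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  83      993468    110823       8964 11.11% 13.12%  7.80%   0 IP Input
"""
WITH_COPP = """\
CPU utilization for five seconds: 95%/92%; one minute: 73%; five minutes: 70%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  83      923992    107295       8611  1.63%  0.99%  4.97%   0 IP Input
"""

# "99%/86%" reads as total CPU / CPU spent at interrupt level (CEF fast path).
HEADER_RE = re.compile(r"five seconds: (\d+)%/(\d+)%")
# Columns: PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
PROC_RE = re.compile(
    r"^\s*\d+\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+[\d.]+%\s+[\d.]+%\s+\S+\s+(.+?)\s*$", re.M)


def parse_cpu(text):
    """Split the 5-second CPU figure into interrupt-level and process-level."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no 'CPU utilization' header line found")
    total, interrupt = int(m.group(1)), int(m.group(2))
    return {
        "total": total,
        "interrupt": interrupt,               # transit packets switched by CEF
        "process_level": total - interrupt,   # punted / process-switched work
        "procs": {name: float(pct) for pct, name in PROC_RE.findall(text)},
    }


def copp_effect(before_text, after_text):
    """Compare two captures and report where the CPU load actually sits."""
    before, after = parse_cpu(before_text), parse_cpu(after_text)
    ip_before = before["procs"].get("IP Input", 0.0)
    ip_after = after["procs"].get("IP Input", 0.0)
    return {
        "interrupt": (before["interrupt"], after["interrupt"]),
        "ip_input": (ip_before, ip_after),
        # CoPP only polices packets punted to the control plane, so a lower
        # IP Input share with interrupt-level CPU unchanged means the
        # remaining load is transit traffic in the fast path, outside CoPP.
        "copp_cut_punted_load": ip_after < ip_before,
        "load_is_fast_path": after["interrupt"] >= 0.8 * after["total"],
    }
```

Running `copp_effect(WITHOUT_COPP, WITH_COPP)` on the posted captures shows the interrupt-level share going from 86% to 92% while IP Input falls from 11.11% to 1.63%, which is the signature of load that a control-plane policer cannot touch.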
