We have a 7200 VXR with an NPE-G2 processor. We have 150 branches connected over ATM, with QoS using NBAR for voice on it. When traffic rates go up, our CPU utilization is approximately 70%. What could be a problem with the services? Is there any fine tuning for this?
I would beg to differ a little bit over here. In my opinion, NBAR works pretty well for light traffic loads (around 50Mbps) and I doubt it would be suitable for any WAN Aggregation levels, the reason being the CPU utilization/hogging (NBAR requires Deep Packet Inspection) that might take place in high load conditions such as the case presented by you.
As Wilson documents, NBAR protocol matching can impact performance, although not all NBAR protocol matching has the same impact. Much would depend on how deeply a particular NBAR match needs to examine a packet and whether it keeps state information for it. (I.e. some NBAR is nothing more than port-based matching with a "pretty face". The reference Wilson provided used a mix of traffic types. The documented performance would likely change with a change in the traffic content and/or perhaps with a different sequence of match statements.)
Depending on the nature of your traffic, it's possible an ACL might introduce less overhead for equivalent matching.
The Turbo ACL feature is most useful when you have extensive ACLs, since I believe it reduces the impact of ACL sequence processing. (It's also very easy to activate with the "access-list compiled" command, if it's supported on your IOS.)
Similar to typical ACLs, NBAR matching performance impact might be decreased by careful ordering of match statements and/or perhaps by NetFlow caching.
Something else to consider: can the voice (or any other) traffic be classified and tagged before getting to the 7200? If you could trust VoIP markings, you might then only need to look at the ToS octet to identify them.
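The three voice classification options discussed in this thread, side by side as an IOS configuration sketch; this is an added example, not configuration posted by anyone in the thread. The class, ACL and policy names, the UDP range 16384-32767, the EF marking and the 30 percent priority value are all assumptions to adapt to the actual voice deployment.

```ios
! Added example. All names, the UDP port range, the EF marking and the
! priority percentage are assumptions, not values from the thread.
!
! Option A: NBAR classification (the setup in the question).
! The router inspects packet contents to recognise RTP audio.
class-map match-all VOICE-NBAR
 match protocol rtp audio
!
! Option B: trust markings applied before traffic reaches the 7200.
! Only the ToS octet is examined. Use this only if the branch devices
! that set the marking are under your control, otherwise any host can
! mark its own traffic EF and land in the priority queue.
class-map match-all VOICE-DSCP
 match ip dscp ef
!
! Option C: ACL-based matching on the voice UDP port range.
ip access-list extended VOICE-RTP
 permit udp any any range 16384 32767
!
class-map match-all VOICE-ACL
 match access-group name VOICE-RTP
!
! Turbo ACL, as mentioned above, if the IOS image supports it.
access-list compiled
!
! Reference exactly one of the three classes in the policy.
policy-map WAN-OUT
 class VOICE-DSCP
  priority percent 30
 class class-default
  fair-queue
!
! Compare CPU load and per-class match counters before and after:
!   show processes cpu sorted
!   show policy-map interface
```

Attaching the policy to the ATM PVCs is omitted here because it depends on the existing interface configuration.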