Last edited by xupeng on 2015-4-19 21:23
Flexible NetFlow (FnF)
Traditional NetFlow fields in the NetFlow cache:
-Source / Destination IPv4 Address
-Source / Destination Port
-IP Protocol Type and ToS
-Input Interface
FnF fields:
-Extensive Layer 2 to 7 fields (e.g. IOS-XE 3.10S supports 40 fields)
-IPv4 and IPv6, ingress or egress
-Unicast, multicast and MPLS
==========
Configuring FnF
==========
Step 1: Configure the Flow Record
flow record MYRECORD
 description into_fnf_cache
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
Step 2 (optional): Configure the Flow Exporter
flow exporter MYEXPORT
 description to_netflow_collector
 destination 10.5.5.24 vrf netflow_vrf
 export-protocol netflow-v9
 source Loopback10
 transport udp 2055
Step 3: Associate the Record (and Exporter) with a Flow Monitor
flow monitor MYMONITOR
 description link_flow_monitor_and_record
 record MYRECORD
 exporter MYEXPORT
Step 4: Apply the monitor under the interface
interface GigabitEthernet 0/3/0
...
ip flow monitor MYMONITOR input
ip flow monitor MYMONITOR output
ip flow monitor MYMONITOR unicast
[Case study] Troubleshooting high CPU with FnF
Sup2T# show process cpu sorted
CPU utilization for five seconds: 65%/8%; one minute: 63%; five minutes: 61%
 PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
 310 30544 189234 81 47.12% 45.11% 45.23% 0 IP Input
//The high CPU is caused by the 'IP Input' process
Configuration on the Cat6500 Sup2T:
flow record copp-fnf-cef-in-rec
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect interface input
 collect counter packets
//Configure the FnF record: match the IPv4 L3 and L4 parameters (key fields) and collect the input interface and the packet counter (non-key fields)
flow monitor copp-fnf-cef-in
 record copp-fnf-cef-in-rec
//Associate the FnF record with the flow monitor
control-plane
 ip flow monitor copp-fnf-cef-in input
//Apply the monitor on the control plane
Monitoring control-plane traffic with FnF:
Sup2T# show flow monitor copp-fnf-cef-in cache sort counter packet
//Sort by the packet count of each flow. Some platforms do not have the 'sort' keyword.
Processed 5 flows
Aggregated to 5 flows
Showing the top 5 flows
IPV4 SOURCE ADDRESS: 192.168.40.50
IPV4 DESTINATION ADDRESS: 192.168.40.1
TRNS SOURCE PORT: 48827
TRNS DESTINATION PORT: 63
IP PROTOCOL: 17
interface input: Vl40
counter packets: 460983
A few seconds later:
Sup2T# show flow monitor copp-fnf-cef-in cache sort counter packet
IPV4 SOURCE ADDRESS: 192.168.40.50
IPV4 DESTINATION ADDRESS: 192.168.40.1
TRNS SOURCE PORT: 48827
TRNS DESTINATION PORT: 63
IP PROTOCOL: 17
interface input: Vl40
counter packets: 461181
//The counter keeps growing
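The two cache snapshots above are compared by eye. As an added example (not from the original post), the Python below parses cache output in that layout, ranks flows by counter growth between two snapshots taken a known interval apart, and renders the extended-ACL line that would select the top flow for a CoPP class. The two snapshots are constructed, and the parser assumes one 'FIELD: value' per line with flows separated by blank lines, as printed above.

```python
import re
from typing import Dict, List, Tuple

# Key fields of copp-fnf-cef-in-rec as they appear in the cache output.
KEY_FIELDS = ("IPV4 SOURCE ADDRESS", "IPV4 DESTINATION ADDRESS",
              "TRNS SOURCE PORT", "TRNS DESTINATION PORT", "IP PROTOCOL")
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 ]+?):\s+(\S+)\s*$")
PROTO_NAMES = {"6": "tcp", "17": "udp"}
FlowKey = Tuple[str, ...]

def parse_cache(text: str) -> Dict[FlowKey, int]:
    """Map each 5-tuple to its 'counter packets' value. Header lines such as
    'Processed 5 flows' carry no colon and are skipped."""
    flows: Dict[FlowKey, int] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip().upper()] = m.group(2)
        if "COUNTER PACKETS" in fields and all(k in fields for k in KEY_FIELDS):
            flows[tuple(fields[k] for k in KEY_FIELDS)] = int(fields["COUNTER PACKETS"])
    return flows

def rank_growth(before: Dict[FlowKey, int], after: Dict[FlowKey, int],
                interval_s: float) -> List[Tuple[FlowKey, int, float]]:
    """Rank flows present in both snapshots by packet growth (delta, pps).
    The steadily growing counter is what singles out the flow loading 'IP Input'."""
    rows = [(k, after[k] - before[k], (after[k] - before[k]) / interval_s)
            for k in before if k in after]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def acl_entry(key: FlowKey) -> str:
    """Extended-ACL line that selects this flow for a CoPP class-map."""
    src, dst, _sport, dport, proto = key
    return f"permit {PROTO_NAMES.get(proto, proto)} host {src} host {dst} eq {dport}"

def flow_text(src, dst, sport, dport, proto, pkts) -> str:
    """Build one constructed cache entry in the layout shown in the post."""
    return (f"IPV4 SOURCE ADDRESS: {src}\nIPV4 DESTINATION ADDRESS: {dst}\n"
            f"TRNS SOURCE PORT: {sport}\nTRNS DESTINATION PORT: {dport}\n"
            f"IP PROTOCOL: {proto}\ninterface input: Vl40\ncounter packets: {pkts}\n")

# Two constructed snapshots taken 4 seconds apart (not real device output).
SNAP1 = ("Processed 2 flows\nAggregated to 2 flows\nShowing the top 2 flows\n\n"
         + flow_text("192.168.40.50", "192.168.40.1", 48827, 63, 17, 460983) + "\n"
         + flow_text("192.168.40.2", "224.0.0.5", 0, 0, 89, 120))
SNAP2 = SNAP1.replace("packets: 460983", "packets: 461181").replace("packets: 120", "packets: 121")
```

Running rank_growth(parse_cache(SNAP1), parse_cache(SNAP2), 4.0) puts the UDP/63 flow first at 198 packets (49.5 pps), and acl_entry on its key yields the ACL line used in the CoPP class below.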
Once the flow has been identified, you can either (1) block it with an ACL or (2) rate-limit it in CoPP, which brings CPU utilization back down.
Controlling the offending traffic with CoPP:
Sup2T(config)#ip access-list extended UDP63
Sup2T(config-ext-nacl)#permit udp host 192.168.40.50 host 192.168.40.1 eq 63
Sup2T(config)#class-map TEST
Sup2T(config-cmap)#match access-group name UDP63
Sup2T(config)#policy-map policy-default-autocopp
Sup2T(config-pmap)#class TEST
Sup2T(config-pmap-c)#police rate 50 pps burst 10 packets
Sup2T# show policy-map control-plane input class TEST
 Control Plane Interface
 Service-policy input: policy-default-autocopp
 Hardware Counters:
 class-map: TEST (match-all)
 Earl in Slot 1:
 Earl in Slot 2:
 Software Counters:
Sup2T# show process cpu
CPU utilization for five seconds: 10%/8%;
//CPU utilization is back to normal