Solved: Re: Input errors and Flush errors

vyas.nilay · ‎10-19-2020

Hi,

My internet router interface is getting lot of flush and input errors. There is no drops and bandwdith is not reaching to the max which is 500 Mbps.

Can anyone please guide me the way forward?

GigabitEthernet0/2 is up, line protocol is up
MTU 1500 bytes, BW 500000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 24/255, rxload 45/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 1Gbps, media type is RJ45
output flow-control is unsupported, input flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 1y48w
Input queue: 0/75/0/25559 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: Class-based queueing
Output queue: 0/1000/0 (size/max total/drops)
30 second input rate 88878000 bits/sec, 14915 packets/sec
30 second output rate 47842000 bits/sec, 9490 packets/sec
2226433195 packets input, 811461816 bytes, 0 no buffer
Received 2065957 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
514469275 input errors, 0 CRC, 0 frame, 514469275 overrun, 0 ignored
0 watchdog, 2015475 multicast, 0 pause input
4007073347 packets output, 748372088 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
2015475 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out

--------------

Cisco CISCO2921/K9 (revision 1.0) with 487424K/36864K bytes of memory

ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)

uptime is 6 years, 6 weeks, 4 days, 22 hours, 56 minutes
System returned to ROM by power-on
System image file is "flash0:c2900-universalk9-mz.SPA.152-4.M6.bin"
Last reload type: Normal Reload
Last reload reason: power-on

-----------------------------------------------

interface GigabitEthernet0/2

bandwidth 500000
ip vrf forwarding Intneret
IP address << ommited>>

ip access-group 111 in
no ip redirects
no ip unreachables
no ip proxy-arp
load-interval 30
duplex full
speed 1000
no cdp enable
service-policy output wan_out_500M
end

----------------------

Extended IP access list 111
10 deny 53 any any
20 deny 55 any any
30 deny 77 any any
40 deny pim any any (3 matches)
50 deny ip 10.0.0.0 0.255.255.255 any (64295 matches)
60 deny ip 127.0.0.0 0.255.255.255 any (1 match)
70 deny ip 172.16.0.0 0.15.255.255 any (10567 matches)
80 deny ip 192.168.0.0 0.0.255.255 any (14979 matches)
90 deny ip 192.161.128.0 0.0.0.255 any
100 deny ip 192.0.2.0 0.0.0.255 any
120 deny udp any any eq snmp (442209 matches)
130 deny udp any any eq snmptrap (7564 matches)
140 permit ip any any (1983417667 matches)

-----------------------------------------------

Policy Map wan_out_500M
Class class-default
Average Rate Traffic Shaping
cir 499872000 (bps) bc 1999488 (bits) be 0 (bits)
queue-limit 5000 packets

Service-policy output: wan_out_500M

Class-map: class-default (match-any)
227347888973 packets, 217216065368423 bytes
30 second offered rate 46131000 bps, drop rate 0000 bps
Match: any
Queueing
queue limit 5000 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 227347887305/217216064390060
shape (average) cir 499872000, bc 1999488, be 0
target shape rate 499872000

Thank you,

Nilay Vyas.

balaji.bandi · ‎10-20-2020

Cisco CISCO2921/K9 - i wont believe this model support kind of throughput you looking to achieve, so you need to upgrade this router.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Leo Laohoo · ‎10-19-2020

2921 is not meant to support >100 Mbps.

4451/4461 is ideally suited for >500 Mbps.

Cisco 4000 Family Integrated Services Router

balaji.bandi · ‎10-20-2020

Cisco CISCO2921/K9 - i wont believe this model support kind of throughput you looking to achieve, so you need to upgrade this router.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Georg Pauwen · ‎10-20-2020

Hello.

--> uptime is 6 years, 6 weeks, 4 days, 22 hours, 56 minutes

The first thing I would do is reboot the router. 6 years of uptime is massive.

Also, post the full running configuration of the router (sh run).

Joseph W. Doherty · ‎10-20-2020

Cisco only recommends as 2921 for up to 50 Mbps WAN (i.e. duplex) links. So, although the 2921 can do more, sometimes much more, your fundamental problem is, the 2921 cannot handle ingress gig bursts, hence the flushes and overrun errors.

A couple of things that might help include increasing the g0/2's in queue (a lot) and do anything possible to reduce processing load, especially on the ingress traffic.

For example, what might be done to "improve" ACL 111 or do you even really need it? (My questioning whether you really need is because I wonder if you might have a FW behind the router. If not, can the next inline device do this ACL?)

Or, perhaps something like "ip verify unicast reverse-path" might be used on this interface, although I'm unsure it's more "efficient" than the ACL.

If you do keep the ACL, at least you can do the "old" place ACL's ACEs, where logic allows, in descending "hit" count sequence.

Enabling "compiled ACLs" might also help, but don't think that's a feature on your 2921.

vyas.nilay · ‎10-21-2020

I found a WS-C3850-24T.. external DMZ in the network.. I will create interent VRF and terminate the connection on that switch.

I think this should do the trick.

Thank you every one for your help and support.

Nilay Vyas.