NetFlow v9 cause high CPU on 2911

johnlloyd_13
Level 9

Hi,

We recently enabled NetFlow for our Arbor DDoS mitigation on our internet gw.

We're getting constant alerts for high CPU after it was enabled.

The high CPU spikes only happen on a 2911 but not on our ASR1K.

 

2911#sh proc cpu sort

CPU utilization for five seconds: 91%/88%; one minute: 59%; five minutes: 66%
PID Runtime(uS) Invoked uSecs 5Sec 1Min 5Min TTY Process
11 4072251936 2434280 61662 1.28% 0.15% 0.07% 0 Licensing Auto U
5 2238489856 19808645 3148 0.80% 0.09% 0.06% 0 Check heaps
114 1889036448 541061350 98 0.24% 0.16% 0.15% 0 IP Input
201 382570816 129755784 135 0.16% 0.06% 0.06% 0 TPLUS

<SNIP>

 

2911#sh proc cpu sort | ex 0.00
CPU utilization for five seconds: 54%/53%; one minute: 61%; five minutes: 65%
PID Runtime(uS) Invoked uSecs 5Sec 1Min 5Min TTY Process
278 932000 218 4275 0.39% 0.55% 0.13% 391 SSH Process
114 1890060448 541063569 98 0.31% 0.22% 0.18% 0 IP Input
273 3253365632 145028088 259 0.07% 0.06% 0.06% 0 SNMP ENGINE
271 2208534816 289845438 66 0.07% 0.04% 0.04% 0 IP SNMP
201 382878816 129756272 135 0.07% 0.06% 0.06% 0 TPLUS
23 1044000 513 2035 0.07% 0.06% 0.06% 388 SSH Process

 

1) Is the 2911 capable of handling NetFlow?

interface GigabitEthernet0/1
description ### ISP WAN ###
bandwidth 100000
ip address <IP> 255.255.255.252
ip flow monitor NETFLOW sampler sampler-1-in-1000 input

 

2) Can I tweak the sampling rate to "lower" down the CPU?

sampler SAMPLER-1-in-1000
mode random 1 out-of 1000

 

3) Do I need to upgrade the IOS? Or upgrade the HW to an ASR?

2911#sh ver
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1)

 

1 Reply

Hello,

 

Your IOS (as you have indicated yourself) is rather outdated; try and upgrade to 15.7.3M5 MD.

 

That's not a guarantee that v9 will max out your CPU, as the 2911 is less powerful than the ASR1K. Is using the 'old' ip flow-export an option at all?
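
An added example, not part of the original thread: in the "CPU utilization for five seconds: 91%/88%" header, the first figure is total CPU and the second is the share spent at interrupt level (packet switching), which is why no listed process accounts for the load. The parser below separates the two for the first capture posted above; the function name analyze and the 0.8 threshold are assumptions for illustration.

```python
import re

# Constructed sample: the first "sh proc cpu sort" capture from the post above.
SAMPLE = """\
CPU utilization for five seconds: 91%/88%; one minute: 59%; five minutes: 66%
PID Runtime(uS) Invoked uSecs 5Sec 1Min 5Min TTY Process
11 4072251936 2434280 61662 1.28% 0.15% 0.07% 0 Licensing Auto U
5 2238489856 19808645 3148 0.80% 0.09% 0.06% 0 Check heaps
114 1889036448 541061350 98 0.24% 0.16% 0.15% 0 IP Input
201 382570816 129755784 135 0.16% 0.06% 0.06% 0 TPLUS
"""

# Header: total% / interrupt-level% for 5 s, then 1 min and 5 min averages.
HEADER = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%")
# Process row: PID Runtime Invoked uSecs 5Sec 1Min 5Min TTY Process-name
ROW = re.compile(
    r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%"
    r"\s+\d+\s+(.+?)\s*$")


def analyze(text, interrupt_share=0.8):
    """Split 5-second CPU into interrupt-level and process-level load.

    interrupt_share is an assumed cut-off (not a Cisco value): when at least
    that fraction of total CPU is interrupt-level, the load comes from
    forwarding traffic, not from any process in the table.
    """
    m = HEADER.search(text)
    if not m:
        raise ValueError("no CPU utilization header found")
    total, interrupt, one_min, five_min = map(int, m.groups())
    procs = []
    for line in text.splitlines():
        r = ROW.match(line)
        if r:
            procs.append((r.group(5), float(r.group(2))))
    procs.sort(key=lambda p: p[1], reverse=True)
    return {
        "total_5s": total,
        "interrupt_5s": interrupt,
        "process_5s": total - interrupt,  # CPU attributable to processes
        "one_min": one_min,
        "five_min": five_min,
        "listed_process_sum": round(sum(p[1] for p in procs), 2),
        "top_process": procs[0] if procs else None,
        "interrupt_bound": total > 0 and interrupt / total >= interrupt_share,
    }
```

On the posted capture this reports 3% process-level CPU against 88% interrupt-level, so the load tracks packets crossing the interface rather than any process in the table.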