QoS causing router CPU utilization to rise

Angelo ANELLO
Level 1

Hi Guys,

We have recently implemented some QoS on our routers and I have noticed that the CPU usage has risen enormously as a result. Can someone advise if this is normal?

I checked the CPU Processes and found that the avg values are 50% usage.  This seems rather high considering that only 75% of our edge routers have this feature enabled. 

Our main router is a Cisco CISCO2911/K9 (revision 1.0) with 487424K/36864K bytes of memory.  Our edge routers are either 2801 models or 881 models.

This is our first implementation of QoS and I would like to ensure that it is working properly before implementing other QoS rules. Here is a copy of the config on the 2911 router:

class-map match-all Citrix
 match protocol citrix
class-map match-all Print
 match protocol printer
class-map match-all C-Coolingata
 match access-group name Coolingata
class-map match-all C-Hawthorn
 match access-group name Hawthorn
class-map match-all C-MonaVale
 match access-group name MonaVale
!
!
policy-map Shape2M
 class Citrix
  priority percent 80
  set dscp af41
 class Print
  bandwidth remaining percent 20
  set dscp af11
  random-detect
 class class-default
  bandwidth remaining percent 80
  random-detect
policy-map Global
 class C-Hawthorn
  shape average 2048000
  service-policy Shape2M
 class C-MonaVale
  shape average 2048000
  service-policy Shape2M
 class C-Coolingata
  shape average 2048000
  service-policy Shape2M
policy-map Shape4M
 class Citrix
  priority percent 80
  set dscp af41
 class Print
  bandwidth remaining percent 20
  set dscp af11
  random-detect
 class class-default
  bandwidth remaining percent 80
  random-detect
policy-map Shape1M
 class Citrix
  priority percent 80
  set dscp af41
 class Print
  bandwidth remaining percent 20
  set dscp af11
  random-detect
 class class-default
  bandwidth remaining percent 80
  random-detect
ip access-list extended Coolingata
 permit ip any 192.168.65.0 0.0.0.255
ip access-list extended Hawthorn
 permit ip any 192.168.76.0 0.0.0.255
ip access-list extended MonaVale
 permit ip any 192.168.34.0 0.0.0.255
int LAN0
 ip nbar protocol-discovery
int WAN
 service-policy output Global

Here is the config on our edge routers:

class-map match-any Citrix
 match access-group name Citrix-ACL
policy-map WAN
 class Citrix
  priority percent 80
  set dscp af41
 class class-default
  bandwidth remaining percent 100
  random-detect (or fair-queue, dependent on router type)
policy-map Global
 class class-default
  shape average 20480000 (number equal to the link speed)
  service-policy WAN
ip access-list extended Citrix-ACL
 permit tcp any 192.168.1.0 0.0.0.255 eq 1494
 permit tcp any 192.168.1.0 0.0.0.255 eq 1604
int WAN
 service-policy output Global

As you can see, we have different link speeds at different sites based on their size, location, etc.

Can anyone see any issues or be able to confirm that this config is correct?

Your help is appreciated.

Regards,
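An added sanity check, not from the post or from Cisco: a small Python linter over IOS MQC config text that reports class-maps whose ACL is never defined, class-maps that classify with NBAR "match protocol" (the CPU suspect the later replies discuss), and policy-maps that are defined but never attached to an interface, which is the state of the posted Shape4M and Shape1M. The config string is a constructed excerpt modelled on the 2911 config above, and the script assumes one level of parent/child nesting (Global -> Shape2M).

```python
import re

# Constructed excerpt modelled on the 2911 config in the post, trimmed so one class-map points at an undefined ACL.
SAMPLE_CONFIG = """\
class-map match-all Citrix
 match protocol citrix
class-map match-all C-MonaVale
 match access-group name MonaVale
policy-map Shape2M
 class Citrix
policy-map Shape4M
 class Citrix
policy-map Global
 class C-MonaVale
  service-policy Shape2M
interface WAN
 service-policy output Global
"""

def parse_qos(text):
    """Collect class-maps (their ACL/NBAR matches), ACLs, policy-maps (classes, nested policies), attached policies."""
    cmaps, acls, pmaps, applied, ctx = {}, set(), {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"class-map match-\w+ (\S+)$", line):
            ctx, cmaps[m[1]] = ("cmap", m[1]), []
        elif m := re.match(r"ip access-list \w+ (\S+)$", line):
            ctx = ("acl", m[1]); acls.add(m[1])
        elif m := re.match(r"policy-map (\S+)$", line):
            ctx, pmaps[m[1]] = ("pmap", m[1]), {"classes": [], "nested": []}
        elif ctx and ctx[0] == "cmap" and (m := re.match(r"match (access-group name|protocol) (\S+)$", line)):
            cmaps[ctx[1]].append(("acl" if m[1].startswith("access") else "nbar", m[2]))
        elif ctx and ctx[0] == "pmap" and (m := re.match(r"class (\S+)$", line)):
            pmaps[ctx[1]]["classes"].append(m[1])
        elif m := re.match(r"service-policy (?:input|output) (\S+)$", line):  # directional form only exists on interfaces
            applied.append(m[1])
        elif ctx and ctx[0] == "pmap" and (m := re.match(r"service-policy (\S+)$", line)):
            pmaps[ctx[1]]["nested"].append(m[1])
    return cmaps, acls, pmaps, applied

def lint_qos(text):
    """Report missing ACLs, NBAR-based class-maps and policy-maps never reachable from an interface."""
    cmaps, acls, pmaps, applied = parse_qos(text)
    issues = [f"class-map {c} references missing ACL {a}" for c, refs in cmaps.items() for k, a in refs if k == "acl" and a not in acls]
    issues += [f"class-map {c} classifies with NBAR (match protocol {p})" for c, refs in cmaps.items() for k, p in refs if k == "nbar"]
    # one level of parent/child nesting, which is what the posted Global -> Shape2M hierarchy uses
    reachable = set(applied) | {n for a in applied for n in pmaps.get(a, {"nested": []})["nested"]}
    for name, p in pmaps.items():
        if name not in reachable:
            issues.append(f"policy-map {name} is defined but never applied")
    return sorted(issues)
```

Run it on a saved "show running-config"; the NBAR finding is a pointer to where CPU may be going rather than proof, since some NBAR matches are no more than port matches, as a later reply notes.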

18 Replies

What command do you suggest instead of WRED?

The 2821 seems to be EoL, so the IOS is the latest available: c2800nm-advipservicesk9-mz.151-4.M7.bin

Just checked: 22% and 1 Mbps the whole night. IP Input 2%.

NAT with 5000 translations, a bunch of tunnels, NetFlow.

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

"What command do you suggest instead of WRED?"

Per class FQ.

"bunch of tunnels" ...

How many is a bunch? Running a dynamic routing protocol over them? Maybe control plane usage from that? This might be the type of question you would need to pursue with TAC.

Thanks for reminding me about tunnels. Did some RTFM:

http://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/qos-policing/10106-qos-tunnel.html

The qos pre-classify command can be used in order to classify traffic based on values other than IP precedence or DSCP.

You're right (as always). I removed "qos pre-classify" as excessive.

I shape egress traffic from Branch to HQ on the physical interface. Traffic going to the tunnel is already marked with DSCP and the tags are cloned to the IPSec packets.

I catch it on the HQ side and skip the unneeded classification, which saves some CPU:

class-map match-any Marked
 match protocol ipsec        <- should I use "match access-group (permit esp any any)"?
 match not dscp default

policy-map Mark              <- WAN & LAN combined input policy
 class Marked
 class Mark_Scavenger
  set dscp cs1
 class Mark_Streaming_Video
  set dscp cs4

<...>


"You're right (as always)." Laugh - alas, not always. In fact, there was the time I thought I made a mistake, but I was mistaken. ;)

"match protocol ipsec <- should i replace it with match access group (TCP 500)?"

Hard to say. NBAR is sometimes no more than a pretty face on an ACL, and as such, shouldn't use any more CPU, but it's a little clearer in the config what you're matching. (Somewhat similar to how some IOS versions will substitute service names for port numbers within ACLs, e.g. WWW for 80.)

Some NBAR does examine deeper than a port number, but sometimes that's important to truly identify the traffic you want.