Cisco 4510 High CPU due to ARP Input

83881463a
Level 1

Hello all,

I am facing this issue at my client.

During business hours, every 30 minutes, the CPU increases to 99%-100% due to the ARP Input process. Initially, it was the ARP snoop process, but we disabled the "ip device tracking" functionality on all the interfaces and this problem disappeared, but the other one arose.

The problem is that some clients lose connectivity during this high CPU moment, and this causes the application they are running to freeze.

We have configured authentication through ISE on the interfaces; if we unconfigure it, the problem of losing connectivity is solved, but we want to keep the authentication and I can find where the problem is.

Any suggestions?

The switch is in VSS mode with Cisco 4510 sup8, version IOS-XE 03.06.07.

Thank you in advance.

2 Replies

Reza Sharifi
Hall of Fame

Hi,

Can you post the ISE config on the switch?

Are you using an external device as your ISE server or the switch?

HTH

Hello Reza,

Here is the configuration:

- Global:

aaa group server radius ISE
 server 10.10.10.1 auth-port 1812 acct-port 1813
 server 10.10.10.2 auth-port 1812 acct-port 1813
aaa authentication dot1x default group ISE
aaa authorization config-commands
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE

aaa accounting send stop-record authentication failure vrf default
aaa accounting dot1x default start-stop group ISE
aaa accounting system default start-stop group ISE

aaa server radius dynamic-author
 client 10.10.10.1 server-key 7 014224291524140E2F4B1D
 client 10.10.10.2 server-key 7 075E036100260B04191558

ip port-map http port 8080

epm logging

dot1x system-auth-control

ip http server
ip http port 8080
ip http secure-server

ip access-list extended ACL-ALLOW
 permit ip any any

snmp-server host 10.10.10.1 version 2c XXXXXXXX
snmp-server host 10.10.10.2 version 2c XXXXXXXX

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.10.10.1 auth-port 1812 acct-port 1813 key 7 XXXXXX
radius-server host 10.10.10.2 auth-port 1812 acct-port 1813 key 7 XXXXXX
radius-server timeout 2
radius-server vsa send accounting
radius-server vsa send authentication

mac address-table notification change
mac address-table notification mac-move

- Interface:

interface GigabitEthernetX/Y/Z
 switchport access vlan X
 switchport mode access
 switchport voice vlan Y
 ip device tracking maximum 0
 ip access-group ACL-ALLOW in
 logging event link-status
 logging event trunk-status
 authentication host-mode multi-domain
 authentication open
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 180
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 auto qos voip cisco-phone
 dot1x pae authenticator
 dot1x timeout tx-period 10
 qos trust device cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AutoQos-4.0-Cisco-Phone-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy

I don't understand the question about using an external device as our ISE server. The RADIUS server is a Cisco ISE and the authentications go directly to it.

Hope this helps
