CCR2216-1G-12XS-2XQ High CPU Utilization

Hi,

I’ve deployed a CCR2216-1G-12XS-2XQ recently in my network and am using it as an edge router for customers with high BW requirements like 5 Gbps to 15 Gbps. The purpose of deploying this was to cater to clients which do not require any fancy routing (BGP for example) and only require us to provide them a P2P IP on a VLAN and route a static public IP pool towards them so that they can use the internet. I have configured around 9 customers on this CCR this way. I’ve applied traffic shaping for each customer using the firewall->filter rules with the “Extra->Limit” option, since all customers range between 5 Gbps and 15 Gbps and I don’t think simple queues will be able to handle the stress. Plus this is less CPU hungry in my experience. I’ve connected this CCR’s 1st XQ interface to my core router, from where the internet is accessible, and the 2nd XQ interface to a switch where all customers are aggregated on VLANs and transported to the CCR on this port via trunk. Both the XQ interfaces have 40G SFPs installed instead of 100G. The aggregate traffic on this CCR is only around 30 Gbps but somehow this CCR has its CPU utilization at 75-80% (with l3hw offloading enabled), which is scaring me. If I disable the l3hw offload, the CPU utilization jumps to 90%. I checked what is causing the high CPU utilization and found that networking is taking up 23% of the CPU. There is no BGP running on this CCR and no connection tracking enabled. Just OSPF enabled for the core router connectivity and that’s it. I’m not sure if I have made a wise investment in this CCR, as I was hoping I could shift all my high capacity customers onto it, but the way its CPU is behaving, I’m scared to put load on it. The OS version on it right now is 7.14.1. Can anyone guide me and share their feedback on this, or say if they have observed the same behavior in such an environment?

It’s not fully l3hw offloaded if you are directing traffic to the firewall filter rules.
Users must choose either HW-accelerated routing or firewall. Firewall rules get processed by the CPU.

Perform rate limiting on the customer facing switch and ensure that the bridge & VLANs are set up properly on the 2216 and all ports have l3hw offload enabled. If it’s truly offloaded it won’t be hitting your 2216 firewall and you will see no impact to CPU for traffic. I can tap out my 2116 with no CPU impact with everything offloaded properly.

Hi,

I cannot perform rate limiting on the customer facing switch. The purpose of deploying the CCR2216 was to perform rate limiting on the SVI of each customer in the CCR. The customer facing switch is a Nexus 3K, which is not efficient at performing rate limiting on VLANs. If there is no capping involved, maybe the CPU will not go that high, but since capping is to be done, what other option do I have to make the CCR a bit less CPU hungry?

Hi,

Just to update on this, I re-configured the CCR with the physical interface and the WAN and customer VLANs on a bridge. I tagged the VLANs on the bridge and physical interface, and configured the rest as before: a P2P IP on each customer VLAN with static routing of public pools towards the respective customer P2P IP. Traffic shaping is done using the same firewall filter rule. But the CPU has still not improved. In order to further check this, I enabled L3 Hw Offloading in “Switch->Switch1”, and the CPU came down to near 0%, but with 2 downsides:

  1. Before enabling L3 Hw Offloading, since all customers have separate VLANs and we have VLAN interfaces to check traffic, we mapped each customer VLAN interface to graph the traffic utilized by them. After enabling L3 Hw Offloading, customers remained running but the traffic disappeared from the customers’ VLAN interfaces; for example, the traffic of a customer utilizing 4G came down to 170 Kbps. Note that the customer was still running and utilizing the 4G traffic.
  2. After enabling L3 Hw Offloading, the firewall->filter rules using the “Extra->Limit” option are not working since no traffic is going towards them, and customers are running uncapped.

What am I missing? Please help.

Can you share your config?

This high CPU usage does not really make any sense, and from what I could gather from the info you provided, the setup is quite simple.

/export hide-sensitive