CPU usage "/tool profile" vs. "/system resources"

Hello,

I have a few RB1100 running full-table BGP (BGP sessions with 7 routers, only IBGP).

I’m doing ~100Mbps traffic currently and I have a few questions about CPU usage:

Question 1: I check the “/system resource”, I see:

[admin@rb1100-1] /system resource> print
… cpu-load: 26%

When I compare this with /tool profile, I get:

[admin@rb1100-1] > /tool profile duration=10
NAME USAGE
ethernet 0.5%
console 0.5%
firewall 4%
winbox 0%
management 1%
idle 86%
profiling 0.5%
queuing 7%
routing 0.5%
unclassified 0%

Where is this difference coming from?

Question 2: I do not use the queuing. But it adds ‘ethernet-default’ to all ethernet interfaces and ‘default’ to all vlan interfaces. Is it possible to disable queuing completely and save the CPU used this way?

Question 3: I only use the firewall to allow SSH and Winbox from some specific IPs, so this is only on the input chain:

/ip firewall filter
add action=accept chain=input disabled=no src-address=ip1
add action=accept chain=input disabled=no src-address=ip2
add action=accept chain=input disabled=no src-address=ip3
add action=accept chain=input disabled=no src-address=ip4
add action=reject chain=input disabled=no dst-port=8291 protocol=tcp reject-with=tcp-reset
add action=reject chain=input disabled=no dst-port=22 protocol=tcp reject-with=tcp-reset

Why is the firewall still using 4% CPU when there’s almost no traffic to the box itself, only FORWARD traffic?

Bump. Anybody have any idea regarding any of my questions?

Thanks for your answer, but that does not answer the questions,

1. Why is there an almost 100% difference in output of CPU usage between “/tool profile” and “/system resources”?
2. Can I disable queuing completely? If so, how?
3. Why is the firewall using 4% CPU when there’s only INPUT rules and just a few Kbps of traffic directly to the router?

1. do not know. I would strongly suspect only MT can tell you, from a supout.rif
2. no, you cannot.
3. ‘firewall’ likely includes connection tracking. You may be able to turn that off depending on what your router is used for. http://wiki.mikrotik.com/wiki/Manual:Connection_tracking lists the affected facilities, the most important one to be affected being NAT.

1. Ok, thank you, I’ll contact them.
2. Ok
3. connection tracking is disabled on this device. Any other idea?

Have you checked all the submenus under /ip firewall? Are there any nat or mangle rules, including dynamic ones (tcp mss adjustments on vpn links)?

And where do you see the difference in CPU Usage!?
From /system resource you have 26%
and from /tool profile you have 14%
The idle process taking 86% is just idle, doing nothing.
I wouldn’t agree that this is a office router, it’s very powerfull with 800MHz of CPU
in default, but can reach 1066MHz.

It is always a good idea to activate the graphs, so you can see how the router is performing
along the day, week, month and so on.

Where is this difference coming from?

I agree, there is no difference

This is the entire output:

[admin@rb1100-1] /ip firewall> export
# feb/22/2011 16:20:09 by RouterOS 5.0rc9
# software id = K5SQ-1FFG
#
/ip firewall connection tracking
set enabled=no generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=\
    10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input disabled=no dst-address=xx
add action=accept chain=input disabled=no src-address=xx
add action=accept chain=input disabled=no src-address=xx
add action=accept chain=input disabled=no src-address=xx
add action=accept chain=input disabled=no src-address=xx
add action=reject chain=input disabled=no dst-port=8291 protocol=tcp reject-with=tcp-reset
add action=reject chain=input disabled=no dst-port=22 protocol=tcp reject-with=tcp-reset
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
[admin@rb1100-1] /ip firewall>

See the attached picture.

profile says 93% idle (so, 7% in use)
resources says 21% in use.

This is a difference of 3 times.

From your attached picture I see CPU Frequency=1199MHz.
Is this a RB1100 or sth else?

As for the difference, could it be that the profiler is calculating the CPU usage
based on the average for a period of time? Just a guess, like in the graphs.

It’s an overclocked RB1100. But clocking it back to 800MHz makes no difference.

As for the difference, could it be that the profiler is calculating the CPU usage
based on the average for a period of time? Just a guess, like in the graphs.

The profiler is consistantly far lower than the total usage given by resources. If I watch it for a minute, profiler is never near or over resources.

In my RB1100 I see the option of overclocking up to 1066MHz, so
I don’t know how you get it to 1199MHz.
Have you activated the graphs? What do they show about the CPU?

I have same problem . There is huge difference between /tools profile and /system resources .
As you see in first image , /system resources shows 90% load for cpu0 but /tools profile shows 42.5% idle !!
in second image /system resources shows 96% load but /tools profile shows 63.5% idle for it !!

I have a rb1200 in a datacenter and was wondering about this despondency that im seeing too. After upgrading to 5.7 from 5.2, overall the router is using much less cpu (i was never maxing out before tho).

This is just a guess, but are these CPUS dual cores maybe? (my RB1200, which i bought a month ago, shows PowerPC 460GT as the CPU and shows CPU count as 1, but that doesnt mean there are not 2 cores).

Overall ive been very happy with the rackmount RB1200, i always though mikrotik needed a solid, powerful LAN only routerboard and it seems they are having success with this product.


tks

No, they are not dual core devices. The first dual core device that we will have, will be RB1100AHx2 (dual core indicated by x2)