Got it
Enterprise
Community Forums Switches
IGMP CPU-Defend - Issue

IGMP CPU-Defend - Issue

Created: Nov 10, 2019 00:46:33Latest reply: Dec 19, 2019 14:38:32 2322 14 0 0
  Rewarded HiCoins: 0 (problem resolved)
display all floors #1

Hello Guys,


I've been working on Switch S5720 as a PE switch, providing multicast service to our clients, that network is set up with PIM protocol.

So, a few days I've noticed that the cpu is quit high and some breakdown in this service, and the streaming sometimes stop being transmitted for few seconds.

In this case I tried to set up car cir to igmp protocol and change the default option to 256 until 1024, also the auto-port-defend option, but without successful, nonetheless, I still can see the message below pulled up on logbuffer;


%%01DEFD/4/CPCAR_DROP_LPU(l)[5]:Rate of packets to cpu exceeded the CPCAR limit on the LPU in slot 0. (Protocol=igmp, CIR/CBS=512/96256, ExceededPacketCount=439)

%01DEFD/4/CPCAR_DROP_MPU(l)[6]:Rate of packets to cpu exceeded the CPCAR limit on the MPU. (Protocol=igmp, CIR/CBS=256/48128, ExceededPacketCount=29113)

%%01SECE/3/QUEUE_DROP(l)[7]:Rate of packets to cpu exceeded the QUEUE limit. (SlotId=0, Queue0DropNumber=0, Queue1DropNumber=251, Queue2DropNumber=0, Queue3DropNumber=11969, Queue4DropNumber=0, Queue5DropNumber=0, Queue6DropNumber=0, Queue7DropNumber=0)


And then,  I still can see the issue on the screen, such as black screen caused by traffic stopped for couple seconds.


Does anyone have any ideia to solve that question on IGMP traffic?

igmpHigh CPUdefend
  • x
  • convention:

I have this problem too (0) Favorite(0) Share Report
Previous: Port type hybrid
Next: Switch S5720-SI interface getting output errors and discord the packets.
Featured Answers

Recommended answer

(0) (0)
chenhui
Admin Created Nov 12, 2019 01:26:07 Helpful(0) Helpful(0)

@welisson_br well, if you confirm that the high cpu usage is caused by the massive igmp join/leave packets, this is a normal scene, you are kindly advised to check if there are too many multicast users connected to the switch? Also, you can optimize the network.
View more
  • x
  • convention:

welisson_br
welisson_br Created Nov 12, 2019 14:29:08
Hi Chenhui,

Yep I have almost 2k multicast users connected on this switch.

I really haven't found any place informed about the real limit this switch about multicast stream. have you?

Cheers  
All Answers
DDSN
DDSN Admin Created Nov 10, 2019 02:19:01 Helpful(0) Helpful(0)

1.Run the auto-defend enable command to configure attack source tracing. If a possible attack source is detected, check on the network to determine whether it is a real attack source.
2.If a real attack source exists, run the blacklist command to add the attack source to the blacklist or run the auto-defend action command to configure a punish action for the attack source. If no attack source exists, run the car command to increase the CPCAR value properly.
NOTE:Improper CPCAR settings will affect services on your network. If you need to adjust CPCAR settings, you are advised to contact technical support personnel for help.
View more
  • x
  • convention:

welisson_br
welisson_br Created Nov 10, 2019 15:13:52
Hi DDSN,

I  
welisson_br
welisson_br Created Nov 10, 2019 15:16:45
Hi DDSN,

I've already done it as you can see below;

cpu-defend policy igmpdefend
car packet-type igmp cir 512
auto-port-defend protocol igmp threshold 256

>dis cu | include cpu-defen
cpu-defend policy igmpdefend
cpu-defend-policy igmpdefend global

Although doing that the issues still persist.

Cheers,  
chenhui
chenhui Admin Created Nov 11, 2019 02:04:01 Helpful(0) Helpful(0)

@welisson_br hello,
from your description, it seems the massive IGMP join/leave messages coursed the high CPU usage.
you are kindly advised to check if there is any network loops in the network.
View more
  • x
  • convention:

welisson_br
welisson_br Created Nov 11, 2019 21:07:20
Hi Chenhui.

Actually not, in this case that massive igmp/leave is caused by clients wich are getting in/out on the multicast group.  
welisson_br
welisson_br Reply welisson_br  Created Nov 11, 2019 21:07:53
*igmp join/leave  
welisson_br
welisson_br Reply welisson_br  Created Nov 11, 2019 21:45:44
Also, there is igmp report massive.  
chenhui
chenhui Admin Created Nov 12, 2019 01:26:07 Helpful(0) Helpful(0)

@welisson_br well, if you confirm that the high cpu usage is caused by the massive igmp join/leave packets, this is a normal scene, you are kindly advised to check if there are too many multicast users connected to the switch? Also, you can optimize the network.
View more
  • x
  • convention:

welisson_br
welisson_br Created Nov 12, 2019 14:29:08
Hi Chenhui,

Yep I have almost 2k multicast users connected on this switch.

I really haven't found any place informed about the real limit this switch about multicast stream. have you?

Cheers  
WheatGrass
WheatGrass Created Nov 12, 2019 09:15:40 Helpful(0) Helpful(0)

 DEFD/4/CPCAR_DROP_LPU


Message

DEFD/4/CPCAR_DROP_LPU:Rate of packets to cpu exceeded the CPCAR limit on the LPU in slot [STRING]. (Protocol=[STRING], CIR/CBS=[ULONG]/[ULONG], ExceededPacketCount=[STRING])

Description

The rate of packets delivered to the CPU exceeds the CPCAR limit on the specified device.

Parameters

Parameter NameParameter Meaning
slot

  • Specifies the slot ID if stacking is not configured.

  • Specifies the stack ID if stacking is configured.

ProtocolIndicates the protocol type.
CIR/CBSIndicates the committed information rate and committed burst size.
ExceededPacketCountSpecifies the number of packets whose rate exceeds the CPCAR.

Possible Causes

The rate of packets sent to the CPU of the specified device exceeds the CPCAR.

Procedure

  1. Run the auto-defend enable command to configure attack source tracing. If a possible attack source is detected, check on the network to determine whether it is a real attack source.

  2. If a real attack source exists, run the blacklist command to add the attack source to the blacklist or run the auto-defend action command to configure a punish action for the attack source. If no attack source exists, run the car (attack defense policy view) command to increase the CPCAR value properly.

     

    notice_3.0-en-us.png

    Improper CPCAR settings will affect services on your network. If you need to adjust CPCAR settings, you are advised to contact technical support personnel for help.




____________________________________________________________________________________________________________________________________


DEFD/4/CPCAR_DROP_MPU

Message

DEFD/4/CPCAR_DROP_MPU:Rate of packets to cpu exceeded the CPCAR limit on the MPU. (Protocol=[STRING], CIR/CBS=[ULONG]/[ULONG], ExceededPacketCount=[STRING])

Description

The rate of packets delivered to the CPU exceeds the CPCAR limit.

Parameters

Parameter NameParameter Meaning
ProtocolIndicates the protocol type.
CIR/CBSIndicates the committed information rate and committed burst size.
ExceededPacketCountIndicates the number of packets whose rate exceeds the CPCAR.

Possible Causes

The rate of packets delivered to the CPU exceeded the CPCAR limit. As a result, some packets are discarded.

Procedure

  1. Control the rate of packets delivered to the CPU within the CPCAR limit, or run the car packet-type packet-type cir cir-value [ cbs cbs-value ] command to configure a proper CPCAR limit.

     

    notice_3.0-en-us.png

    Improper CPCAR settings will affect services on your network. If you need to adjust CPCAR settings, you are advised to contact technical support personnel for help.

____________________________________________________________________________________________________________________________________


SECE/3/QUEUE_DROP

Message

SECE/3/QUEUE_DROP: Rate of packets to cpu exceeded the QUEUE limit. (SlotId=[STRING], Queue0DropNumber=[STRING], Queue1DropNumber=[STRING], Queue2DropNumber=[STRING], Queue3DropNumber=[STRING], Queue4DropNumber=[STRING], Queue5DropNumber=[STRING], Queue6DropNumber=[STRING], Queue7DropNumber=[STRING])

Description

Some packets in queues sent to the CPU were dropped.

Parameters

Parameter NameParameter Meaning

SlotId

  • On a standalone switch, it specifies a slot ID.

  • On a stacked switch, it specifies a stack ID.

Queue0DropNumber/Queue1DropNumber/Queue2DropNumber/Queue3DropNumber/Queue4DropNumber/Queue5DropNumber/Queue6DropNumber/Queue7DropNumber

Indicates the number of packets dropped in every 10 minutes in queues 0 to 7.

Possible Causes

A large CPCAR value was set for packets to be sent to the CPU. As a result, a large number of packets were sent to the CPU.

Procedure

  1. Run the display cpu-defend configuration slot slot-id command to check whether the CPCAR value configured for each type of protocol packets is correct. The default CPCAR value is recommended.

  2. Collect log information and configuration information, and then contact technical support personnel.You can collect diagnostic information using the display diagnostic-information command.


View more
  • x
  • convention:

welisson_br
welisson_br Created Nov 12, 2019 14:55:03
I did that configuration on CPCAR, and auto-defend, including set up whitelist with my range ip address allowed to make igmp query/join/report and so on, but not successful. So, increasing igmp values on cpcar more than 256 the switchs starts working not so good, where the access become quite slowly and the latency ahead it. is quite high as well, for sure the cpu get over 50% having peaks 80% when increased the cpcar over 256.
I'm wondering is this switch can deal with a large multicast flow?  
welisson_br
welisson_br Created Nov 12, 2019 21:08:25 Helpful(0) Helpful(0)

One question I've been wondering about that situation, Is there some limitation on that switch model when we talk about traffic igmp/multicast (heavy traffic)?
Does anyone from Huawei who can answer me, pls?
View more
  • x
  • convention:
chenhui
chenhui Admin Created Nov 13, 2019 00:58:47 Helpful(0) Helpful(0)

Posted by welisson_br at 2019-11-12 21:08 One question I've been wondering about that situation, Is there some limitation on that switch model ...
Yes, igmp limit function could restrict the number of multicast groups allowed in the system and on an interface.
please refer this https://support.huawei.com/hedex/hdx.do?docid=EDOC1100037168&id=dc_cfg_igmp_1019&lang=en

BTW, this is a temporary solution, I think, it's better to split part of the users to other devices.
View more
  • x
  • convention:
welisson_br
welisson_br Created Dec 19, 2019 14:38:32 Helpful(0) Helpful(0)

Hi chenhui,

I understood that this igmp limit is just to prevent how many channels I would have provided to my customer, thinking of this paremet, it just has some effect when you wouldn't like to provide many igmp groups, for instance in one situation where you are providing many channels(it means more than 100 channels) all of them, under multicast traffic, should I use this limitation respecting how many groups I will have?
View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Copyright © 2021 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.