Introduction
This document describes how to troubleshoot high CPU utilization due to Data-Link Switching (DLSw).
Diagnose High CPU Utilization
Complete these steps in order to determine whether DLSw is the cause of high CPU utilization.
- Enter the show proc cpu sort command.
CISCO-2821-P1#show proc cpu sort
CPU utilization for five seconds: 98%/16%; one minute: 98%; five minutes: 98%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
366 40569376 27522064 1474 72.31% 74.57% 74.62% 0 DLSw msg proc
371 2099016 27845490 75 3.83% 3.93% 3.94% 0 HyBridge Input P
13 134172 1263 106232 2.15% 0.27% 0.18% 0 Licensing Auto U
367 779500 27475147 28 1.27% 1.35% 1.35% 0 CLS Background
In the previous output, the DLSw message process indicates that some kind of traffic is bridged into DLSw and that DLSw tries to send it to all of the peers. This can be real Systems Network Architecture (SNA) explorer traffic, Sub-Network Access Protocol (SNAP) frames (SNA is Service Access Point (SAP) encapsulated), DECnet, or possibly NetBIOS. Even if it is not sent to the peers, it is processed by DLSw and consumes CPU, because DLSw traffic is process-switched.
The Hybridge input is a clue, because this indicates Ethernet-bridged traffic. Cisco Link Services (CLS) Background is also involved.
- Enter the show proc cpu history command in order to determine how long the CPU utilization has been high.
- Enter the show dlsw peer ssp-dlx command in order to see the traffic on the peer too.
CISCO-2821-P1#show dlsw peer ssp-dlx
Peer: 192.168.2.1 received transmitted
CUR_ex Can U Reach Explorers 0 3
DATA Data Frame 0 205842
--> DSAP: SNAP (0xAA) 0 205789
--> DSAP: Other 0 53
CAPX Capabilities Exchange 102 111
Total SSP Primatives 102 205956
DLX Peer Test Request 0 347
DLX Peer Test Response 347 0
Last SSP Sent: DATA
Total number of connected peers: 1
Total number of connections: 1
Bit-Swap the MAC Addresses
The traffic might increment quickly on the MAC addresses learned over the bridge on the Ethernet interface.
Address Action Interface Age RX count TX count
90fb.a616.4e77 forward Gi0/0.1 0 1696 1968
54ee.7505.86b9 forward Gi0/0.1 0 1448758 0
0200.ae00.0080 forward DLSw Port0 0 306187 232570
54ee.7505.8705 forward Gi0/0.1 0 1448766 0
0011.258d.a82d forward Gi0/0.1 0 119501 184767
a820.6604.f332 forward Gi0/0.1 1 1294 0
Notice the addresses in the previous output that have an Rx count and no Tx count. These are the problem addresses.
You can use the Bitswap Tool in order to bit-swap the MAC addresses into Ethernet addresses.
- MAC 0088.a4b1.15b4 in DLSw is Ethernet address 0011.258D.A82D.
- MAC 09df.6568.72ee in DLSw is Ethernet address 90FB.A616.4E77.
- MAC 4000.7500.0001 in DLSw is Ethernet address 0200.ae00.0080.
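The check and the bit-swap described above can be scripted. This is an added example, not Cisco's Bitswap Tool: it parses the bridge-table rows shown on this page, lists the addresses with an Rx count and no Tx count, and converts the DLSw MAC addresses to Ethernet form so the two sets can be compared. The function names are hypothetical.

```python
import re

# Bridge-table rows and DLSw MAC addresses copied from the output on this page.
BRIDGE_TABLE = """\
90fb.a616.4e77 forward Gi0/0.1 0 1696 1968
54ee.7505.86b9 forward Gi0/0.1 0 1448758 0
0200.ae00.0080 forward DLSw Port0 0 306187 232570
54ee.7505.8705 forward Gi0/0.1 0 1448766 0
0011.258d.a82d forward Gi0/0.1 0 119501 184767
a820.6604.f332 forward Gi0/0.1 1 1294 0
"""
DLSW_MACS = ["0088.a4b1.15b4", "09df.6568.72ee", "4000.7500.0001"]

# Address, Action, Interface (may contain a space), Age, RX count, TX count
ROW = re.compile(
    r"^((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\w+\s+(.+?)\s+\d+\s+(\d+)\s+(\d+)$", re.I)

def bitswap(mac):
    """Reverse the bit order inside each byte (Token Ring <-> Ethernet form)."""
    raw = bytes.fromhex(mac.replace(".", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    out = bytes(int(f"{b:08b}"[::-1], 2) for b in raw).hex()
    return ".".join(out[i:i + 4] for i in range(0, 12, 4))

def parse_bridge_table(text):
    """Return one dict per table row; header and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"addr": m[1].lower(), "interface": m[2],
                         "rx": int(m[3]), "tx": int(m[4])})
    return rows

def rx_only(rows):
    """Addresses that receive but never transmit, busiest first."""
    hits = [r for r in rows if r["rx"] > 0 and r["tx"] == 0]
    return [r["addr"] for r in sorted(hits, key=lambda r: r["rx"], reverse=True)]

def report(table=BRIDGE_TABLE, dlsw_macs=DLSW_MACS):
    rows = parse_bridge_table(table)
    sna = {bitswap(m) for m in dlsw_macs}  # SNA endpoints in Ethernet form
    suspects = rx_only(rows)
    return {"sna_endpoints": sorted(sna & {r["addr"] for r in rows}),
            "suspects": suspects,
            "suspects_not_sna": [a for a in suspects if a not in sna]}

if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

With the data from this page, none of the Rx-only addresses is one of the bit-swapped SNA endpoints.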
Determine the SNA Endpoints
You need to know which MAC addresses and SAPs comprise the SNA endpoints. If everything is online and works, you can determine this with the show dlsw circuit command:
CISCO-2821-P1#show dlsw cir
Index local addr(lsap) remote addr(dsap) state uptime
369099416 0088.a4b1.15b4(04) 4000.7500.0001(04) CONNECTED 1d02h
3607102105 09df.6568.72ee(04) 4000.7500.0001(04) CONNECTED 00:57:43
Total number of circuits connected: 2
In the previous output, the local MAC address is the non-canonical (token ring) form of the MAC address. That means it would need to be bit-swapped in order to see the MAC address as it appears on the Ethernet. The number in parentheses (04) is the SAP that is used by this connection. All of the end stations in the previous output use 0x04. So the SAPs that are used are 0 and 4. SAP 0x0 is used for explorers.
Filter on the SAPs
Now, you can filter on the SAPs. You must permit at least 0 and 4. It is a good practice to always permit 0, 4, 8, and C.
For more information, refer to DLSw+ SAP/MAC Filtering Techniques.
Suppose you have a configuration like this:
dlsw local-peer peer-id 192.168.1.1
dlsw remote-peer 0 tcp 192.168.2.1
dlsw bridge-group 15
!
interface GigabitEthernet0/0.1
description **Production LAN Segment**
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.0.0
bridge-group 15
!
bridge 1 protocol vlan-bridge
You would need to filter first what is sent between the DLSw peers, because this has the largest impact. You can block SAPs AA (SNAP), E0 (Novell NetWare), and F0 (NetBIOS). This configuration is safe to implement.
conf t
dlsw icannotreach saps AA E0 F0
exit
wr
You could use the permit version of the filter, if you know which SNA SAPs the customer uses and if the list is small. Here is an example:
conf t
dlsw icanreach saps 0 4 8 C
exit
wr
Filter Unwanted Traffic
You can filter the unwanted traffic at the bridge-group on the Ethernet interface:
conf t
access-list 200 permit 0x0000 0x0D0D
access-list 201 deny 0x0000 0xFFFF
exit
wr
Note: This example uses access-list 200 in order to permit 0, 4, 8, and C with a high-order (command/response) bit. This example uses access-list 201 in order to block SNAP (Sub-Network Access Protocol) and other unwanted traffic.
Apply the filters on the Ethernet interface:
conf t
interface GigabitEthernet0/0.1
bridge-group 15 input-lsap-list 200
bridge-group 15 input-type-list 201
exit
wr
Here is an example configuration on the Ethernet:
interface GigabitEthernet0/0.1
description **Production LAN Segment**
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.0.0
bridge-group 15
bridge-group 15 input-lsap-list 200
bridge-group 15 input-type-list 201
This should be all that is needed in order to stop the high CPU utilization by the DLSw.
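To see which SAPs access-list 200 lets through before it is applied, the entry can be evaluated offline. This is an added example, not part of the original document; it models the entry as a 16-bit DSAP/SSAP value with a wildcard mask in which 1 bits are ignored, evaluated first-match with an implicit deny, and its function names are hypothetical.

```python
# Entry from this page: access-list 200 permit 0x0000 0x0D0D
# Modeled as (action, value, mask); DSAP is the high byte, SSAP the low byte.
ACL_200 = [("permit", 0x0000, 0x0D0D)]

# Constructed sample frames: (label, DSAP, SSAP)
SAMPLE_FRAMES = [
    ("SNA command", 0x04, 0x04),
    ("SNA response", 0x04, 0x05),
    ("explorer to SAP 0", 0x00, 0x04),
    ("SNAP", 0xAA, 0xAA),
    ("Novell NetWare", 0xE0, 0xE0),
    ("NetBIOS", 0xF0, 0xF0),
]

def acl_action(acl, dsap, ssap):
    """First matching entry wins; bits set to 1 in the mask are not compared."""
    if not (0 <= dsap <= 0xFF and 0 <= ssap <= 0xFF):
        raise ValueError("DSAP and SSAP are one byte each")
    code = (dsap << 8) | ssap
    for action, value, mask in acl:
        care = ~mask & 0xFFFF
        if (code & care) == (value & care):
            return action
    return "deny"  # implicit deny at the end of every access list

def permitted_saps(acl):
    """SAP values accepted when the same value appears as DSAP and SSAP."""
    return [s for s in range(0x100) if acl_action(acl, s, s) == "permit"]

def classify(frames, acl):
    """Map each sample frame label to the action the access list takes."""
    return {label: acl_action(acl, dsap, ssap) for label, dsap, ssap in frames}

if __name__ == "__main__":
    print([f"0x{s:02X}" for s in permitted_saps(ACL_200)])
    for label, action in classify(SAMPLE_FRAMES, ACL_200).items():
        print(f"{label:20} {action}")
```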
Permit Only MAC Addresses Used for SNA
There is one more step that you can perform in order to permit only the MAC addresses that are used for SNA to be bridged. Ensure that all of the SNA devices are online and work in order to obtain a complete list with this command:
CISCO-2821-P1#show dlsw cir
Index local addr(lsap) remote addr(dsap) state uptime
369099416 0088.a4b1.15b4(04) 4000.7500.0001(04) CONNECTED 1d02h
3607102105 09df.6568.72ee(04) 4000.7500.0001(04) CONNECTED 00:57:43
Total number of circuits connected: 2
MAC 0088.a4b1.15b4 in DLSw is Ethernet address 0011.258D.A82D.
MAC 09df.6568.72ee in DLSw is Ethernet address 90FB.A616.4E77.
access-list 701 permit 0011.258D.A82D 0000.0000.0000
access-list 701 permit 90FB.A616.4E77 0000.0000.0000
access-list 701 deny 0000.0000.0000 ffff.ffff.ffff
conf t
interface GigabitEthernet0/0.1
bridge-group 15 input-address-list 701
exit
wr
If you still have high CPU utilization after you complete this procedure, contact the Cisco Technical Assistance Center (TAC) in order to escalate the case.