Related Documentation
- Additional Information
- Junos OS Feature Support Reference for SRX Series and J Series Devices
Understanding CPU Allocation and Control
When device CPU utilization is low, logical systems can acquire and use CPU resources above their allocated reserve quotas as long as the system-wide utilization remains within a stable range. CPU utilization on a device should never reach 100 percent because a device running at 100 percent CPU utilization might be slow to respond to management or system events or be unable to handle traffic bursts.
CPU resources are used on a first-come first-served basis. Without controls, logical systems can compete for CPU resources and drive CPU utilization up to 100 percent. You cannot rely on the configuration of static resources, such as security policies and zones, to directly control CPU usage because a logical system with small numbers of static resources allocated could still consume a large amount of CPU. Instead, the master administrator can enable CPU resource control and configure CPU utilization parameters for logical systems.
 | Note: Only the master administrator can enable CPU control and configure CPU utilization parameters. User logical system administrators can use the show system security-profile cpu command to view CPU utilization for their logical systems. |
This topic includes the following sections:
CPU Control
The master administrator enables CPU control with the cpu-control configuration statement at the [edit system security-profile resources] hierarchy level.
| Note: The resources security profile is a special security profile that contains global settings that apply to all logical systems in the device. Other security profiles configured by the master administrator are bound to specific logical systems. |
When CPU control is enabled, the master administrator can then configure the following CPU utilization parameters:
- A reserved CPU quota is the percentage of CPU utilization that is guaranteed for a logical system.
- The CPU control target is the upper limit, in percent, for system-wide CPU utilization on the device under normal operating conditions.
Reserved CPU Utilization Quota for Logical Systems
A configured reserved CPU quota guarantees that a specified percentage of CPU is always available to a logical system. During runtime, CPU utilization by each logical system is measured every two seconds. The reserved CPU quota is used to calculate the amount of CPU each logical system can use based on the runtime utilization.
The master administrator specifies the reserved CPU quota in a logical system security profile with the cpu reserved configuration statement at the [edit system security-profile profile-name] hierarchy level. The security profile is bound to one or more logical systems. Unlike other resources that are allocated to a logical system in a security profile, no maximum allowed quota can be configured for CPU utilization.
The Junos OS software checks to ensure that the sum of reserved CPU quotas for all logical systems on the device is less than 90 percent of the CPU control target value. If CPU control is enabled and reserved CPU quotas are not configured, the default reserved CPU quota for the master logical system is 1 percent and the default reserved CPU quota for user logical systems is 0 percent. The master administrator can configure reserved CPU quotas even if CPU control is not enabled. The master administrator can enable or disable CPU control without changing security profiles.
 | Caution: The master logical system must not be bound to a security profile that is configured with a 0 percent reserved CPU quota because traffic loss could occur. |
CPU Control Target
CPU control target is the upper limit, in percent, for CPU utilization on the device under normal operating conditions. If CPU utilization on the device surpasses the configured target value, the Junos OS software initiates controls to bring CPU utilization between the target value and 90 percent of the target value. For example, if the CPU control target value is 80 and CPU utilization on the device surpasses 80 percent, then controls are initiated to bring CPU utilization within the range of 72 (90 percent of 80) and 80 percent.
During runtime, CPU utilization by each logical system is measured every two seconds. Dropping packets reduces the CPU usage for a logical system. If the CPU usage of a logical system exceeds its quota, CPU utilization control drops the packets received on that logical system. The packet drop rate is calculated every two seconds based on CPU utilization of all logical systems.
The master administrator configures the CPU control target with the cpu-control-target configuration statement at the [edit system security-profile resources] hierarchy level. A stable level of CPU utilization should be relatively close to 100 percent but allow for bursts in CPU utilization. The master administrator should configure the CPU control target level based on an understanding of the usage pattern of the logical system’s deployment on the device.
CPU control must be enabled for the Junos OS software to control CPU usage. If the master administrator enables CPU control without specifying a CPU control target value, the default CPU control target is 80 percent.
Shared CPU Resources and CPU Quotas
The sum of the reserved CPU quotas for all logical systems on the device must be less than 90 percent of the CPU control target; the difference is called the shared CPU resource. The shared CPU resource is dynamically allocated among the logical systems that need additional CPU. This means that a logical system can use more CPU than its reserved CPU quota.
The CPU quota for a logical system is the sum of its reserved CPU quota and its portion of the shared CPU resource. If multiple logical systems need more CPU resources, they split the shared CPU resource based on the relative weights of their reserved CPU quotas. Logical systems with larger reserved CPU quotas receive larger portions of the shared CPU resource. The goal for CPU control is to keep the actual CPU utilization of a logical system at its CPU quota. If a logical system’s CPU needs are greater than its CPU quota, packets are dropped for that logical system.
The following scenarios illustrate CPU control for logical systems. In each scenario, the CPU control target value is 80, which means that CPU controls will keep the maximum system-wide CPU utilization between 72 and 80 percent. The reserved CPU quotas for the logical systems are configured as follows: master and lsys1 logical systems are 10 percent each and the lsys2 logical system is 5 percent.
CPU Utilization Scenario 1
In this scenario, each of the three logical systems needs 40 percent of CPU. Table 1 shows the CPU quotas for each logical system. Because the CPU needed by each logical system is greater than its CPU quota, packets are dropped for each logical system.
Table 1: CPU Utilization Scenario 1
Logical System | Needed CPU | CPU Quotas | Packets Dropped? |
|---|---|---|---|
master | 40% | 28.8% | Yes |
lsys1 | 40% | 28.8% | Yes |
lsys2 | 40% | 14.4% | Yes |
CPU Utilization Scenario 2
In this scenario, the master logical system needs 25 percent of CPU while the two user logical systems need 40 percent. Table 2 shows the CPU quota for the master logical system is equal to the CPU it needs, so no packets are dropped for the master logical system and CPU control monitors the CPU utilization of the master logical system. Packets are dropped for lsys1 and lsys2.
Table 2: CPU Utilization Scenario 2
Logical System | Needed CPU | CPU Quotas | Packets Dropped? |
|---|---|---|---|
master | 25% | 25% | No |
lsys1 | 40% | 31.3% | Yes |
lsys2 | 40% | 15.6% | Yes |
CPU Utilization Scenario 3
In this scenario, the master and lsys2 logical systems need 5 percent and 3 percent of CPU, respectively, while lsys1 needs 40 percent. Table 3 shows system-wide CPU utilization is 48 percent, which is less than 72 percent (90 percent of the CPU control target), so no packets are dropped and CPU control monitors all logical systems.
Table 3: CPU Utilization Scenario 3
Logical System | Needed CPU | CPU Quota | Packets Dropped? |
|---|---|---|---|
master | 5% | 5% | No |
lsys1 | 40% | 40% | No |
lsys2 | 3% | 3% | No |
Monitoring CPU Utilization
CPU utilization can be monitored by either the master administrator or the user logical system administrators. The master administrator can monitor CPU utilization for the master logical system, a specified user logical system, or all logical systems. User logical system administrators can only monitor CPU utilization for their logical system.
The show system security-profile cpu command shows the usage and drop rate in addition to the reserved CPU quota configured for the logical system. During runtime, CPU utilization by each logical system is measured every two seconds. The usage and drop rates displayed are the values at the interval prior to when the show command is run. If the detail option is not specified, the utilization of the central point (CP) and the average utilization of all services processing units (SPUs) is shown. The detail option displays the CPU utilization on each SPU.
The CPU utilization log file lsys-cpu-utilization-log contains utilization data for all logical systems on the device. Only the master administrator can view the log file with the show log lsys-cpu-utilization-log command.
Related Documentation
- Additional Information
- Junos OS Feature Support Reference for SRX Series and J Series Devices
