CPU Allocation for Logical Systems
The CPU allocation for logical systems assign the reserved CPU resources to a logical system used to calculate the amount of CPU usage based on the runtime utilization. For more information, see the following topics:
Understanding CPU Allocation and Control
When device CPU utilization is low, logical systems can acquire and use CPU resources above their allocated reserve quotas as long as the system-wide utilization remains within a stable range. CPU utilization on a device should never reach 100 percent because a device running at 100 percent CPU utilization might be slow to respond to management or system events or be unable to handle traffic bursts.
CPU resources are used on a first-come first-served basis. Without controls, logical systems can compete for CPU resources and drive CPU utilization up to 100 percent. You cannot rely on the configuration of static resources, such as security policies and zones, to directly control CPU usage because a logical system with small numbers of static resources allocated could still consume a large amount of CPU. Instead, the primary administrator can enable CPU resource control and configure CPU utilization parameters for logical systems.
Only the primary administrator can enable CPU control
and configure CPU utilization parameters. User logical system administrators
can use the show system security-profile cpu command to
view CPU utilization for their logical systems.
This topic includes the following sections:
- CPU Control
- Reserved CPU Utilization Quota for Logical Systems
- CPU Control Target
- Shared CPU Resources and CPU Quotas
- Monitoring CPU Utilization
CPU Control
The primary administrator enables CPU control with the cpu-control configuration statement at the [edit system security-profile resources] hierarchy
level.
The resources security profile is a special security
profile that contains global settings that apply to all logical systems
in the device. Other security profiles configured by the primary administrator
are bound to specific logical systems.
When CPU control is enabled, the primary administrator can then configure the following CPU utilization parameters:
A reserved CPU quota is the percentage of CPU utilization that is guaranteed for a logical system.
The CPU control target is the upper limit, in percent, for system-wide CPU utilization on the device under normal operating conditions.
Reserved CPU Utilization Quota for Logical Systems
A configured reserved CPU quota guarantees that a specified percentage of CPU is always available to a logical system. During runtime, CPU utilization by each logical system is measured every two seconds. The reserved CPU quota is used to calculate the amount of CPU each logical system can use based on the runtime utilization.
The primary administrator specifies the reserved CPU quota in
a logical system security profile with the cpu reserved configuration statement at the [edit system security-profile profile-name] hierarchy level. The security
profile is bound to one or more logical systems. Unlike other resources
that are allocated to a logical system in a security profile, no maximum
allowed quota can be configured for CPU utilization.
The Junos OS software checks to ensure that the sum of reserved CPU quotas for all logical systems on the device is less than 90 percent of the CPU control target value. If CPU control is enabled and reserved CPU quotas are not configured, the default reserved CPU quota for the primary logical system is 1 percent and the default reserved CPU quota for user logical systems is 0 percent. The primary administrator can configure reserved CPU quotas even if CPU control is not enabled. The primary administrator can enable or disable CPU control without changing security profiles.
The primary logical system must not be bound to a security profile that is configured with a 0 percent reserved CPU quota because traffic loss could occur.
CPU Control Target
CPU control target is the upper limit, in percent, for CPU utilization on the device under normal operating conditions. If CPU utilization on the device surpasses the configured target value, the Junos OS software initiates controls to bring CPU utilization between the target value and 90 percent of the target value. For example, if the CPU control target value is 80 and CPU utilization on the device surpasses 80 percent, then controls are initiated to bring CPU utilization within the range of 72 (90 percent of 80) and 80 percent.
During runtime, CPU utilization by each logical system is measured every two seconds. Dropping packets reduces the CPU usage for a logical system. If the CPU usage of a logical system exceeds its quota, CPU utilization control drops the packets received on that logical system. The packet drop rate is calculated every two seconds based on CPU utilization of all logical systems.
The primary administrator configures the CPU control target
with the cpu-control-target configuration statement at
the [edit system security-profile resources] hierarchy
level. A stable level of CPU utilization should be relatively close
to 100 percent but allow for bursts in CPU utilization. The primary
administrator should configure the CPU control target level based
on an understanding of the usage pattern of the logical system’s
deployment on the device.
CPU control must be enabled for the Junos OS software to control CPU usage. If the primary administrator enables CPU control without specifying a CPU control target value, the default CPU control target is 80 percent.
Shared CPU Resources and CPU Quotas
The sum of the reserved CPU quotas for all logical systems on the device must be less than 90 percent of the CPU control target; the difference is called the shared CPU resource. The shared CPU resource is dynamically allocated among the logical systems that need additional CPU. This means that a logical system can use more CPU than its reserved CPU quota.
The CPU quota for a logical system is the sum of its reserved CPU quota and its portion of the shared CPU resource. If multiple logical systems need more CPU resources, they split the shared CPU resource based on the relative weights of their reserved CPU quotas. Logical systems with larger reserved CPU quotas receive larger portions of the shared CPU resource. The goal for CPU control is to keep the actual CPU utilization of a logical system at its CPU quota. If a logical system’s CPU needs are greater than its CPU quota, packets are dropped for that logical system.
The following scenarios illustrate CPU control for logical systems. In each scenario, the CPU control target value is 80, which means that CPU controls will keep the maximum system-wide CPU utilization between 72 and 80 percent. The reserved CPU quotas for the logical systems are configured as follows: primary and lsys1 logical systems are 10 percent each and the lsys2 logical system is 5 percent.
CPU Utilization Scenario 1
In this scenario, each of the three logical systems needs 40 percent of CPU. Table 1 shows the CPU quotas for each logical system. Because the CPU needed by each logical system is greater than its CPU quota, packets are dropped for each logical system.
Logical System |
Needed CPU |
CPU Quotas |
Packets Dropped? |
|---|---|---|---|
primary |
40% |
28.8% |
Yes |
lsys1 |
40% |
28.8% |
Yes |
lsys2 |
40% |
14.4% |
Yes |
CPU Utilization Scenario 2
In this scenario, the primary logical system needs 25 percent of CPU while the two user logical systems need 40 percent. Table 2 shows the CPU quota for the primary logical system is equal to the CPU it needs, so no packets are dropped for the primary logical system and CPU control monitors the CPU utilization of the primary logical system. Packets are dropped for lsys1 and lsys2.
Logical System |
Needed CPU |
CPU Quotas |
Packets Dropped? |
|---|---|---|---|
primary |
25% |
25% |
No |
lsys1 |
40% |
31.3% |
Yes |
lsys2 |
40% |
15.6% |
Yes |
CPU Utilization Scenario 3
In this scenario, the primary and lsys2 logical systems need 5 percent and 3 percent of CPU, respectively, while lsys1 needs 40 percent. Table 3 shows system-wide CPU utilization is 48 percent, which is less than 72 percent (90 percent of the CPU control target), so no packets are dropped and CPU control monitors all logical systems.
Logical System |
Needed CPU |
CPU Quota |
Packets Dropped? |
|---|---|---|---|
primary |
5% |
5% |
No |
lsys1 |
40% |
40% |
No |
lsys2 |
3% |
3% |
No |
Monitoring CPU Utilization
CPU utilization can be monitored by either the primary administrator or the user logical system administrators. The primary administrator can monitor CPU utilization for the primary logical system, a specified user logical system, or all logical systems. User logical system administrators can only monitor CPU utilization for their logical system.
The show system security-profile cpu command shows
the usage and drop rate in addition to the reserved CPU quota configured
for the logical system. During runtime, CPU utilization by each logical
system is measured every two seconds. The usage and drop rates displayed
are the values at the interval prior to when the show command
is run. If the detail option is not specified, the utilization
of the central point (CP) and the average utilization of all services
processing units (SPUs) is shown. The detail option displays
the CPU utilization on each SPU.
The CPU utilization log file lsys-cpu-utilization-log contains utilization data for all logical systems on the device.
Only the primary administrator can view the log file with the show log lsys-cpu-utilization-log command.
See Also
Example: Configuring CPU Utilization (Primary Administrators Only)
The primary administrator can enable CPU control and configure CPU utilization parameters. This example shows how to enable CPU utilization control and configure CPU utilization quotas and a control target.
Requirements
Before you begin:
Log in to the primary logical system as the primary administrator. See Understanding the Primary Logical Systems and the Primary Administrator Role.
Bind security profiles to the primary logical system and user logical systems configured on the device. See Example: Configuring Logical Systems Security Profiles (Primary Administrators Only).
Overview
In this example, you enable CPU control and set the CPU control target to be 85 percent. You allocate reserved CPU quotas to the logical systems shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System. The logical systems are bound to the security profiles shown in Table 4 and are assigned the reserved CPU quotas in the security profiles.
Logical System |
Security Profile |
Reserved CPU Quotas |
|---|---|---|
root-logical-system (primary) |
primary-profile |
2 percent |
ls-product-design |
ls-design-profile |
2 percent |
ls-marketing-dept, ls-accounting-dept |
ls-accnt-mrkt-profile |
1 percent |
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set system security-profile resources cpu-control set system security-profile resources cpu-control-target 85 set system security-profile master-profile cpu reserved 2 set system security-profile ls-design-profile cpu reserved 2 set system security-profile ls-accnt-mrkt-profile cpu reserved 1
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure CPU utilization control parameters:
Log in to the primary logical system as the primary administrator and enter configuration mode.
[edit] admin@host> configure admin@host#
Enable CPU control.
[edit system security-profile resources] admin@host# set cpu-control
Configure the CPU control target.
[edit system security-profile resources] admin@host# set cpu-control-target 85
Configure the reserved CPU quotas in the security profiles.
[edit system] admin@host# set security-profile security-profile master-profile cpu reserved 2 admin@host# set security-profile security-profile ls-design-profile cpu reserved 2 admin@host# set security-profile security-profile ls-accnt-mrkt-profile cpu reserved 1
Results
From configuration mode, confirm your configuration
by entering the show system security-profile command. If
the output does not display the intended configuration, repeat the
\ instructions in this example to correct the configuration.
For brevity, this show command output includes only
the configuration that is relevant to this example. Any other configuration
on the system has been replaced with ellipses (...).
[edit]
admin@host# show system security-profile
resources {
cpu-control;
cpu-control-target 85;
}
ls-accnt-mrkt-profile {
...
cpu {
reserved 1;
}
logical-system [ ls-marketing-dept ls-accounting-dept ];
}
ls-design-profile {
...
cpu {
reserved 2;
}
logical-system ls-product-design;
}
master-profile {
...
cpu {
reserved 2;
}
logical-system root-logical-system;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying CPU Utilization
Purpose
Display the configured reserved CPU quota, the actual CPU usage, and the drop rate.
Action
From operational mode, enter the show system security-profile
cpu logical-system all command.
admin@host> show system security-profile cpu logical-system all CPU control: TRUE CPU control target: 85.00% logical system name profile name CPU name usage(%) reserved(%) drop rate(%) root-logical-system master-profile CP 0.10% 2.00% 0.00% root-logical-system master-Profile SPU 0.25% 2.00% 0.00% ls-product-design ls-design-profile CP 0.53% 2.00% 0.00% ls-product-design ls-design-profile SPU 0.26% 2.00% 0.00% ls-marketing-dept ls-acct-mrkt-profile CP 0.10% 1.00% 0.00% ls-marketing-dept ls-acct-mrkt-profile SPU 0.15% 1.00% 0.00% ls-accounting-dept ls-acct-mrkt-profile CP 0.23% 1.00% 0.00% ls-accounting-dept ls-acct-mrkt-profile SPU 0.34% 1.00% 0.00%