[c-nsp] Cisco 3750 High CPU load due to ACL

Matt Gillies mgillies at cisco.com
Wed Feb 9 00:17:38 EST 2005


This is true if you were running the older 12.1E releases, that used the 
BDD algorithm to do the TCAM merges. In later 12.1 releases (I 
think past 12.1(9)EA1) we switched to ODM (Order Dependent Merge) 
which allows better TCAM utilization.

Again, the best way to verify whether an ACL made it into the TCAM is by 
using the commands below.

Cheers,

Matt.

Patrick Coppinger wrote:

>Are you running 12.1? If so try 12.2 instead. I saw the same behavior when running ACLs on 12.1 EMI code in our test lab. Upgrading to 12.2 corrected the high CPU issues using same ACL configuration.
>
>Patrick Coppinger
>CCIE #14298
>
>-----Original Message-----
>From: Matt Gillies <mgillies at cisco.com>
>Sent: Feb 8, 2005 6:55 PM
>To: Clinton Work <clinton at scripty.com>
>Cc: cisco-nsp at puck.nether.net
>Subject: Re: [c-nsp] Cisco 3750 High CPU load due to ACL
>
>In order to determine whether an ACL is being programmed into the TCAM 
>correctly, you can check the output of the following:
>
>For VLANs, you can check the output of:
>
>show plat acl int gx/x/x
>
>
>and then specify the input label as value xxx in:
>
>show plat acl label xxx
>
>
>to determine whether the ACL got programmed correctly into the TCAM for 
>routed/vlan ports. If the ACL didn't get programmed correctly, it will 
>display
> "Unloaded due to merge failure or lack of space"
>
>If you are using port-based ACLs, I *think* you need to use the command 
>'show platform acl int gx/x/x portlabels'. It should display 'forwarded 
>by CPU' if I recall correctly.
>
>Cheers,
>
>Matt.
>
>Clinton Work wrote:
>
>>Are you looking at "show controllers cpu" to check packets being forwarded
>>by the CPU? I have seen this problem several times when the ACLs exceed
>>the 3550 TCAM limits. The "show tcam inacl <tcam> stat" command isn't useful
>>in this case because if the ACL doesn't fit in the TCAM then the utilization
>>of the TCAM could still be really low.
>>
>>Roger Wiklund wrote:
>>>Hi, 
>>>
>>>I have an extended access-list without logging. But I get 10k deny matches 
>>>per second and the CPU-load goes up to 80%. But when I check show access-list 
>>>hardware counters there is nothing forwarded to the CPU.
>>>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/

