[c-nsp] High interrupt CPU load on Cat3750, caused by ACL?

Tassos Chatzithomaoglou achatz at forthnet.gr
Mon Mar 27 09:56:08 EST 2006


I don't know much about the ACLs, but all these 3750 switches have a limitation 
on the number of routed interfaces; 8 if I'm right.

Also on 3550s you could use the following in order to find out more info about 
the tcam resource usage:

3550#sh tcam ?
   inacl   Show Ingress ACL TCAM
   outacl  Show Egress ACL TCAM
   pbr     Show PBR TCAM
   qos     Show Ingress QoS TCAM

There is something similar on 3750s, "sh platform tcam", but CCO doesn't want to 
give more information about it :(

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_command_reference_chapter09186a00805a743f.html

"You should use this command only when you are working directly with your 
technical support representative while troubleshooting a problem. Do not use 
this command unless your technical support representative asks you to do so."

Tassos

Johannes Resch wrote on 27/3/2006 16:43:

> Hi there,
> 
> I've got a stack of 2x C3750G-24T running c3750-ipservicesk9-mz.122-25.SEE
> giving me some trouble.
> 
> The device uses OSPF and BGP (~3k routes total) and has about 35 routed
> SVIs (some of them with rate limiting).
> All routed traffic is below 50 mbit/sec, plus about 70mbit of switched
> traffic, less than 15kpps total. No QoS, PBR, L2-ACLs or other fancy
> features.
> 
> However, "show proc cpu" shows a high level of interrupt CPU load:
> 
> CPU utilization for five seconds: 78%/72%; one minute: 79%; five minutes: 77%
> 
> Thinking of possible reasons I first looked into ACLs.
> "sh access-lists hardware counters" shows that the "L3 ACL INPUT
> Statistics" "forwarded to CPU" counter increases about 300-500 packets per
> second. Is this already enough to cause 70% interrupt CPU traffic?
> 
> There are 3 ACLs set on SVIs (all set on outgoing traffic).
> As far as I can interpret the output of "sh platform acl label" (see
> below), the ACLs should have been loaded into TCAM - please correct me if
> I'm wrong.
> 
> All 3 ACLs use the "established" keyword for filtering TCP connections,
> could this be the reason?
> 
> Also, I'm wondering why "L3 ACL INPUT statistics" shows cpu forwarded
> packets, while the ACLs are only set for outgoing traffic.
> 
> 
> IPv4/MAC ACL label
> ------------------
> 
> Input Op Select Index 255:
> Output Op Select Index 0:
> Input Features:
>   Interfaces or VLANs:
>   Priority: low
>   Vlan Map: (none), 0 VMRs.
>   Access Group: (none), 0 VMRs.
>   Multicast Boundary: (none), 0 VMRs.
> Output Features:
>   Interfaces or VLANs:  Vl701
>   Priority: normal
>   Bridge Group Member: no
>   Vlan Map: (none), 0 VMRs.
>   Access Group: 114, 116 VMRs
> 
> IPv4/MAC ACL label
> ------------------
> 
> Input Op Select Index 255:
> Output Op Select Index 0:
> Input Features:
>   Interfaces or VLANs:
>   Priority: low
>   Vlan Map: (none), 0 VMRs.
>   Access Group: (none), 0 VMRs.
>   Multicast Boundary: (none), 0 VMRs.
> Output Features:
>   Interfaces or VLANs:  Vl703
>   Priority: normal
>   Bridge Group Member: no
>   Vlan Map: (none), 0 VMRs.
>   Access Group: 115, 26 VMRs.
> 
> 
> 
> IPv4/MAC ACL label
> ------------------
> 
> Input Op Select Index 255:
> Output Op Select Index 0:
> Input Features:
>   Interfaces or VLANs:
>   Priority: low
>   Vlan Map: (none), 0 VMRs.
>   Access Group: (none), 0 VMRs.
>   Multicast Boundary: (none), 0 VMRs.
> Output Features:
>   Interfaces or VLANs:  Vl704
>   Priority: normal
>   Bridge Group Member: no
>   Vlan Map: (none), 0 VMRs.
>   Access Group: 113, 39 VMRs.
> 
> 
> any feedback is appreciated,
> 
> best regards,
> -jr
> 
> 
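As an added example (not code from either poster), a small Python parser for the "sh platform acl label" output quoted above that tallies TCAM VMR usage per direction and interface, so the heaviest ACL bindings stand out when troubleshooting CPU-forwarded traffic. The sample input is a constructed, shortened copy of the dump from the thread, and the parser assumes the field layout shown there.

```python
import re

# Constructed sample: two labels, shortened from the "sh platform acl label" dump in the thread.
SAMPLE = """\
IPv4/MAC ACL label
Input Features:
  Interfaces or VLANs:
  Access Group: (none), 0 VMRs.
Output Features:
  Interfaces or VLANs:  Vl701
  Vlan Map: (none), 0 VMRs.
  Access Group: 114, 116 VMRs

IPv4/MAC ACL label
Input Features:
  Interfaces or VLANs:
  Access Group: (none), 0 VMRs.
Output Features:
  Interfaces or VLANs:  Vl703
  Access Group: 115, 26 VMRs.
"""

FEATURE_RE = re.compile(r"^(\w+) Features:")
BINDING_RE = re.compile(r"^\s+(Vlan Map|Access Group|Multicast Boundary): (.+?), (\d+) VMRs\.?$")

def parse_acl_labels(text):
    """One dict per label: {direction: {"ifaces": [...], "vmrs": {feature: (acl, count)}}}."""
    labels, current, direction = [], None, None
    for line in text.splitlines():
        if line.startswith("IPv4/MAC ACL label"):       # start of a new label block
            current, direction = {}, None
            labels.append(current)
        elif (m := FEATURE_RE.match(line)) and current is not None:
            direction = m.group(1).lower()              # "input" or "output"
            current[direction] = {"ifaces": [], "vmrs": {}}
        elif direction and line.strip().startswith("Interfaces or VLANs:"):
            current[direction]["ifaces"] = line.split(":", 1)[1].split()
        elif direction and (m := BINDING_RE.match(line)) and m.group(2) != "(none)":
            current[direction]["vmrs"][m.group(1)] = (m.group(2), int(m.group(3)))
    return labels

def vmr_usage(labels):
    """Sum TCAM VMRs per (direction, interface) so the heaviest ACL bindings stand out."""
    usage = {}
    for label in labels:
        for direction, feat in label.items():
            for iface in feat["ifaces"]:
                total = sum(count for _, count in feat["vmrs"].values())
                usage[(direction, iface)] = usage.get((direction, iface), 0) + total
    return usage
```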