[c-nsp] NPE G1, CEF and ACLs and high CPU

Mateusz Błaszczyk blahu77 at gmail.com
Mon Sep 8 16:15:31 EDT 2008



REPOST again as firegpg removed some important bits from acl..

Rodney,

>> 1) process switching which means invoking ip_input for every packet
>
> That is if you have CEF disabled. Let's forget the "ip fastswitching"
> discussion because after 12.4(20)T it's gone. It's process or CEF only.

That was a recall. It wasn't my intention to go too deep into this.

> That means you have a lot of interrupt traffic transit the box and some
> is getting punted to process level after a lookup in the rx CEF routines
> or either further down the CEF switching vector due to a feature punt.
[...]
All right, my understanding of the CEF mechanism was correct.
And you are saying the best way to actually check what these packets
are is to push 12.4(20)T on to the box and start sniffing?

>> Does it mean the NPE-G1 is not enough to process ~400Mbps/60kpps with
>> ACL like above?
>
> Depends on the exact ACL and other features configured.

Or by looking at the ACL you are able to pinpoint the "bad" ACL statements?

The acl (extended) looks like this (from memory-dump)

! deny rogue IPs (it is interesting how many catches are here)
deny ip 10.0.0.0 .... any
deny ip 192... any
deny ip host 0.0.0.0 any
etc....
! deny spoofing us...
deny ip OURBLOCK1 any
deny ip OURBLOCK2 any
! pings and traceroute
permit icmp any any
permit udp any any range 32xxx 34xxx
! transit providers
permit tcp host THEM1 host US1 eq bgp
permit tcp host THEM1 eq bgp host US1
! Internet eXchanges - bgp/msdp
permit tcp THEM2 WCARD2 host US2 eq bgp
permit tcp THEM2 WCARD2 eq bgp host US2
deny ip any US1
deny ip any US2
! some legacy stuff
permit ip any host XXX
! deny access to infrastructure
deny ip any NETWORK_1
...
deny ip any NETWORK_N
permit ip any any

also (maybe worth noting) we got CAR for icmp packets enabled on the
port on (input).

> Probably normal. I'd suggest looking at the new ASR1000 that can do
> ACL's in hardware.

Any significant advantage over entry-level 6500/7600?



--
-mat
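An added example, not from this post or the thread, modelling first-match evaluation over an extended ACL shaped like the one above; the addresses are constructed RFC 5737 values (192.0.2.0/24 stands in for OURBLOCK, 203.0.113.1 for THEM1, 198.51.100.1 for US1). For each flow it returns the entry that matched and how many entries were checked first, which is one way to see which flows walk most of the list before reaching permit ip any any.

```python
from ipaddress import IPv4Address
# Constructed ACL shaped like the post's, with placeholders replaced by RFC 5737 addresses.
SAMPLE_ACL = """
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any                ! anti-spoofing
permit icmp any any
permit udp any any range 32768 34000           ! traceroute
permit tcp host 203.0.113.1 host 198.51.100.1 eq bgp
permit tcp host 203.0.113.1 eq bgp host 198.51.100.1
deny ip any host 198.51.100.1
permit ip any any
"""
PORTS = {"bgp": 179}  # named ports the sample uses
def parse_addr(t):
    """'any' | 'host A' | 'A WILDCARD' -> (rest, (net, mask)); wildcard 1-bits are don't-care."""
    if t[0] == "any":
        return t[1:], (0, 0)
    if t[0] == "host":
        return t[2:], (int(IPv4Address(t[1])), 0xFFFFFFFF)
    return t[2:], (int(IPv4Address(t[0])), 0xFFFFFFFF ^ int(IPv4Address(t[1])))

def parse_ports(t):
    """Optional 'eq P' | 'range LO HI' -> (rest, (lo, hi)); absent means any port."""
    if t and t[0] in ("eq", "range"):
        hi_at = 1 if t[0] == "eq" else 2  # 'eq P' uses P as both bounds
        lo, hi = (int(PORTS.get(x, x)) for x in (t[1], t[hi_at]))
        return t[hi_at + 1:], (lo, hi)
    return t, (0, 65535)

def parse_acl(text):
    """Extended-ACL text -> list of [action, proto, src, sports, dst, dports]."""
    aces = []
    for line in text.splitlines():
        fields = line.split("!")[0].split()  # drop trailing '!' comments
        if fields:
            ace, rest = fields[:2], fields[2:]
            for parse in (parse_addr, parse_ports, parse_addr, parse_ports):
                rest, value = parse(rest)
                ace.append(value)
            aces.append(ace)
    return aces

def evaluate(aces, proto, src, sport, dst, dport):
    """First-match lookup -> (action, matched index or None, entries checked); implicit deny."""
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for i, (action, p, (sn, sm), (sl, sh), (dn, dm), (dl, dh)) in enumerate(aces):
        if (p in ("ip", proto) and (s & sm) == (sn & sm) and (d & dm) == (dn & dm)
                and sl <= sport <= sh and dl <= dport <= dh):
            return action, i, i + 1
    return "deny", None, len(aces)
```

For example, `evaluate(parse_acl(SAMPLE_ACL), "tcp", "203.0.113.77", 51000, "192.0.2.80", 443)` returns `("permit", 7, 8)`: ordinary transit traffic checks all eight entries before the final permit, while the peer's BGP session matches at entry 4.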


