[nsp] 6500 Native IOS ACLs
David Sinn
dsinn@microsoft.com
Wed, 13 Nov 2002 10:31:42 -0800
Since processing ACLs on the MSFC predicates that the MSFC also route
the packet, there isn't a way to break out one from the other.

Just to check the basics, you don't happen to have any "no ip
route-cache" or "no ip CEF" on the interfaces listed below? That would
mean that the PFC wouldn't get populated with routes for those
interfaces, and could get you where you are.

Barring that, you should check your CEF/PFC consistency:
router#sho mls cef sum
IP unicast routes: 3690
router#sho ip cef sum
3692 leaves, 617 nodes, 1277048 bytes, 133502 inserts, 129810 invalidations
I don't have an authoritative answer, but on every 6500 I've checked,
the delta between the two commands is under 10 based on the number of
OSRs and MSFCs you have in the chassis (I think the routes are the
"hidden" paths for PFC/MSFC/OSR communications out of the 127.0.0.0
address space). So a large delta there would be bad.
David
-----Original Message-----
From: Clinton Work [mailto:work@scripty.com]
Sent: Wednesday, November 13, 2002 10:06 AM
To: Cisco-NSP
Subject: Re: [nsp] 6500 Native IOS ACLs
None of the ACLs have log statements. As suggested by David, some of the
interfaces are showing lots of route cache switching. Is there any
way to determine what percentage of the MSFC2 CPU interrupt time is
spent processing ACLs or routing packets?

The router is taking a full BGP feed with 120,000 routes and it's
possible that the PFC2 resources could be exhausted and it's punting
some packet processing to the MSFC2. Is there a way to verify PFC2
overload?
router#show int stat
Interface Vlan1 is disabled
Vlan111
  Switching path        Pkts In    Chars In    Pkts Out   Chars Out
  Processor             4867037  1415878403     4798955  2732640617
  Route cache        3668823677  1074330783   117086380  4005823617
  Distributed cache           0           0   457424479  1876946560
  Total              3673690733  2490226633   579309828    25479049
Vlan112
  Switching path        Pkts In    Chars In    Pkts Out   Chars Out
  Processor             4949929  1421352004     4821062  2724319068
  Route cache        1699973459   754377857  1798272847  2095289959
  Distributed cache           0           0  1297230468  3020192762
  Total              1704923393  2175729969  3100324379  3544834581
GigabitEthernet1/1
  Switching path        Pkts In    Chars In    Pkts Out   Chars Out
  Processor            31994066   272721020     6215190   926542294
  Route cache         448401771  1027366728   482785841  3035744832
  Distributed cache  3980311035  3145911164   969352654  2306832280
  Total               165739576   151031616  1458353685  1974152110
GigabitEthernet3/3
  Switching path        Pkts In    Chars In    Pkts Out   Chars Out
  Processor               80926    21850020           0           0
  Route cache                 0           0           0           0
  Distributed cache  4129090186  3297662366           0           0
  Total              4129171112  3319512386           0           0
On Wed, Nov 13, 2002 at 05:48:27PM +0000, Marc Williams wrote:
> Worth checking if any of your acls are logging. That burns cpu bigtime.
>
> --
> marc
--
=========================================================================
Clinton Work clinton@scripty.com
Calgary, Alberta
_______________________________________________
cisco-nsp mailing list real_name)s@puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
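
Added example, not part of the original thread or of any Cisco tool: a Python parser for the "show int stat" text quoted above that reports, per interface, the share of inbound packets counted outside the "Distributed cache" row and checks whether the printed Total has wrapped. The function names and the treatment of Total as a 32-bit counter are assumptions of this example; the GigabitEthernet1/1 rows in the post add up to the printed Total only modulo 2^32, so the shares are computed from the rows rather than from Total.

```python
import re

# Rows copied from the "show int stat" output quoted in the thread.
SAMPLE = """\
Interface Vlan1 is disabled
Vlan111
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 4867037 1415878403 4798955 2732640617
Route cache 3668823677 1074330783 117086380 4005823617
Distributed cache 0 0 457424479 1876946560
Total 3673690733 2490226633 579309828 25479049
GigabitEthernet1/1
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 31994066 272721020 6215190 926542294
Route cache 448401771 1027366728 482785841 3035744832
Distributed cache 3980311035 3145911164 969352654 2306832280
Total 165739576 151031616 1458353685 1974152110
"""

ROW = re.compile(r"\s*(Processor|Route cache|Distributed cache|Total)((?:\s+\d+){4})\s*$")
SKIP = ("Switching path", "Interface ")  # header row and "is disabled" notices

def parse_int_stats(text):
    """Return {interface: {row: (pkts_in, chars_in, pkts_out, chars_out)}}."""
    stats, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            if current is not None:
                stats[current][m.group(1)] = tuple(map(int, m.group(2).split()))
        elif line.strip() and not line.strip().startswith(SKIP):
            current = line.strip()  # any other non-empty line names an interface
            stats[current] = {}
    return stats

def pkts_in_sum(rows):
    """Inbound packets summed over the per-path rows, ignoring the Total row."""
    return sum(v[0] for name, v in rows.items() if name != "Total")

def non_distributed_pct(rows):
    """Percent of inbound packets counted outside the 'Distributed cache' row."""
    total = pkts_in_sum(rows)
    return round(100.0 * (total - rows["Distributed cache"][0]) / total, 2) if total else 0.0

def total_wraps(rows):
    """How many multiples of 2**32 separate the row sum from the printed Total."""
    return (pkts_in_sum(rows) - rows["Total"][0] + 2**31) // 2**32

if __name__ == "__main__":
    for ifname, rows in parse_int_stats(SAMPLE).items():
        print(ifname, non_distributed_pct(rows), "% non-distributed in,",
              total_wraps(rows), "wrap(s) in Total")
```

The per-path rows may themselves have wrapped, so the percentages are only as good as the counters; clearing counters and sampling twice gives a cleaner ratio.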