[c-nsp] Cisco 3750 High CPU load due to ACL
Matt Gillies
mgillies at cisco.com
Tue Feb 8 18:55:53 EST 2005
In order to determine whether an ACL is being programmed into the TCAM
correctly, you can check the output of the following:
For VLANs, you can check the output of:
show plat acl int gx/x/x
and then specify the input label as value xxx in:
show plat acl label xxx
to determine whether the ACL got programmed correctly into the TCAM for
routed/vlan ports. If the ACL didn't get programmed correctly, it will
display
"Unloaded due to merge failure or lack of space"
If you are using port-based ACLs, I *think* you need to use the command
'show platform acl int gx/x/x portlabels'. It should display 'forwarded
by CPU' if I recall correctly.
Cheers,
Matt.
Clinton Work wrote:
>Are you looking at "show controllers cpu" to check packets being forwarded
>by the CPU? I have seen this problem several times when the ACLs exceed
>the 3550 TCAM limits. The "show tcam inacl <tcam> stat" command isn't useful
>in this case because if the ACL doesn't fit in the TCAM then the utilization
>of the TCAM could still be really low.
>
>
>
>Roger Wiklund wrote:
>
>
>>Hi,
>>
>>I have an extended access-list without logging. But I get 10k deny matches
>>per second and the CPU-load goes up to 80%. But when I check show access-list
>>hardware counters there is nothing forwarded to the CPU.
>>
>>
>>