[c-nsp] Cisco 3750 High CPU load due to ACL
Patrick Coppinger
pcoppinger at corp.earthlink.net
Tue Feb 8 22:19:36 EST 2005
Are you running 12.1? If so, try 12.2 instead. I saw the same behavior when running ACLs on 12.1 EMI code in our test lab. Upgrading to 12.2 corrected the high CPU issues using the same ACL configuration.
Patrick Coppinger
CCIE #14298
-----Original Message-----
From: Matt Gillies <mgillies at cisco.com>
Sent: Feb 8, 2005 6:55 PM
To: Clinton Work <clinton at scripty.com>
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco 3750 High CPU load due to ACL
In order to determine whether an ACL is being programmed into the TCAM
correctly, you can check the output of the following:
For VLANs, you can check the output of:
show plat acl int gx/x/x
and then specify the input label as value xxx in:
show plat acl label xxx
to determine whether the ACL got programmed correctly into the TCAM for
routed/vlan ports. If the ACL didn't get programmed correctly, it will
display
"Unloaded due to merge failure or lack of space"
If you are using port-based ACLs, I *think* you need to use the command
'show platform acl int gx/x/x portlabels'. It should display 'forwarded
by CPU' if I recall correctly.
Cheers,
Matt.
Clinton Work wrote:
>Are you looking at "show controllers cpu" to check packets being forwarded
>by the CPU? I have seen this problem several times when the ACLs exceed
>the 3550 TCAM limits. The "show tcam inacl <tcam> stat" command isn't useful
>in this case because if the ACL doesn't fit in the TCAM then the utilization
>of the TCAM could still be really low.
>
>
>
>Roger Wiklund wrote:
>
>
>>Hi,
>>
>>I have an extended access-list without logging. But I get 10k deny matches
>>per second and the CPU-load goes up to 80%. But when I check show access-list
>>hardware counters there is nothing forwarded to the CPU.
>>
>>
>>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/