[c-nsp] High interrupt CPU load on Cat3750, caused by ACL?

Johannes Resch jr at xor.at
Mon Mar 27 08:43:11 EST 2006


hi there,

I've got a stack of 2x C3750G-24T running c3750-ipservicesk9-mz.122-25.SEE
giving me some trouble.

the device uses OSPF and BGP (~3k routes total) and has about 35 routed
SVIs (some of them with rate limiting).
all routed traffic is below 50 mbit/sec, plus about 70mbit of switched
traffic, less than 15kpps total. no QoS, PBR, L2-ACLs or other fancy
features.

however, "show proc cpu" shows a high level of interrupt CPU load:

CPU utilization for five seconds: 78%/72%; one minute: 79%; five minutes: 77%

thinking of possible reasons I first looked into ACLs.
"sh access-lists hardware counters" shows that the "L3 ACL INPUT
Statistics" "forwarded to CPU" counter increases about 300-500 packets per
second. is this already enough to cause 70% interrupt CPU traffic?

there are 3 ACLs set on SVIs (all set on outgoing traffic).
as far as I can interpret the output of "sh platform acl label" (see
below), the ACLs should have been loaded into TCAM - please correct me if
I'm wrong.

all 3 ACLs use the "established" keyword for filtering TCP connections,
could this be the reason?

also, I'm wondering why "L3 ACL INPUT statistics" shows cpu forwarded
packets, while the ACLs are only set for outgoing traffic..


IPv4/MAC ACL label
------------------

Input Op Select Index 255:
Output Op Select Index 0:
Input Features:
  Interfaces or VLANs:
  Priority: low
  Vlan Map: (none), 0 VMRs.
  Access Group: (none), 0 VMRs.
  Multicast Boundary: (none), 0 VMRs.
Output Features:
  Interfaces or VLANs:  Vl701
  Priority: normal
  Bridge Group Member: no
  Vlan Map: (none), 0 VMRs.
  Access Group: 114, 116 VMRs

IPv4/MAC ACL label
------------------

Input Op Select Index 255:
Output Op Select Index 0:
Input Features:
  Interfaces or VLANs:
  Priority: low
  Vlan Map: (none), 0 VMRs.
  Access Group: (none), 0 VMRs.
  Multicast Boundary: (none), 0 VMRs.
Output Features:
  Interfaces or VLANs:  Vl703
  Priority: normal
  Bridge Group Member: no
  Vlan Map: (none), 0 VMRs.
  Access Group: 115, 26 VMRs.



IPv4/MAC ACL label
------------------

Input Op Select Index 255:
Output Op Select Index 0:
Input Features:
  Interfaces or VLANs:
  Priority: low
  Vlan Map: (none), 0 VMRs.
  Access Group: (none), 0 VMRs.
  Multicast Boundary: (none), 0 VMRs.
Output Features:
  Interfaces or VLANs:  Vl704
  Priority: normal
  Bridge Group Member: no
  Vlan Map: (none), 0 VMRs.
  Access Group: 113, 39 VMRs.


any feedback is appreciated,

best regards,
-jr



