[c-nsp] 3750 high cpu from icmp

Adrian Chadd adrian at creative.net.au
Mon May 7 23:51:48 EDT 2007


Yes, some OSes ignore redirects by default and the Cisco keeps on CPU punting
traffic and sending 'em.

One thing I noticed with the Catalyst 4500 is that the ACLs don't get
"fully loaded" into TCAM if all SVIs (I didn't have L3 interfaces) have
the no ip redir; no ip unreach configured. The rules get loaded, but the
last rule is "punt to CPU" and thus it's not "fully loaded" according to
the sh platform commands.

The engineer said (the development engineer said to them that) the last
rule had to be "punt to CPU" for any traffic that didn't match any rules,
so it could be processed by the CPU in case ICMP replies were needed.
I couldn't see what kind of traffic would fall through - except maybe
in the cases where you weren't running a default route? - but
better safe than sorry.




Adrian


