[c-nsp] NPE G1, CEF and ACLs and high CPU

Rodney Dunn rodunn at cisco.com
Fri Sep 5 14:42:03 EDT 2008


On Fri, Sep 05, 2008 at 04:36:08PM +0200, Nic Tjirkalli wrote:
> howdy ho,
> 
> >But make sure you do:
> >
> >config t
> >int null 0
> >no ip unreachables
> >
> >The ACL drops are, last I checked, rate limit punts.
> this is interesting - there is a good article detailing cef and CPU
> punting at :-
> http://searchnetworkingchannel.techtarget.com/generic/0,295582,sid100_gci1261924,00.html
> 
> 
> 
> Reading that and this posting begs the question
> - if there is a large amount of ACL drops and these packets are punted to
> CPU and the CPU rate-limit for punted packets has been exceeded, then
> possibly packets that need to be CPU processed will be dropped in favour
> of ACL denied packets

That's not true. The packets are dropped under interrupt that match
the ACL deny other than punting some to generate the unreachable.
You will always deny them.

> - this seems a bit ridiculous.
> 
> Any way to get acl dropped packets not to be CPU punted or to use
> control-plane policing to discard them before they hit the CPU?
> 
> thanx
> 
> 
> >
> >If it's high CPU at IP Input really need 12.4(20)T and get
> >a sniffer trace in the punt path to see what traffic it really is.
> >
> >Rodney
> >
> >On Thu, Sep 04, 2008 at 03:46:23PM -0400, Stephen Kratzer wrote:
> >>On Thursday 04 September 2008 15:12:12 Mateusz Błaszczyk wrote:
> >>>2008/9/4 Stephen Kratzer :
> >>>>The 'log' keyword will cause matching packets to not be CEF switched.
> >>>
> >>>nope, log is not present.
> >>>
> >>>>Also, if
> >>>>you're denying a lot of traffic from a certain source, you might want to
> >>>>just bit-bucket it rather than sending ICMP responses.
> >>>
> >>>you mean - "no ip unreachables"?
> >>
> >>You could match the access list in a route map and set the outbound
> >>interface to Null0.
> >>_______________________________________________
> >>cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >>https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> 
> 
> ---------------------------------------------------------------------
> It's hard to be nostalgic when you can't remember anything good.
> 
> Nic Tjirkalli
> Verizon Business South Africa
> Network Strategy Team
> 
> Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail
> is strictly confidential and intended only for use by the addressee unless
> otherwise indicated.
> 
> Company Information: http://www.verizonbusiness.com/za/contact/legal/
> 
> This e-mail is strictly confidential and intended only for use by the
> addressee unless otherwise indicated.
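
The two suggestions made in this thread (match the access list in a route map and set the outbound interface to Null0, and `no ip unreachables` on Null0), put together as an IOS configuration sketch. This is an added example, not configuration posted by anyone in the thread; the ACL number, route-map name, source prefix (a documentation range) and ingress interface name are assumptions.

```ios
! Added example; all names, numbers and addresses are assumptions.
!
! Select the traffic to bit-bucket: everything from one noisy source prefix.
! No 'log' keyword: the thread notes that 'log' causes matching packets
! to not be CEF switched.
access-list 150 permit ip 192.0.2.0 0.0.0.255 any
!
! Match that access list in a route map and set the outbound
! interface to Null0, so matching packets are discarded.
route-map DROP-TO-NULL permit 10
 match ip address 150
 set interface Null0
!
! Do not send ICMP unreachables for packets discarded on Null0.
interface Null0
 no ip unreachables
!
! Apply the route map to traffic arriving on the ingress interface
! (assumed name).
interface GigabitEthernet0/1
 ip policy route-map DROP-TO-NULL
```

`show route-map DROP-TO-NULL` reports the policy routing match counters, which confirms whether the selected traffic is hitting the Null0 entry.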

