[c-nsp] NPE G1, CEF and ACLs and high CPU

Mateusz Błaszczyk blahu77 at gmail.com
Mon Sep 8 16:10:58 EDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rodney,

>> 1) process switching which means invoking ip_input for every packet
>
> That is if you have CEF disabled. Let's forget the "ip fastswitching"
> discussion because after 12.4(20)T it's gone. It's process or CEF only.

That was a recall. It wasn't my intention to go too deep into this.

> That means you have a lot of interrupt traffic transit the box and some
> is getting punted to process level after a lookup in the rx CEF routines
> or either further down the CEF switching vector due to a feature punt.
[...]
All right, my understanding of CEF mechanism was correct.
And you are saying the best way to actually check what these packets
are is to push 12.4(20)T on to the box and start sniffing?

>> Does it mean the NPE-G1 is not enough to process ~400Mbps/60kpps with
>> ACL like above?
>
> Depends on the exact ACL and other features configured.

Or by looking at the ACL you are able to pinpoint the "bad" ACL statements?

The acl (extended) looks like this (from memory-dump)

! deny rogue IPs (it is interesting how many catches are here)
deny ip 10.0.0.0 .... any
deny ip 192... any
deny ip host 0.0.0.0 any
etc....
! deny spoofing us...
deny ip  any
deny ip  any
! pings and traceroute
permit icmp any any
permit udp any any range 32xxx 34xxx
! transit providers
permit tcp host  host  eq bgp
permit tcp host  eq bgp host
! Internet eXchanges - bgp/msdp
permit tcp  host  eq bgp
permit tcp  eq bgp host
deny ip any
deny ip any
! some legacy stuff
permit ip any host
! deny access to infrastructure
deny ip any
...
deny ip any
permit ip any any

Also (maybe worth noting) we got CAR for ICMP packets enabled on the
port (on input).

> Probably normal. I'd suggest looking at the new ASR1000 that can do
> ACL's in hardware.

any significant advantage over entry-level 6500/7600?



- --
- -mat



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIxYbSIvBv0k5esR4RAgksAJ0XKkxBNTLzTQ0/MbG/pBYU5YdkFQCgpU4j
5aVcJsL7GI0+aWXUoXKAPlk=
=Bmcv
-----END PGP SIGNATURE-----

