[c-nsp] much too much filtered packets punted to CPU on 7604
Jan Sandmaier
sandmaier at schlund.net
Fri Oct 8 06:47:26 EDT 2010
Hi all,
monitoring the control plane traffic on my 7604 with 12.2(33)SRD3
through a SPAN session I see much too much in/outbound filtered traffic
punted to the CPU which I thought to be dropped in hardware. Actually I
see both counters from "sh access-list" and "sh tcam interface.."
increasing at nearly the same rate (see below).
I use 2 extended ACLs applied to an interface for filtering
inbound/outbound traffic. There is plenty of TCAM space, I don't use log
statements, "no ip unreachables" is configured on each interface.....
What am I missing?
7604#sh access-lists 188
Extended IP access list 188
....
90 deny ip 10.0.0.0 0.255.255.255 any (14728750 matches)
....
7604#sh tcam interface TenGigabitEthernet 2/4 acl in ip
Entries from Bank 1
....
deny ospf any any (56 matches)
deny any any (5108 matches)
deny ip 240.0.0.0 15.255.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 0.0.0.0 0.255.255.255 any (8136 matches)
deny ip 127.0.0.0 0.255.255.255 any (68 matches)
deny ip 10.0.0.0 0.255.255.255 any (15028456 matches)
....
interface TenGigabitEthernet2/4
.....
ip access-group 188 in
ip access-group 189 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip ospf cost 10
logging event link-status
load-interval 30
.....
ipv6 traffic-filter TRANSIT-PEER-V6-IN in
ipv6 nd ra suppress
no ipv6 redirects
mls netflow sampling
no cdp enable
hold-queue 1000 in
mls rate-limit unicast ip rpf-failure 0
mls rate-limit unicast ip icmp redirect 0
mls rate-limit unicast ip icmp unreachable no-route 1000 10
mls rate-limit unicast ip icmp unreachable acl-drop 1000 10
mls rate-limit unicast ip errors 1000 10
mls rate-limit all ttl-failure 1000 10
mls rate-limit all mtu-failure 1000 10
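The observation in the post is that the "sh access-lists" counter and the "sh tcam interface ... acl in ip" counter for the same deny entry grow at nearly the same rate. The script below is an added example (not from the original post or from Cisco) that turns that eyeball comparison into a check: it parses two snapshots of each command, computes per-entry packet rates, and flags entries whose access-list counter keeps pace with the TCAM counter. It assumes, as the poster does, that the access-list counter reflects packets handled in the software path while the TCAM counter reflects hardware matches; the sample outputs are constructed and the ratio threshold is an arbitrary choice.

```python
import re
from dataclasses import dataclass

# One ACE line as printed by "show access-lists" (with sequence number) or
# "show tcam interface ... acl in ip" (without). The "(N matches)" suffix is
# optional because entries with no hits print none.
LINE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(?P<rule>(?:permit|deny)\b.*?)\s*(?:\((?P<n>\d+) matches\))?\s*$"
)


def parse_counters(text: str) -> dict[str, int]:
    """Map each normalised ACE text to its match counter (0 if none shown)."""
    counters: dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings such as "Extended IP access list 188"
        rule = " ".join(m.group("rule").split())
        counters[rule] = int(m.group("n") or 0)
    return counters


def rates(before: dict[str, int], after: dict[str, int], seconds: float) -> dict[str, float]:
    """Packets per second per ACE between two snapshots taken `seconds` apart."""
    return {rule: (after[rule] - before.get(rule, 0)) / seconds for rule in after}


@dataclass
class Finding:
    rule: str
    hw_pps: float   # TCAM (hardware) match rate
    sw_pps: float   # access-list (assumed software-path) match rate

    @property
    def ratio(self) -> float:
        return self.sw_pps / self.hw_pps


def find_punted(acl_t0: str, acl_t1: str, tcam_t0: str, tcam_t1: str,
                seconds: float, threshold: float = 0.5) -> list[Finding]:
    """Flag ACEs whose software-path rate is at least `threshold` of the hardware rate."""
    sw = rates(parse_counters(acl_t0), parse_counters(acl_t1), seconds)
    hw = rates(parse_counters(tcam_t0), parse_counters(tcam_t1), seconds)
    findings = [
        Finding(rule, hw[rule], sw[rule])
        for rule in hw
        if rule in sw and hw[rule] > 0 and sw[rule] / hw[rule] >= threshold
    ]
    return sorted(findings, key=lambda f: f.sw_pps, reverse=True)


# Constructed sample snapshots, 30 seconds apart (not output from the poster's box).
ACL_T0 = """Extended IP access list 188
    10 permit tcp any host 192.0.2.10 eq 179
    90 deny ip 10.0.0.0 0.255.255.255 any (14728750 matches)
    100 deny ip 127.0.0.0 0.255.255.255 any (68 matches)
"""
ACL_T1 = """Extended IP access list 188
    10 permit tcp any host 192.0.2.10 eq 179
    90 deny ip 10.0.0.0 0.255.255.255 any (14758750 matches)
    100 deny ip 127.0.0.0 0.255.255.255 any (68 matches)
"""
TCAM_T0 = """Entries from Bank 1
    deny ospf any any (56 matches)
    deny ip 127.0.0.0 0.255.255.255 any (68 matches)
    deny ip 10.0.0.0 0.255.255.255 any (15028456 matches)
    permit tcp any host 192.0.2.10 eq 179 (1200 matches)
"""
TCAM_T1 = """Entries from Bank 1
    deny ospf any any (56 matches)
    deny ip 127.0.0.0 0.255.255.255 any (368 matches)
    deny ip 10.0.0.0 0.255.255.255 any (15058456 matches)
    permit tcp any host 192.0.2.10 eq 179 (31200 matches)
"""

if __name__ == "__main__":
    for f in find_punted(ACL_T0, ACL_T1, TCAM_T0, TCAM_T1, seconds=30):
        print(f"{f.rule}: hw {f.hw_pps:.0f} pps, sw {f.sw_pps:.0f} pps, ratio {f.ratio:.2f}")
```

On the constructed data only the 10/8 deny is flagged: both counters advance by 30000 packets in 30 seconds, which is the symptom the post describes. The 127/8 deny advances only in the TCAM and is therefore hardware-only, and the permit entry has no access-list counter at all. Feeding the script real snapshots (collected with whatever transport you already use for "show" commands) gives a per-ACE view of which denies are costing CPU cycles, which is the input you need before deciding whether the acl-drop rate-limiter shown in the interface configuration is the right lever.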