[c-nsp] 7600 SUP720-3B PBR

Aaron aaron1 at gvtc.com
Tue Sep 18 14:45:34 EDT 2012


Also, there was an issue that I had last year when pbr'ing http traffic
towards a web cache at my boundary (pbr w/tracking on the ip next hop
towards web cache server), that when the web cache went down I had a
persistent cpu high utilization issue on my 7609's (which adversely affected
performance on that 7609).....  the cisco tac told me it was expected in the
version of ios I was running and that I should upgrade if I wanted to
continue with my pbr config as it was....  tac mentioned CSCsk91330 which is
integrated in IOS versions 12.2(33)SRD3 and above

I was running 12.2(33)SRC2 at the time and have rsp 720's... RSP720-3CXL-GE
(dual)   (not sure if this is similar to the cpu you are asking about)

Tac said...

*******************************************************************
Thanks for your patience so far. I went and researched on several cases and
found out that this is an expected behaviour and comes from the way the 7600
has been designed. I cannot provide you with all the technical internal
details, but I can send you this excerpt which should explain things

The forwarding code has a main purpose to find an adjacency for the packet
and this may be done by two ways (an exclusive OR should be understood
here!):

- the straight forwarding path;
- PBR.

As the exclusive OR is considered, looping back between the two possible
paths is out of question. So, if we fail to find an adjacency on PBR, the
packets MUST be punted to process level in an attempt to get it forwarded,
as straight forwarding path has been denied (because the pbr is configured)
the packet cannot be given to it  just because PBR has failed to point out
an adjacency.

The above means that if PBR is configured, the CEF path is bypassed entirely
and even if the PBR is down, CEF will not be used

There are 2 workarounds for this scenario now

1. Tweak your route-map like this

ip access-list extended defaultroute
permit ip any any

route-map to-internet-dstport-80 permit 10
match ip address to-internet-dstport-80
set ip next-hop verify-availability 1.2.3.4 10 track 11    <----------- this was path towards web cache

route-map to-internet-dstport-80 permit 20
match ip address defaultroute
set ip next-hop 2.4.6.8    <----------- this was att next hop towards internet

This will at least take care of the traffic to the internet and halve your
CPU utilization. For obvious reasons we cannot do the same for the incoming
route-map as we would need to add route-map statements for each and every
vlan the route-map is configured for, which is not practical.

2. A behaviour change was raised in bug CSCsk91330, which is
integrated in IOS versions 12.2(33)SRD3 and above. Upgrading the IOS above
this version would fix the issue with your current configuration.
You can use this IOS version:
c7600rsp72043-advipservicesk9-mz.122-33.SRD6.bin
Please let me know which way you want to choose. I will publish this IOS
image for you in case you decide to upgrade the IOS.

*******************************************************************


Aaron



-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of harbor235
Sent: Tuesday, September 18, 2012 11:57 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 7600 SUP720-3B PBR

My google fu has not turned up anything definitive on the 7600 PBR
performance, is it done in hardware or is it done in software? With or
without DFCs. Can anyone provide any insight into sup720 PBR performance?

My feeling is if we enable PBR it may negatively impact the box, assume PBR
related bandwidth to exceed 100M


thanks in advance,


Mike
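
Added example, not part of the thread and not Cisco code: a Python lint that scans IOS configuration text for route-maps of the shape TAC's workaround 1 changes, that is, a permit entry with a tracked `verify-availability` next hop and no later permit entry setting a plain next hop. The route-map names `edge-a` and `edge-b` and the addresses in the sample are constructed.

```python
import re

# Constructed sample config: "edge-a" has only the tracked next hop,
# "edge-b" follows the workaround shape quoted in the mail above.
SAMPLE = """\
route-map edge-a permit 10
 match ip address to-internet-dstport-80
 set ip next-hop verify-availability 192.0.2.10 10 track 11
!
route-map edge-b permit 10
 match ip address to-internet-dstport-80
 set ip next-hop verify-availability 192.0.2.10 10 track 11
route-map edge-b permit 20
 match ip address defaultroute
 set ip next-hop 198.51.100.1
"""

ENTRY = re.compile(r"^route-map\s+(\S+)\s+(permit|deny)\s+(\d+)\s*$")
TRACKED = re.compile(r"^set ip next-hop verify-availability\s+(\S+)\s+\d+\s+track\s+(\d+)")
STATIC = re.compile(r"^set ip next-hop\s+(\d+\.\d+\.\d+\.\d+)")

def parse_route_maps(config):
    """Return {name: [(seq, action, [match/set lines])]} ordered by sequence."""
    maps, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            current = (int(m.group(3)), m.group(2), [])
            maps.setdefault(m.group(1), []).append(current)
        elif current is not None and line.startswith(("match ", "set ")):
            current[2].append(line)
        elif not raw.startswith(" "):
            current = None  # any other top-level line ends the entry
    return {n: sorted(e, key=lambda x: x[0]) for n, e in maps.items()}

def missing_fallback(config):
    """(name, seq) of tracked-next-hop entries with no later static-next-hop entry."""
    flagged = []
    for name, entries in parse_route_maps(config).items():
        for i, (seq, action, lines) in enumerate(entries):
            if action != "permit" or not any(TRACKED.match(l) for l in lines):
                continue
            later = entries[i + 1:]
            if not any(a == "permit" and any(STATIC.match(l) for l in ls)
                       for _, a, ls in later):
                flagged.append((name, seq))
    return flagged
```

The check only looks at route-map structure; it does not confirm that the fallback entry's ACL matches all remaining traffic, as the `defaultroute` ACL in the mail does.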