ACL issue on Catalyst 6509 with SUP1A-2GE

Discussion in 'Cisco' started by Martin Turba, Mar 13, 2005.

  1. Martin Turba (Guest)

    Hi there,

    I am experiencing strange behavior on our core L3 switch, which is running
    IOS release 12.1(13)E4. I configured a reflexive access-list consisting
    of no more than 10-15 lines and bound this access-list to an SVI.

    As soon as this access-list is active on that interface, the entire
    inter-VLAN traffic is process-switched and the CPU utilization rises to
    80-90%.

    This is the only access-list on this switch, so the problem does not seem
    to be related to exhaustion of the TCAM:



    ---------- *snip* ----------
    core-switch#show fm summary
    Current global ACL merge algorithm: ODM
    ODM optimizations enabled
    Interface: Vlan317 is up
    ACL merge algorithm used:
    inbound direction: ODM
    outbound direction: ODM
    TCAM screening for features is ACTIVE outbound
    TCAM screening for features is ACTIVE inbound

    core-switch#
    ---------- *snap* ----------


    ---------- *snip* ----------
    core-switch#show tcam counts
                Used   Free   Percent Used   Reserved
                ----   ----   ------------   --------
     Labels:       4    508              0

    ACL_TCAM
     Masks:       10   2038              0          0
     Entries:     35  16349              0          0

     LOU:          0     64              0
     ANDOR:        1      7             12
     ORAND:        0      8              0

    core-switch#
    ---------- *snap* ----------


    ---------- *snip* ----------
    core-switch#show int vlan317 stats
    Vlan317
              Switching path    Pkts In    Chars In    Pkts Out   Chars Out
                   Processor  471958343  1075914751   498524032  1275978473
                 Route cache     115707    30359487       60398     5746536
           Distributed cache          0           0           0           0
                       Total  472074050  1106274238   498584430  1281725009
    core-switch#
    ---------- *snap* ----------



    Any further ideas?

    Thanks in advance,
    Martin
    Martin Turba, Mar 13, 2005
    #1
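As an added example (not part of the thread), a small Python script that parses the two show outputs quoted in the post and reproduces the poster's diagnosis: the ACL TCAM is almost empty, yet nearly every packet on Vlan317 is taking the processor path. The sample text is copied from the post above so the script runs offline; the thresholds in `diagnose()` are assumptions chosen for this example, not Cisco guidance.

```python
import re
from typing import Dict, List, Tuple

# Output copied from the thread above (Vlan317 on the poster's Sup1A/PFC1 switch),
# embedded here so the script runs without a device.
SHOW_INT_STATS = """\
Vlan317
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 471958343 1075914751 498524032 1275978473
Route cache 115707 30359487 60398 5746536
Distributed cache 0 0 0 0
Total 472074050 1106274238 498584430 1281725009
"""

SHOW_TCAM_COUNTS = """\
Used Free Percent Used Reserved
---- ---- ------------ --------
Labels: 4 508 0

ACL_TCAM
Masks: 10 2038 0 0
Entries: 35 16349 0 0

LOU: 0 64 0
ANDOR: 1 7 12
ORAND: 0 8 0
"""

PathStats = Tuple[int, int, int, int]  # pkts in, chars in, pkts out, chars out


def parse_switching_paths(text: str) -> Dict[str, PathStats]:
    """Map each switching path of 'show interface ... stats' to its four counters."""
    paths: Dict[str, PathStats] = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z ]*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            paths[m.group(1)] = tuple(int(v) for v in m.groups()[1:])  # type: ignore[assignment]
    return paths


def process_switched_ratio(paths: Dict[str, PathStats]) -> float:
    """Share of all packets (in + out) that were punted to the CPU ('Processor' row)."""
    proc, total = paths["Processor"], paths["Total"]
    pkts_proc = proc[0] + proc[2]
    pkts_total = total[0] + total[2]
    return pkts_proc / pkts_total if pkts_total else 0.0


def paths_sum_to_total(paths: Dict[str, PathStats]) -> bool:
    """Sanity check on the parse: the per-path rows must add up to the Total row."""
    parts = [p for name, p in paths.items() if name != "Total"]
    return all(sum(p[i] for p in parts) == paths["Total"][i] for i in range(4))


def parse_tcam_counts(text: str) -> Dict[str, Tuple[int, int]]:
    """Map each 'show tcam counts' resource to (used, free)."""
    counts: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s+(\d+)\s+(\d+)", line)
        if m:
            counts[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counts


def tcam_utilisation(counts: Dict[str, Tuple[int, int]]) -> Dict[str, float]:
    """Fraction of each TCAM resource in use."""
    return {name: used / (used + free) for name, (used, free) in counts.items() if used + free}


def diagnose(int_stats: str, tcam_counts: str,
             cpu_path_threshold: float = 0.5, tcam_threshold: float = 0.9) -> List[str]:
    """Classify the symptom. Thresholds are assumptions made for this example."""
    findings: List[str] = []
    util = tcam_utilisation(parse_tcam_counts(tcam_counts))
    if any(u >= tcam_threshold for u in util.values()):
        findings.append("tcam_near_full")       # ACL would not fit in hardware
    ratio = process_switched_ratio(parse_switching_paths(int_stats))
    if ratio >= cpu_path_threshold:
        findings.append("software_switched")    # traffic is punted despite TCAM headroom
    return findings


if __name__ == "__main__":
    paths = parse_switching_paths(SHOW_INT_STATS)
    print("process-switched share: %.4f" % process_switched_ratio(paths))
    for name, u in tcam_utilisation(parse_tcam_counts(SHOW_TCAM_COUNTS)).items():
        print("%-8s %.1f%% used" % (name, 100 * u))
    print("findings:", diagnose(SHOW_INT_STATS, SHOW_TCAM_COUNTS))
```

Run against the quoted output, the script reports that about 99.98% of Vlan317's packets went through the processor path while no TCAM resource is above 13% used, so the finding is `software_switched` rather than TCAM exhaustion, which is exactly the distinction the poster draws.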

  2. Merv (Guest)

    do a bug search on Cisco's CCO site
    Merv, Mar 13, 2005
    #2

  3. Martin Turba (Guest)

    Merv wrote:
    > do a bug search on Cisco's CCO site


    Thanks Merv,
    but I already searched for bugs on CCO and couldn't find any listed.
    Martin Turba, Mar 14, 2005
    #3
  4. Guest

    Guest, Mar 14, 2005
    #4
  5. Martin Turba (Guest)

    Guest wrote:
    > My guess would be that your particular ACL configuration
    > is not supported on your hardware

    Thanks for your reply. My first guess was also that our hardware
    does not support this ACL in hardware, but if I understand this
    document correctly, it should be well supported.

    > Please post details of hardware, eg. msfc, pfc,
    > and ACL config.


    We are running 2 Supervisor-Engines (WS-X6K-SUP1A-2GE) with Policy
    Feature Card (WS-F6K-PFC 1.0) and MSFC daughterboard (WS-F6K-MSFC 1.2).
    Our ACL looks like this:


    ---------- *snip* ----------
    core-switch# show access-list
    Extended IP access list acl_in
    evaluate back-acl_out
    Extended IP access list acl_out
    permit ip host <outside-ip1> any
    permit ip host <outside-ip2> any
    permit udp host <outside-ip3> eq domain any
    permit udp host <outside-ip3> eq ntp any
    permit tcp any eq www any
    permit ip host <inside-ip1> any reflect back-acl_out
    permit ip host <inside-ip2> any reflect back-acl_out
    permit ip host <inside-ip3> any reflect back-acl_out
    permit ip host <inside-ip4> any reflect back-acl_out
    permit ip host <inside-ip5> any reflect back-acl_out
    Reflexive IP access list back-acl_out
    core-switch#
    ---------- *snap* ----------


    This is the configuration of the SVI:


    ---------- *snip* ----------
    interface Vlan317
    ip address a.b.c.d 255.255.255.0
    ip access-group acl_in in
    ip access-group acl_out out
    no ip redirects
    no ip unreachables
    end
    ---------- *snap* ----------
    Martin Turba, Mar 14, 2005
    #5
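As an added example, not from the thread and not a Cisco tool, a small Python model of what the `reflect`/`evaluate` pair in the ACLs above does: a flow permitted by a `reflect` entry in acl_out creates a mirrored temporary entry (addresses and ports swapped) in back-acl_out, and `evaluate back-acl_out` in acl_in splices those entries in at that point, so return traffic is permitted while a new inbound connection falls through to the implicit deny. Entries lapse after an idle timeout (300 s, the IOS default, assumed here). The 198.51.100.x and 203.0.113.x addresses are made-up stand-ins for the `<inside-ip>`/`<outside-ip>` placeholders; TCP FIN/RST teardown, and the hardware-versus-software switching question the thread is about, are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical addresses standing in for the thread's <inside-ip>/<outside-ip>
# placeholders (RFC 5737 documentation ranges, not the poster's real hosts).
OUTSIDE = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]
INSIDE = ["198.51.100.%d" % i for i in range(11, 16)]


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0        # 0 = not applicable (non-TCP/UDP)
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str                       # "permit" or "deny"
    proto: str = "ip"                 # "ip" matches every IP protocol
    src: str = "any"
    dst: str = "any"
    sport: Optional[int] = None       # None = any port
    dport: Optional[int] = None
    reflect: Optional[str] = None     # 'reflect NAME': mirror matching flows into NAME
    evaluate: Optional[str] = None    # 'evaluate NAME': splice NAME's live entries in here


def matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst)
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))


class ReflexiveState:
    """Temporary entries created by 'reflect', per list name, with an idle timeout."""

    def __init__(self, timeout: int = 300):   # 300 s is the IOS default (assumed here)
        self.timeout = timeout
        self.entries: Dict[str, Dict[Ace, int]] = {}   # name -> {mirror ace: expires_at}

    def reflect(self, name: str, pkt: Packet, now: int) -> None:
        ports = pkt.proto in ("tcp", "udp")
        mirror = Ace("permit", pkt.proto, src=pkt.dst, dst=pkt.src,
                     sport=pkt.dport if ports else None,
                     dport=pkt.sport if ports else None)
        self.entries.setdefault(name, {})[mirror] = now + self.timeout

    def match(self, name: str, pkt: Packet, now: int) -> bool:
        table = self.entries.get(name, {})
        for ace in list(table):
            if table[ace] <= now:
                del table[ace]                 # idle timeout expired: entry removed
                continue
            if matches(ace, pkt):
                table[ace] = now + self.timeout   # matching traffic refreshes the timer
                return True
        return False


def evaluate_acl(acl: List[Ace], pkt: Packet, state: ReflexiveState, now: int) -> str:
    for ace in acl:
        if ace.evaluate is not None:
            if state.match(ace.evaluate, pkt, now):
                return "permit"
            continue                           # no live mirror entry: keep walking the ACL
        if matches(ace, pkt):
            if ace.action == "permit" and ace.reflect is not None:
                state.reflect(ace.reflect, pkt, now)
            return ace.action
    return "deny"                              # every IOS ACL ends with an implicit deny


# The two lists from the post, placeholders replaced by the addresses above.
ACL_OUT = [
    Ace("permit", "ip", src=OUTSIDE[0]),
    Ace("permit", "ip", src=OUTSIDE[1]),
    Ace("permit", "udp", src=OUTSIDE[2], sport=53),    # eq domain
    Ace("permit", "udp", src=OUTSIDE[2], sport=123),   # eq ntp
    Ace("permit", "tcp", sport=80),                    # permit tcp any eq www any
] + [Ace("permit", "ip", src=ip, reflect="back-acl_out") for ip in INSIDE]

ACL_IN = [Ace("permit", evaluate="back-acl_out")]     # 'evaluate back-acl_out'


def run_scenario() -> List[str]:
    """One SSH session from <inside-ip1>; times are seconds, made up for the example."""
    state = ReflexiveState(timeout=300)
    peer = "203.0.113.50"                               # hypothetical far-end host
    out_pkt = Packet("tcp", INSIDE[0], peer, 40000, 22)
    ret_pkt = Packet("tcp", peer, INSIDE[0], 22, 40000)
    new_in = Packet("tcp", peer, INSIDE[0], 5555, 22)   # unsolicited inbound connection
    return [
        evaluate_acl(ACL_OUT, out_pkt, state, now=0),    # permit, and reflect the flow
        evaluate_acl(ACL_IN, ret_pkt, state, now=10),    # permit via the mirrored entry
        evaluate_acl(ACL_IN, new_in, state, now=10),     # deny: no entry, implicit deny
        evaluate_acl(ACL_IN, ret_pkt, state, now=305),   # permit: timer was refreshed at t=10
        evaluate_acl(ACL_IN, ret_pkt, state, now=700),   # deny: entry timed out
    ]


if __name__ == "__main__":
    print(run_scenario())
```

The model makes one point of the configuration visible: because acl_in contains nothing but the `evaluate` line, the only inbound traffic that ever passes is the mirror of flows the listed inside hosts opened themselves, and those entries disappear once the flow goes idle.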
