ACL issue on Catalyst 6509 with SUP1A-2GE

Hi there,

I am experiencing strange behavior on our Core L3 Switch that is running IOS release 12.1(13)E4. I configured a reflexive access-list consisting of no more than 10-15 lines and bound this access-list to an SVI.

As soon as this access-list is active on that interface, the entire InterVLAN traffic is process-switched and the CPU utilization rises to 80-90%.

This is the only access-list on this switch, so the problem does not seem to be related to exhaustion of the TCAM:

---------- *snip* ----------
core-switch#show fm summary
Current global ACL merge algorithm: ODM
ODM optimizations enabled
Interface: Vlan317 is up
  ACL merge algorithm used:
    inbound direction:  ODM
    outbound direction: ODM
  TCAM screening for features is ACTIVE outbound
  TCAM screening for features is ACTIVE inbound

core-switch#
---------- *snap* ----------

---------- *snip* ----------
core-switch#show tcam counts
           Used        Free        Percent Used  Reserved
           ----        ----        ------------  --------
 Labels:      4         508                 0

ACL_TCAM
  Masks:     10        2038                 0         0
Entries:     35       16349                 0         0

    LOU:      0          64                 0
  ANDOR:      1           7                12
  ORAND:      0           8                 0

core-switch#
---------- *snap* ----------

---------- *snip* ----------
core-switch#show int vlan317 stats
Vlan317
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor  471958343 1075914751  498524032 1275978473
             Route cache     115707   30359487      60398    5746536
       Distributed cache          0          0          0          0
                   Total  472074050 1106274238  498584430 1281725009
core-switch#
---------- *snap* ----------

Any further ideas?

Thanks in advance, Martin

Reply to
Martin Turba
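To put a number on what the `show int vlan317 stats` output above shows, here is an added Python helper (not part of the thread) that parses that switching-path table and flags any interface whose Processor path carries more than a threshold share of packets. The sample input is the thread's own output re-typed as a string, and the 5% default threshold is an assumed value.

```python
import re

# Constructed sample input: the "show int vlan317 stats" output quoted in the
# thread above, re-typed verbatim.
SAMPLE_STATS = """\
core-switch#show int vlan317 stats
Vlan317
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor  471958343 1075914751  498524032 1275978473
             Route cache     115707   30359487      60398    5746536
       Distributed cache          0          0          0          0
                   Total  472074050 1106274238  498584430 1281725009
core-switch#
"""

# One row of the table: path name followed by four integer counters.
ROW_RE = re.compile(
    r"^\s*(Processor|Route cache|Distributed cache|Total)"
    r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_interface_stats(text):
    """Return {interface: {path: (pkts_in, chars_in, pkts_out, chars_out)}}."""
    stats, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        m = ROW_RE.match(line)
        if m:
            if current is None:
                raise ValueError("switching-path row before any interface name")
            stats[current][m.group(1)] = tuple(int(x) for x in m.groups()[1:])
        elif stripped and "#" not in stripped and not stripped.startswith("Switching path"):
            current = stripped          # an interface name line such as "Vlan317"
            stats.setdefault(current, {})
    return stats


def processor_share(paths):
    """Fraction of inbound and outbound packets that took the process-switched path."""
    proc, total = paths["Processor"], paths["Total"]
    share_in = proc[0] / total[0] if total[0] else 0.0
    share_out = proc[2] / total[2] if total[2] else 0.0
    return share_in, share_out


def flag_software_switched(text, threshold=0.05):
    """Names of interfaces whose Processor path exceeds `threshold` (assumed 5%)."""
    flagged = []
    for name, paths in parse_interface_stats(text).items():
        if "Processor" not in paths or "Total" not in paths:
            continue                    # incomplete table, nothing to judge
        if max(processor_share(paths)) > threshold:
            flagged.append(name)
    return flagged
```

On the thread's numbers this reports Vlan317, since more than 99.9% of packets in both directions went through the Processor path rather than the route cache.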

Do a bug search on Cisco's CCO site.

Reply to
Merv

Thanks Merv, but I already searched for bugs on CCO and couldn't find any listed.

Reply to
Martin Turba

My guess would be that your particular ACL configuration is not supported on your hardware.

Understanding Cisco IOS ACL Support (applies to 12.2SX)

Please post details of hardware, e.g. MSFC, PFC, and the ACL config.

Reply to
anybody43

Thanks for your reply. My first guess was also that our hardware does not support this ACL in hardware, but as far as I understand this document, it should well be supported.

We are running 2 Supervisor Engines (WS-X6K-SUP1A-2GE) with Policy Feature Card (WS-F6K-PFC 1.0) and MSFC daughterboard (WS-F6K-MSFC 1.2). Our ACL looks like this:

---------- *snip* ----------
core-switch# show access-list
Extended IP access list acl_in
    evaluate back-acl_out
Extended IP access list acl_out
    permit ip host any
    permit ip host any
    permit udp host eq domain any
    permit udp host eq ntp any
    permit tcp any eq www any
    permit ip host any reflect back-acl_out
    permit ip host any reflect back-acl_out
    permit ip host any reflect back-acl_out
    permit ip host any reflect back-acl_out
    permit ip host any reflect back-acl_out
Reflexive IP access list back-acl_out
core-switch#
---------- *snap* ----------

This is the configuration of the SVI:

---------- *snip* ----------
interface Vlan317
 ip address a.b.c.d 255.255.255.0
 ip access-group acl_in in
 ip access-group acl_out out
 no ip redirects
 no ip unreachables
end
---------- *snap* ----------

Reply to
Martin Turba
