Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 62 Configuring Network Security with ACLs
Troubleshooting High CPU Due to ACLs
Packets that match entries in fully programmed ACLs are processed in hardware.
Note
Large ACL and IPSG configurations may exhaust TCAM masks on the Catalyst 4948E Ethernet Switch before the ACLs are fully programmed.
Packets that match entries in partially programmed ACLs are processed in software using the CPU. This
may cause high CPU utilization and packets to be dropped.
CPU spikes and connectivity loss may be observed when an ACL applied to a VLAN interface blocks HSRP management multicast traffic. In this scenario, both HSRP member devices may become Active, and the resulting high number of IPv6 Neighbor Discovery packets punted to the CPU may cause a spike. To avoid this, ensure that the active and the standby devices in HSRP can communicate. Additionally, do not configure the IPv6 HSRP multicast address in the ACL.
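The following is an added example, not part of the Cisco guide: a small first-match evaluator for IPv6 ACL entries written in Cisco IOS style, used as a pre-change check that a VLAN ACL does not block the HSRP control traffic the paragraph above warns about. It assumes (these values are not stated on the page) that HSRP for IPv6 sends hellos as UDP to the link-local multicast group FF02::66 on destination port 2029, and that an IOS IPv6 ACL ends with implicit permits for Neighbor Discovery solicitation and advertisement followed by an implicit deny, which an explicit `deny ipv6 any any` overrides. The ACL names and entries are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed HSRP-for-IPv6 control traffic parameters (not from the guide).
HSRP_V6_GROUP = ipaddress.IPv6Address("ff02::66")
HSRP_UDP_PORT = 2029


@dataclass(frozen=True)
class Packet:
    proto: str                       # "udp", "tcp", "icmp", ...
    dst: ipaddress.IPv6Address
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # e.g. "nd-ns", "nd-na"


# Constructed model of the implicit tail IOS appends to every IPv6 ACL
# (assumption, see lead-in): ND permits, then deny everything else.
IMPLICIT_TAIL = [
    "permit icmp any any nd-na",
    "permit icmp any any nd-ns",
    "deny ipv6 any any",
]


def _take_addr(tokens):
    """Consume one IOS address spec ('any', 'host X', or 'X/len'); return (matcher, rest)."""
    if tokens[0] == "any":
        return (lambda a: True), tokens[1:]
    if tokens[0] == "host":
        host = ipaddress.IPv6Address(tokens[1])
        return (lambda a: a == host), tokens[2:]
    net = ipaddress.IPv6Network(tokens[0], strict=False)
    return (lambda a: a in net), tokens[1:]


def parse_ace(line):
    """Parse one access-control entry into (action, predicate); None for non-ACE lines."""
    tokens = line.split()
    if not tokens or tokens[0] in ("ipv6", "remark", "!"):
        return None
    if tokens[0] == "sequence":        # optional 'sequence N' prefix
        tokens = tokens[2:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    _src_ok, rest = _take_addr(rest)   # source address is not needed for these checks
    dst_ok, rest = _take_addr(rest)
    port = None
    icmp_type = None
    if rest[:1] == ["eq"]:
        port = int(rest[1])
    elif proto == "icmp" and rest:
        icmp_type = rest[0]

    def matches(pkt):
        if proto != "ipv6" and proto != pkt.proto:
            return False
        if not dst_ok(pkt.dst):
            return False
        if port is not None and pkt.dport != port:
            return False
        if icmp_type is not None and pkt.icmp_type != icmp_type:
            return False
        return True

    return action, matches


def evaluate(acl_lines, pkt):
    """First-match evaluation over the explicit entries, then the implicit tail."""
    for line in list(acl_lines) + IMPLICIT_TAIL:
        parsed = parse_ace(line)
        if parsed and parsed[1](pkt):
            return parsed[0]
    return "deny"  # not reachable: the implicit tail always matches


# Constructed sample packets: an HSRP hello and the two ND message types.
HSRP_HELLO = Packet("udp", HSRP_V6_GROUP, dport=HSRP_UDP_PORT)
ND_SOLICIT = Packet("icmp", ipaddress.IPv6Address("ff02::1:ff00:1"), icmp_type="nd-ns")
ND_ADVERT = Packet("icmp", ipaddress.IPv6Address("fe80::1"), icmp_type="nd-na")


def check_hsrp_reachability(acl_lines):
    """Return {check: action} for HSRP hellos and ND through the given ACL."""
    return {
        "hsrp_hello": evaluate(acl_lines, HSRP_HELLO),
        "nd_ns": evaluate(acl_lines, ND_SOLICIT),
        "nd_na": evaluate(acl_lines, ND_ADVERT),
    }


# Constructed ACLs: the weak one drops HSRP and ND at the explicit deny.
WEAK_ACL = """\
ipv6 access-list VLAN10-IN
 permit tcp any any eq 443
 deny ipv6 any any
""".splitlines()

FIXED_ACL = """\
ipv6 access-list VLAN10-IN
 permit udp any host ff02::66 eq 2029
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit tcp any any eq 443
 deny ipv6 any any
""".splitlines()

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("fixed", FIXED_ACL)):
        print(name, check_hsrp_reachability(acl))
```

Running the block reports `deny` for all three checks on the weak ACL and `permit` on the corrected one; an ACL with no explicit deny still blocks the HSRP hello while the implicit tail lets ND through, which is why the HSRP entry has to be permitted explicitly before any broad deny.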
To determine whether packets are being dropped due to high CPU utilization, reference the following:
http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a00804cef15.shtml
If the ACL and/or IPSG configuration is partially programmed in hardware, upgrading to
Cisco IOS Release 12.2(31)SGA or later and resizing the TCAM regions may enable the ACLs to be
fully programmed.
Note
Removal of obsolete TCAM entries can take several CPU process review cycles to complete. This
process may cause some packets to be switched in software if the TCAM entry or mask utilization is at
or near 100 percent.
Selecting Mode of Capturing Control Packets
In some deployments, you might want to bridge control packets in hardware rather than globally capture
and forward them in software (at the expense of the CPU). The per-VLAN capture mode feature allows
a Catalyst 4500 Series Switch to capture control packets only on selected VLANs and bridge traffic in
hardware on all other VLANs.
When you use per-VLAN capture mode on your switch, it partially disables the global TCAM
capture entries internally and attaches feature-specific capture ACLs on those VLANs that are
enabled for snooping features. (All IP capture entries, and other non-IP entries are still captured
through global TCAM.)
Because this feature controls specific control packets, they are captured only on the VLANs on which
the internal ACLs are installed. On all other VLANs, the control traffic is bridged in hardware rather
than forwarded to CPU.
The per-VLAN capture mode allows you to apply user-defined ACLs and QoS policers (in hardware) on
control packets. You can also subject the aggregate control traffic ingressing the CPU to control plane
policing.
When you use per-VLAN capture mode, the following four protocol groups are selectable per-VLAN.
The breakdown of protocols intercepted by each group is as follows:
• IGMP Snooping—Cgmp, Ospf, Igmp, RipV2, Pim, 224.0.0.1, 224.0.0.2, 224.0.0.*
• DHCP Snooping—Client to Server, Server to Client, Server to Server