On Tue, Jan 26, 2010 at 3:15 PM, Sven 'Darkman' Michels <s...@darkman.de> wrote:
> Hi Pavel,
>
> Pavel Skovajsa wrote:
>> Hi Sven,
>>
>> I had not exactly the same but similar issues but with 7606 - see
>> http://www.mail-archive.com/cisco-nsp@puck.nether.net/msg26651.html. I
>> learned from TAC that the issue was with the fact that I used it in
>> combination with VRFs and the traffic got incorrectly punted into 7606
>> MSFC CPU where there are hardware rate limiters (show mls rate-limit).
>
> But since I don't use VRFs, this might be something similar?
>
> I checked the rate limit, but I'm not familiar with the output... maybe you
> can see something:
> #show mls rate-limit
>  Sharing Codes: S - static, D - dynamic
>  Codes dynamic sharing: H - owner (head) of the group, g - guest of the group
>
>    Rate Limiter Type       Status     Packets/s   Burst  Sharing
>  ---------------------   ----------   ---------   -----  -------
>          MCAST NON RPF   Off                  -       -     -
>         MCAST DFLT ADJ   On              100000     100  Not sharing
>       MCAST DIRECT CON   Off                  -       -     -
>         ACL BRIDGED IN   Off                  -       -     -
>        ACL BRIDGED OUT   Off                  -       -     -
>            IP FEATURES   Off                  -       -     -
>           ACL VACL LOG   On                2000       1  Not sharing
>            CEF RECEIVE   Off                  -       -     -
>              CEF GLEAN   Off                  -       -     -
>       MCAST PARTIAL SC   On              100000     100  Not sharing
>         IP RPF FAILURE   On                 100      10  Group:0 S
>            TTL FAILURE   Off                  -       -     -
>  ICMP UNREAC. NO-ROUTE   On                 100      10  Group:0 S
>  ICMP UNREAC. ACL-DROP   On                 100      10  Group:0 S
>          ICMP REDIRECT   Off                  -       -     -
>            MTU FAILURE   Off                  -       -     -
>        MCAST IP OPTION   Off                  -       -     -
>        UCAST IP OPTION   Off                  -       -     -
>            LAYER_2 PDU   Off                  -       -     -
>             LAYER_2 PT   Off                  -       -     -
>        LAYER_2 PORTSEC   Off                  -       -     -
>              IP ERRORS   On                 100      10  Group:0 S
>            CAPTURE PKT   Off                  -       -     -
>             MCAST IGMP   Off                  -       -     -
>  MCAST IPv6 DIRECT CON   Off                  -       -     -
>  MCAST IPv6 ROUTE CNTL   Off                  -       -     -
>  MCAST IPv6 *G M BRIDG   Off                  -       -     -
>   MCAST IPv6 SG BRIDGE   Off                  -       -     -
>   MCAST IPv6 DFLT DROP   Off                  -       -     -
>  MCAST IPv6 SECOND. DR   Off                  -       -     -
>   MCAST IPv6 *G BRIDGE   Off                  -       -     -
>         MCAST IPv6 MLD   Off                  -       -     -
>   IP ADMIS. ON L2 PORT   Off                  -       -     -
>

Actually the correct command is "show mls rate-limit usage".
The easiest way to find out whether this is something connected to CPU punt
is to configure "no mls rate-limit unicast ip icmp unreachable no-route",
however this may have some impact on a production device, if you have any
situation where traffic matches a no-route situation in hardware and gets
punted to the CPU and overwhelms it......

As another idea you can try to "localize" the issue to the 6509 only, simply
by taking a free port on the 6509 and testing a PVLAN end-user port on that one.

>
>> Anyway, try upgrading the 6509, I am sure some old SXD code has a number
>> of bugs around this.
>
> By upgrading you mean a newer software release, I hope? ;)

Exactly....

....also forgot to mention that for PVLANs to work you need to use golden
RJ45 connectors :) ... joking

-pavel

>
> Thanks again!
>
> Regards,
> Sven
> _______________________________________________
> cisco-nsp mailing list  cisco-...@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
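
Added example, not part of the original thread: a small Python parser for the "show mls rate-limit" table quoted above. It lists which hardware rate limiters are on, with their packets/s and burst values, and which of them report the same sharing group. The sample rows are a subset copied from the thread, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: a subset of the rows quoted in the thread.
SAMPLE = """\
   Rate Limiter Type       Status     Packets/s   Burst  Sharing
 ---------------------   ----------   ---------   -----  -------
         MCAST NON RPF   Off                  -       -     -
        MCAST DFLT ADJ   On              100000     100  Not sharing
          ACL VACL LOG   On                2000       1  Not sharing
           CEF RECEIVE   Off                  -       -     -
        IP RPF FAILURE   On                 100      10  Group:0 S
 ICMP UNREAC. NO-ROUTE   On                 100      10  Group:0 S
 ICMP UNREAC. ACL-DROP   On                 100      10  Group:0 S
             IP ERRORS   On                 100      10  Group:0 S
  IP ADMIS. ON L2 PORT   Off                  -       -     -
"""

# Limiter names contain spaces and dots, so anchor on the On/Off status token.
ROW = re.compile(
    r"^\s*(?P<name>.+?)\s+(?P<status>On|Off)\s+"
    r"(?P<pps>\d+|-)\s+(?P<burst>\d+|-)\s+(?P<sharing>.+?)\s*$"
)

def parse_rate_limiters(text):
    """Return one dict per limiter row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.lstrip("> "))  # tolerate e-mail quote markers
        if m:
            d = m.groupdict()
            d["enabled"] = d.pop("status") == "On"
            d["pps"] = int(d["pps"]) if d["pps"].isdigit() else None
            d["burst"] = int(d["burst"]) if d["burst"].isdigit() else None
            rows.append(d)
    return rows

def shared_groups(rows):
    """Map sharing-group id to the enabled limiters that report that group."""
    groups = defaultdict(list)
    for r in rows:
        m = re.match(r"Group:(\d+)", r["sharing"])
        if r["enabled"] and m:
            groups[int(m.group(1))].append(r["name"])
    return dict(groups)

if __name__ == "__main__":
    rows = parse_rate_limiters(SAMPLE)
    for r in (r for r in rows if r["enabled"]):
        print(f'{r["name"]:<24}{r["pps"]:>8} pps  burst {r["burst"]:>4}  {r["sharing"]}')
    print(shared_groups(rows))
```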