Priscilla Oppenheimer wrote: > Yes, that's true indeed that access lists don't cause process switching > anymore, so wouldn't show up in IP Input. > Two exceptions that I failed to mention are logging and the side effect of a deny. By default, a deny causes the generation of an ICMP admin. prohibited unreachable sent to the source of the blcoked packet. Since packets cannot be created in interrupt mode, process context is required. But these are rate limited to two/second by default as self protection. Plus normal traffic shouldn't result in very many denies. But you can inhibit this entirely by configuring "no ip unreachables" on an interface.
If the matching ACE has the "log" keyword, then process context is required to create the log message and perform normal logging. This too is rate-limited. > Thanks for everyone's advice. It sounds like Marty has the right approach. > Although access lists aren't process switched, they are generally fast > switched unless the router supports some other feature (like silicon > switching) or some fancy configuration like CEF or NetFlow? > > So, the thing to look for is a high utilization caused by interrupts (the > number after the slash). > > I can't safely turn them off and test, so I think I will try to simulate the > network and traffic in a lab to test my theory that they are an issue. > > It's a 2621 router with lots of entries in the access lists that are > applied. I think it's time to offload a lot of the policy represented by the > lists to a PIX firewall. > You can "tune" the lists by letting it run for a while and then noting the match counts (show access-list). Within each grouping of permit entries, you can reorder the statements to reduce the number of entries that must be compared to reach a match. If the ACL processing is as efficient as possible but is really impacting CPU utilization, then you could enable the turbo ACL feature (access-list compiled). Unfortunately, that's still only available on higher-end platforms, from 3700s on up. > Here's a good URL on troubleshooting high CPU util, by the way: > > http://www.cisco.com/warp/public/63/highcpu.html > > Thanks > > Priscilla > - Marty Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75095&t=75002 -------------------------------------------------- **Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
