From: Philip L. (no email)
Date: Mon Nov 17 2008 - 21:34:28 EST

Ross Vandegrift wrote:
> On Sat, Nov 15, 2008 at 04:35:28PM -0500, Philip L. wrote:
>> One thing to note is that our main ACL for ingress traffic is applied
>> here due to historical reasons. It's roughly 5000 single host entries
>> at present. We also use these devices for NDE.
> On a SUP7203BXL, if your ACL TCAM utilization is fine, this shouldn't
> impact performance unless you're logging too much. Since you've been
> over the CPU utilization doc, I'm guessing you know that.
> "show platform hardware capacity acl" will give you a breakdown on
> your ACL TCAM usage.
>> I'm probably missing some other key details, but what could influence
>> the SP like this? Any insight would be appreciated.
> Cisco says that Netflow-based features always handle the first packet
> of a flow in software, but I don't know if this is the RP or the SP.
> It would make sense if a first-flow packet that didn't need punting
> hit the SP and not the RP. In that case, your traffic level with
> netflow enabled could explain your high SP utilization.

It is a Sup720-3BXL. Based on the suggestions here, I went ahead and
did 'no ip flow ingress' on all the interfaces just to see, and sure
enough, the SP went down to about 10-15%. My colleague implemented
packet count-based NetFlow sampling to attempt to reduce the 100%
NetFlow TCAM usage, and it appears to be partially effective. It still
fills up frequently, so we'll have to do some more tweaking.

I appreciate all the replies, public and private.

-- Philip L.