Re: router CPU utilization on access lists? [7:75002] posted 09/09/2003

M.C. van den Bovenkamp wrote:
> Elijah Savage wrote:
> > I have actually been told by TAC before IP Input, for what it is worth :)
> Not much, anymore :-). It's been a *long* time (IOS 10.x?) since access
> lists were process switched, and thus would show up as extra time spent
> in 'IP Input'.

Yes, that's true indeed that access lists don't cause process switching
anymore, so wouldn't show up in IP Input.

Thanks for everyone's advice. It sounds like Marty has the right approach.
Although access lists aren't process switched, they are generally fast
switched unless the router supports some other feature (like silicon
switching) or some fancy configuration like CEF or NetFlow?

So, the thing to look for is a high utilization caused by interrupts (the
number after the slash).

I can't safely turn them off and test, so I think I will try to simulate the
network and traffic in a lab to test my theory that they are an issue.

It's a 2621 router with lots of entries in the access lists that are
applied. I think it's time to offload a lot of the policy represented by the
lists to a PIX firewall.

Here's a good URL on troubleshooting high CPU util, by the way:



> 		Regards,
> 			Marco.
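
The check discussed in this thread, as an added example that is not part of the original post: it parses the header of IOS `show processes cpu` output, where the first five-second figure is total CPU and the number after the slash is interrupt-level CPU, and reports whether the load is mostly interrupt-level (fast-switched traffic, including ACL evaluation) or process-level (such as `IP Input`). The sample output is constructed, and the function name and the 50% threshold are assumptions.

```python
import re

# Constructed sample of `show processes cpu` output (not taken from the thread).
SAMPLE = """\
CPU utilization for five seconds: 82%/71%; one minute: 78%; five minutes: 75%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1         384    121437          3  0.00%  0.00%  0.00%   0 Load Meter
  35     5291204   8837116        598  6.22%  5.10%  4.87%   0 IP Input
  52       18212    604331         30  0.16%  0.12%  0.10%   0 IP Background
"""

# Header: "<total>%/<interrupt>%" for the last five seconds.
HEADER = re.compile(r"CPU utilization for five seconds:\s*(\d+)%/(\d+)%")
# Process rows: PID, runtime, invoked, uSecs, 5Sec%, 1Min%, 5Min%, TTY, name.
PROC = re.compile(
    r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+[\d.]+%\s+[\d.]+%\s+\d+\s+(.+?)\s*$",
    re.M,
)

def cpu_breakdown(text, threshold=50):
    """Split five-second CPU into interrupt-level and process-level shares.

    threshold is an assumed cut-off (percent) below which load is not flagged.
    """
    m = HEADER.search(text)
    if not m:
        raise ValueError("no 'CPU utilization for five seconds' header found")
    total, interrupt = int(m.group(1)), int(m.group(2))
    if interrupt > total:
        raise ValueError("interrupt share cannot exceed total utilization")
    process = total - interrupt  # time spent in scheduled processes
    procs = {name: float(pct) for _pid, pct, name in PROC.findall(text)}
    if total < threshold:
        verdict = "normal"
    elif interrupt >= process:
        verdict = "interrupt"   # fast-switched traffic dominates
    else:
        verdict = "process"     # look at the per-process table instead
    return {
        "total": total,
        "interrupt": interrupt,
        "process": process,
        "ip_input": procs.get("IP Input", 0.0),
        "verdict": verdict,
    }

if __name__ == "__main__":
    print(cpu_breakdown(SAMPLE))
```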

