09-04-2010 07:46 PM
hi all
I have 3 questions
I've 2 wae-7371 with 2 cisco 6509 in DC
my interception is wccp and egress method is GGRE
Q1.
I use wccp redirect-list with 6509
like...
ip wccp 61 redirect-list wccp_in
ip wccp 62 redirect-list wccp_out
my access-list extend wccp_in like
deny tcp 1.1.1.0 0.0.0.255 any (needn't optimize)
.....
permit tcp any any
when I modify the wccp acl, like adding one new rule
1 deny tcp 2.2.2.0 0.0.0.255 any
then the 6509 cpu utilization will pick up to 100% about 1min
then down to normal
Q2
last day, I changed the wae-7371 egress method from IP Forwarding to GGRE
I find the optimization traffic in wae-7371 become less after egress method is GGRE
my GGRE config in 6509 is
interface Tunnel7371
ip address 192.168.248.254 255.255.255.0
no ip redirects
ip wccp redirect exclude in
load-interval 30
tunnel source Vlan248 (wae subnet)
tunnel mode gre multipoint
end
my question is change egress method from ip forwarding to GGRE
will it affect the optimization traffic?
Q3
in my tunnel7371 configuration
the tunnel source is set vlan248 now
that's my wae subnet
if I change this to loopback will affect anything?
my wae is adjacent to 6509
thanks
09-06-2010 04:26 PM
Hi Chiao,
Answers for you:
Q1.
I use wccp redirect-list with 6509
like...
ip wccp 61 redirect-list wccp_in
ip wccp 62 redirect-list wccp_out
my access-list extend wccp_in like
deny tcp 1.1.1.0 0.0.0.255 any (needn't optimize)
.....
permit tcp any any
when I modify the wccp acl, like adding one new rule
1 deny tcp 2.2.2.0 0.0.0.255 any
then the 6509 cpu utilization will pick up to 100% about 1min
then down to normal
Answer: As you are using 6509 with GRE, this is expected behaviour. It will spike to CPU processing power as it has to reprogram the TCAM table one more time after WCCP flap.
Q2
last day, I changed the wae-7371 egress method from IP Forwarding to GGRE
I find the optimization traffic in wae-7371 become less after egress method is GGRE
my GGRE config in 6509 is
interface Tunnel7371
ip address 192.168.248.254 255.255.255.0
no ip redirects
ip wccp redirect exclude in
load-interval 30
tunnel source Vlan248 (wae subnet)
tunnel mode gre multipoint
end
my question is change egress method from ip forwarding to GGRE
will it affect the optimization traffic?
Answer: Nope. The optimization should not be affected whether you use GGRE or GRE.
Q3
in my tunnel7371 configuration
the tunnel source is set vlan248 now
that's my wae subnet
if I change this to loopback will affect anything?
my wae is adjacent to 6509
Answer: Nope. It should not be a problem as far as the loopback can reach the cache engine and vice versa. But that really doesn't matter as the Router ID will be the highest IP configured on the router. Though, what I understand is that you only plan to change the router list IP address on WAE.
Hope this helps.
Regards.
PS: Please mark this as Answered, if this answers your question.
09-06-2010 06:38 PM
HI~ Bhavin Yadav
thanks for your response
In Q1
The GGRE method overcomes the cpu high with process in software process
it allows packets to be processed in hardware on platforms.
so, as GGRE are process in hardware, why cpu spike to 100% when I modify wccp redirect-list
In Q3
In cisco documents said, if wae are l2 adjacent to wccp server
the router-list should set wae subnet(vlan248)
so, now I configured my wae subnet vlan 248 as tunnel source
I just want to confirm this.
thanks
09-07-2010 12:18 PM
Hi Chia,
Whether you use GGRE or GRE, 6509 has to reprogram everything in the TCAM table which will spike the CPU momentarily. The GGRE will save the CPU cycle only when the redirection starts happening.
In Q3
In cisco documents said, if wae are l2 adjacent to wccp server the router-list should set wae subnet(vlan248). so, now I configured my wae subnet vlan 248 as tunnel source I just want to confirm this.
Yes, you should be good looking at the interface config, but I would suggest you contact your network designer and confirm this. From WCCP perspective, you are good.
Hope this answers your question.
Regards.
If this answers your question, please mark this as Answered.
09-07-2010 07:54 PM
Hi Bhavin Yadav
thanks for your response
last questions.
now, I know 6509 cpu high cause TCAM table reprogram when I modify acl policy
if I only use permit in my acl, no deny any more
will cpu spike 100% time become less ?
I know "deny" is process in software with switch-base platform
when acl policy process in software, the acl counter will increase, vice versa in hardware
in my acl,
only "deny" increase counter, "permit" with no counter.
so,
Q1
will cpu spike 100% time become less if I use permit only in acl
Q2
this "acl" include all acl in 6509 or only wccp redirect-list acl ?
Q3
in switch-base platform
"deny" process in software
"permit" process in hardware
is it correct??
Q4
could you provide me cisco documents about 6509 cpu spike 100% with GRE ?
thank you so much
09-08-2010 06:16 PM
Hi Chia,
now, I know 6509 cpu high cause TCAM table reprogram when I modify acl policy
if I only use permit in my acl, no deny any more
will cpu spike 100% time become less ?
Yes, this might save some CPU cycle. Basically, the bigger the ACL and more deny statements, more CPU power will be required.
I know "deny" is process in software with switch-base platform when acl policy process in software, the acl counter will increase, vice versa in hardware
in my acl,only "deny" increase counter, "permit" with no counter.
so,
Q1
will cpu spike 100% time become less if I use permit only in acl
Ans: Yes.
Q2
this "acl" include all acl in 6509 or only wccp redirect-list acl ?
Ans: only wccp redirect-list or the traffic that you want to go thru WCCP.
Q3
in switch-base platform
"deny" process in software
"permit" process in hardware
is it correct??
Ans: Not sure. I need to verify this.
Q4
could you provide me cisco documents about 6509 cpu spike 100% with GRE ?
Ans: If WCCP is configured as an egress feature, or if hash-based assignment is in use (ingress or egress), some level of software processing is always required. There will be an increase in CPU utilization as the first packet in each flow is software switched.
Will have to search thru and get you more details sometime later.
Regards.
09-08-2010 06:27 PM
HI~ Bhavin Yadav
thanks for your detail response
it strengthens my knowledge
about Q3
if you have new information
could you update this article
let me know how it works
thanks
09-09-2010 12:07 PM
Hi NChia,
Thanks for marking this as Answered.
in switch-base platform
"deny" process in software
"permit" process in hardware
is it correct??
No, it should be hardware processing in both cases, but if there is a log keyword with the statement then it gets processed in software.
09-09-2010 06:12 PM
HI~ Bhavin Yadav
thanks for your response
it confuses me with process in software or hardware.
in switch-base platform,
does it process in software when the acl counter is increase
in my environment, 6509 VSS, almost happen in deny acl
sometimes in permit, but it increase little count and never increasing
I'm sure traffic is match acl, cause WAE is optimize this traffic
so, I think permit counter increase when the acl reprogram TCAM table
it is process in software this time, then process in hardware
in routers, like cisco2921
regardless permit or deny, the counter is always increasing when the traffic match acl
anyway,
this is my say
in switch-base platform, the acl counter increase when deny or reprogram TCAM table in software process
in route-base platform, the acl counter increase regardless permit or deny in software process
but I'm not sure it's correct.
thanks
09-10-2010 05:49 PM
Hi Chia,
My previous comment was only for the switch, not for routers. That was the update I received from our LAN Switching expert.
Regards.