Access Lists on Vlan Interface - Slow Performance

sgalloway
Level 1

Hi Community,

I am trying to restrict internet-only access for a specific VLAN, e.g. (620 Vlan - 172.16.62.0/24), but when I apply the following access lists to the 620 interface, response time seems to be very slow. If I remove the specific access-lists, responses are much faster!!! Is it something to do with the traffic being processed against all our Vlans?

Here are some details about the config. We have 4507's in a VSS configuration and a total of 57 Vlans. I am trying to restrict guest users in Vlan 620 to only allow access to the internet but no access to all the other Vlans.

access-list 162 deny   ip 172.16.62.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 162 permit ip any any

We have a default static route to the Vlan where our Edge router resides for all internet traffic:

0.0.0.0 0.0.0.0 172.16.20.6

interface Vlan620
 description Guest-internet Only
 ip address 172.16.62.5 255.255.254.0
 ip access-group 162 in
 no ip redirects
 ip pim sparse-mode
 standby 62 ip 172.16.62.1
 standby 62 priority 160
 standby 62 preempt
 ip cgmp
end

If I add the "log" option to the end of the "access-list 162 permit ip any any", it successfully shows me the correct permitted log traffic (source - destination) in the show logging output...

If you require further info please let me know..

Thanks, Simon

5 Replies

johnd2310
Level 8

Hi,

If you add log to the deny statement, is the correct traffic being denied? What IP is the guest vlan using for DNS?

Thanks

John

**Please rate posts you find helpful**

Hi John,

The Guest Vlan is getting the DNS details from our ISP. I am not advertising our internal DNS servers to the guests in case they try and discover internal devices...

Looks like the correct traffic is being denied. Specific applications that are broadcasting within this vlan are getting denied, which is fine...

Hitesh Vinzoda
Level 4

Simon,

Could you try the ACL below:

access-list 162 permit ip 172.16.62.0 0.0.1.255 172.16.62.0 0.0.1.255
access-list 162 deny   ip 172.16.62.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 162 permit ip any any

Thanks

Hitesh

Hi Hitesh,

The suggested ACLs you recommended still allow me to ping and telnet to devices in the 172.16.0.0 subnet!
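As an added illustration (not code from this thread or from Cisco IOS), the following Python script applies IOS first-match wildcard semantics, including the implicit deny, to the two access lists discussed above, using a few constructed sample flows. It shows why intra-VLAN traffic is dropped by the original list and permitted by Hitesh's, and that a deny whose source wildcard is 0.0.0.255 covers only 172.16.62.0/24 although Vlan620 is configured as a /23 (255.255.254.0) in the posted config.

```python
import ipaddress

# Entries mirror IOS numbered extended ACL lines:
# (action, source, source-wildcard, destination, destination-wildcard).
# Matching is first-hit, with the implicit "deny ip any any" at the end.
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def evaluate(acl, src, dst):
    """Return (action, entry_index); index None means the implicit deny hit."""
    for i, (action, s, sw, d, dw) in enumerate(acl):
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action, i
    return "deny", None


# access-list 162 as posted in the question
ACL_SIMON = [
    ("deny", "172.16.62.0", "0.0.0.255", "172.16.0.0", "0.0.255.255"),
    ("permit", *ANY, *ANY),
]

# Hitesh's version: an intra-VLAN permit placed in front of the same two lines
ACL_HITESH = [("permit", "172.16.62.0", "0.0.1.255", "172.16.62.0", "0.0.1.255")] + ACL_SIMON

# Constructed sample flows; 203.0.113.5 is a documentation address standing in for the internet
FLOWS = {
    "guest_to_guest": ("172.16.62.10", "172.16.62.20"),
    "guest_to_internal": ("172.16.62.10", "172.16.20.6"),
    "guest_to_internet": ("172.16.62.10", "203.0.113.5"),
    # Vlan620 is a /23 (255.255.254.0); this constructed host sits in its upper half
    "upper_half_to_internal": ("172.16.63.10", "172.16.20.6"),
}


def audit(acl):
    """Map each sample flow name to the action the ACL takes on it."""
    return {name: evaluate(acl, src, dst)[0] for name, (src, dst) in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("Simon", ACL_SIMON), ("Hitesh", ACL_HITESH)):
        print(label, audit(acl))
```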

Martin Hruby
Level 1

Dear Simon,

Applying an ACL on the Catalyst 4500 series switches can cause a high cpu utilization which might adversely affect traffic forwarding. Try removing all deny statements from your access-list and only keep the permit statements. On the Catalyst 4500 series platform the access-list entries are programmed into TCAM memory and executed in hardware. Depending on the Supervisor engine, it may be possible that you exhausted your TCAM memory and therefore part of the ACLs have to be executed in software. This will cause a spike in the CPU utilization. For more detailed information see: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-4000-series-switches/66978-tcam-cat-4500.html

Check the overall health of your device with show platform health and show processes cpu history to see the CPU utilization. For more detailed information about troubleshooting also have a look at: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-4000-series-switches/65591-cat4500-high-cpu.html

Best regards,
Martin
