CPU usage intermittently high on 6500 with access-lists

gautamzone
Level 1

Dear friends,

There is a 6509 switch with Sup 720 running SXH 2a modular IOS. This switch acts as a collapsed distribution for a bank network in one building. There was an audit done where access-lists were recommended on vlans with log keyword.

After putting the access-lists with log keyword, the cpu utilization continuously remains at 25-30% average and sometimes shoots up to above 90%.

We got to know this after pulling monthly high incident reports from MARS.

After I immediately remove the access-lists, the core cpu utilization drops down to 6% and never goes beyond 12-15%.

Clearly, we have isolated the issue to access-lists. However, removing the access-list again does not help us fulfill the audit measures!!

Are there any suggestions on how to keep the access-list and not overburden the CPU?

 

Thanks a lot

Gautam

3 Replies

ranraju
Cisco Employee

Is it possible for you to remove the log keyword from the ACL? It's apparent that this is causing the high CPU.

The CPU has to generate these syslog messages and hence it gets overburdened, and when you remove the log keyword this should bring CPU utilization down considerably. I don't see any other workaround for this.

Regards,

ranraju

The log keyword was an audit measure! If we remove it, it calls for a justification to the auditor!!

I am just wondering if there is any other way.

Gautam,

Using the log option in an ACL is absolutely not a serious audit tool, either. There is a throttling mechanism in place that causes only a subset of all matches to be logged, therefore relying on the log option to log all incidents is not reliable. If using the log keyword in your ACLs was directly mandated by your auditor then I must doubt his competency in this particular issue.

I am afraid there is not much you can do. Either you must find another way to detect and log violations in your network (which is why IDS and IPS systems exist), or you have to accept that the CPU on your 6500s will be spiked up. The log keyword is not intended to be used as a permanent reporting tool for security audits, and trying to misuse it for these purposes will backfire, as you can see yourself.

Best regards,

Peter
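To make Peter's point about throttling concrete, here is an added example that is not part of this thread and was not run on Gautam's switch. IOS reports `log` matches through `%SEC-6-IPACCESSLOGP`-style syslog messages: the first match of a flow is logged as "1 packet", and later matches are rolled up into a periodic summary line ("137 packets"), so counting messages badly undercounts what the ACE actually saw. The script parses a small, constructed set of such messages (sample lines are invented for illustration), aggregates packets per ACL/flow, and shows the gap between message count and packet count that anyone reading these logs for audit purposes has to account for. Function and variable names (`parse_acl_log_line`, `summarize`, `top_denied`, `coverage`) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample of the syslog lines the ACL "log" keyword produces.
# Not captured from the poster's 6509; names, addresses and times are made up.
SAMPLE_SYSLOG = """\
Mar  1 10:00:01.123: %SEC-6-IPACCESSLOGP: list VLAN10-IN denied tcp 10.10.5.20(41522) -> 10.20.1.9(445), 1 packet
Mar  1 10:00:03.456: %SEC-6-IPACCESSLOGP: list VLAN10-IN denied tcp 10.10.5.21(50123) -> 10.20.1.9(3389), 1 packet
Mar  1 10:00:07.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Mar  1 10:05:01.200: %SEC-6-IPACCESSLOGP: list VLAN10-IN denied tcp 10.10.5.20(41522) -> 10.20.1.9(445), 137 packets
Mar  1 10:05:01.201: %SEC-6-IPACCESSLOGDP: list VLAN10-IN denied icmp 10.10.5.30 -> 10.20.1.9 (8/0), 12 packets
Mar  1 10:05:01.300: %SEC-6-IPACCESSLOGP: list VLAN20-IN permitted udp 10.10.6.7(53412) -> 10.20.1.53(53), 1 packet
"""

# Matches the TCP/UDP (P), ICMP (DP) and other-protocol (NP) variants of the
# extended-ACL log message. Ports are optional because ICMP lines carry
# "(type/code)" after the destination instead of a port.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[^\s(]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[^\s(]+)(?:\((?P<dport>\d+)\))?"
    r".*?, (?P<count>\d+) packets?"
)


def parse_acl_log_line(line):
    """Return the fields of one IPACCESSLOG* message, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def summarize(syslog_text):
    """Aggregate messages and packet counts per (acl, action, proto, src, dst, dport).

    The 'messages' figure is what you get by counting log lines; the 'packets'
    figure is what the ACE actually matched, reconstructed from the summary
    counts IOS attaches to each line.
    """
    totals = defaultdict(lambda: {"messages": 0, "packets": 0})
    for line in syslog_text.splitlines():
        rec = parse_acl_log_line(line)
        if rec is None:
            continue
        key = (rec["acl"], rec["action"], rec["proto"],
               rec["src"], rec["dst"], rec["dport"])
        totals[key]["messages"] += 1
        totals[key]["packets"] += rec["count"]
    return dict(totals)


def top_denied(totals, n=5):
    """Flows hit by a deny ACE, ordered by packets matched (highest first)."""
    denied = [(flow, stats["packets"])
              for flow, stats in totals.items() if flow[1] == "denied"]
    return sorted(denied, key=lambda item: item[1], reverse=True)[:n]


def coverage(totals):
    """(total log messages, total packets): how much the line count understates."""
    messages = sum(s["messages"] for s in totals.values())
    packets = sum(s["packets"] for s in totals.values())
    return messages, packets


if __name__ == "__main__":
    totals = summarize(SAMPLE_SYSLOG)
    for flow, packets in top_denied(totals):
        acl, action, proto, src, dst, dport = flow
        target = dst if dport is None else f"{dst}:{dport}"
        print(f"{acl} {action} {proto} {src} -> {target}: {packets} packets")
    msgs, pkts = coverage(totals)
    print(f"{msgs} log lines account for {pkts} matched packets")
```

Run as a script, the sample shows five log lines standing for 152 matched packets, with the 445/tcp flow logged twice but matched 138 times. That is the behaviour Peter describes: the switch punts matches to the RP to build these lines and still only gives you summarized counts, so the output is a rate-limited tally, not a per-packet audit trail.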
