12-13-2018 11:59 PM - edited 03-08-2019 04:48 PM
Hi all
I have an issue when configuring a Cisco 3850.
On the 3850, I created 6 SVIs for local routing and I applied ACLs to 5 SVIs as below:
ACL 100 has 155 rules
ACL 150 has 259 rules
ACL 107 has 188 rules
ACL 111 has 155 rules
ACL 112 has 290 rules
When I apply ACL 108, which has 159 rules, to SVI 108, the switch CPU is high (80%), but before I apply ACL 108, CPU is 4%. This is the log from the 3850:
<188>377: Dec 14 13:16:09.309 UTC: %ACL_ERRMSG-4-UNLOADED: 1 fed: Input IPv4 L3 ACL on interface Vl108 for label 12 on asic255 could not be programmed in hardware and traffic will be dropped.
When I remove ACL 108 from SVI 108, CPU is normal (4%). I read this article: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3850-series-switches/118957-troubleshoot-sec-acl-tcam-cat3850.html. But I don't understand how to fix it.
Please help me
Thanks
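Added example, not part of the original posts: a small Python parser that picks the %ACL_ERRMSG-4-UNLOADED message quoted above out of a syslog stream and groups the events by interface, so an ACL that failed to program into hardware (and is dropping traffic) gets flagged. Only the first sample line comes from the post; the other two are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: line 1 is the message quoted in the post; lines 2-3 are
# constructed for this example.
SAMPLE_LOG = """\
<188>377: Dec 14 13:16:09.309 UTC: %ACL_ERRMSG-4-UNLOADED: 1 fed: Input IPv4 L3 ACL on interface Vl108 for label 12 on asic255 could not be programmed in hardware and traffic will be dropped.
<189>378: Dec 14 13:16:10.001 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan108, changed state to up
<188>379: Dec 14 13:17:30.120 UTC: %ACL_ERRMSG-4-UNLOADED: 1 fed: Input IPv4 L3 ACL on interface Vl108 for label 12 on asic255 could not be programmed in hardware and traffic will be dropped.
"""

# Pattern built from the one message shown in the post (assumption: other
# directions/protocols follow the same layout).
UNLOADED = re.compile(
    r"^(?:<(?P<pri>\d+)>)?(?P<seq>\d+): (?P<ts>.+?): "
    r"%ACL_ERRMSG-(?P<sev>\d)-UNLOADED: \d+ fed: "
    r"(?P<direction>Input|Output) (?P<proto>\S+) (?P<layer>\S+) ACL "
    r"on interface (?P<interface>\S+) for label (?P<label>\d+) "
    r"on asic(?P<asic>\d+) could not be programmed in hardware"
)

def parse_unloaded(line):
    """Return the fields of an UNLOADED message, or None for any other line."""
    m = UNLOADED.match(line)
    if not m:
        return None
    ev = m.groupdict()
    if ev["pri"] is not None:
        # Syslog PRI = facility * 8 + severity; it should agree with the
        # severity digit inside the %FACILITY-SEV-MNEMONIC tag.
        ev["facility"], pri_sev = divmod(int(ev["pri"]), 8)
        ev["pri_matches"] = pri_sev == int(ev["sev"])
    return ev

def unloaded_by_interface(log_text):
    """Map (interface, direction, protocol) -> timestamps of UNLOADED events."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_unloaded(line)
        if ev:
            hits[(ev["interface"], ev["direction"], ev["proto"])].append(ev["ts"])
    return dict(hits)

if __name__ == "__main__":
    for (intf, direction, proto), stamps in unloaded_by_interface(SAMPLE_LOG).items():
        print(f"{intf}: {direction} {proto} ACL not in hardware, traffic dropped "
              f"({len(stamps)} events, first {stamps[0]}, last {stamps[-1]})")
```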
12-14-2018 12:25 AM - edited 12-15-2018 02:54 PM
Raise a TAC Case. I remembered reading about a bug where too many ACLs can cause high CPU.
Please see additional comments below.
12-14-2018 03:14 AM
12-14-2018 03:27 AM
Hello,
What do your access lists look like? Are you logging any of the entries (with the 'log' keyword)?
12-14-2018 05:09 AM
12-15-2018 02:54 PM - edited 12-15-2018 02:56 PM
Found it.
Raise a TAC Case. I am very sure the issue is due to CSCvk42902.
12-15-2018 08:08 PM
12-15-2018 08:41 PM
@giangle wrote:
But I read this link, so I only upgrade from Nova to Polaris, is that right?
Try an IOS upgrade; however, the information found in the Bug ID is not reliable, especially with the Known Affected Version and the Known Fixed Version.
But for now, try upgrading the IOS of the switch stack.
Let us know how you go.
12-16-2018 07:34 PM - edited 12-16-2018 07:50 PM
Hi Leo.
Because I'm using a Catalyst 3850 24T-E, can I upgrade from IOS-XE 03.06.05E to version cat3k_caa-universalk9.16.06.04a.SPA.bin (https://software.cisco.com/download/home/284455433/type/282046477/release/Everest-16.6.4a)? In this release I saw Bug ID CSCvk42902 resolved. I am considering between cat3k_caa-universalk9.16.08.01a.SPA.bin and cat3k_caa-universalk9.16.06.04a.SPA.bin. Are these 2 versions OK with the 3850-24T-E?
Thanks!
12-16-2018 10:22 PM
12-16-2018 10:25 PM
12-17-2018 12:13 AM
12-17-2018 01:02 AM
01-10-2019 01:18 AM
Hi Leo.
I am buying a Cisco C9300 to replace the 3850 and I am thinking about ACLs on the C9300. I wonder, is there any bug about ACLs in the C9300, same as the bug in the 3850, that causes high CPU?
01-10-2019 02:00 AM
@giangle wrote:
I wonder, is there any bug about ACLs in the C9300, same as the bug in the 3850, that causes high CPU?
Because the 3650/3850 and the 9K run on the same IOS-XE, whatever bug the 9K hits will, most definitely, be found in the 3650/3850.
However, an IOS upgrade can sometimes fix the issue.