11-04-2010 04:02 AM - edited 03-06-2019 01:53 PM
Does anyone face issues with reflexive ACLs on the 6500 (with SUP-720-10G)? In fact, the ACL entries are too big, and the switch was working fine for almost three days in production; all of a sudden the device went to 100% utilization and the network crashed. Please share if anyone has had a similar experience with the switch.
IOS version is: s72033-ipservicesk9_wan-mz.122-33.SXI2a.bin
SH module output
------------------ show module ------------------
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
1 6 Firewall Module WS-SVC-FWM-1 SAL1425KV5T
3 16 SFM-capable 16 port 1000mb GBIC WS-X6516-GBIC SAL06427JU6
4 48 48 port 10/100/1000mb EtherModule WS-X6148-GE-TX SAL1222SEBS
5 5 Supervisor Engine 720 10GE (Active) VS-S720-10G SAL1430NK4L
6 48 48 port 10/100/1000mb EtherModule WS-X6148-GE-TX SAL09496ZNL
7 48 SFM-capable 48-port 10/100 Mbps RJ45 WS-X6548-RJ-45 SAL06468G7P
9 48 48 port 10/100/1000mb EtherModule WS-X6148-GE-TX SAD0753014Y
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
1 5475.d062.6dd0 to 5475.d062.6dd7 4.5 7.2(1) 4.0(4) Ok
3 0009.11e6.7ca8 to 0009.11e6.7cb7 5.1 6.3(1) 12.2(33)SXI2 Ok
4 001d.70a4.d460 to 001d.70a4.d48f 7.2 7.2(1) 12.2(33)SXI2 Ok
5 c47d.4ffd.fc20 to c47d.4ffd.fc27 3.2 8.5(4) 12.2(33)SXI2 Ok
6 0016.4674.ad84 to 0016.4674.adb3 1.1 7.2(1) 12.2(33)SXI2 Ok
7 0009.11e7.8ab4 to 0009.11e7.8ae3 5.1 6.3(1) 12.2(33)SXI2 Ok
9 000e.d70f.9040 to 000e.d70f.906f 6.0 7.2(1) 12.2(33)SXI2 Ok
Mod Sub-Module Model Serial Hw Status
---- --------------------------- ------------------ ----------- ------- -------
5 Policy Feature Card 3 VS-F6K-PFC3C SAL1429NGHZ 1.1 Ok
5 MSFC3 Daughterboard VS-F6K-MSFC3 SAL1428MDXU 5.0 Ok
Mod Online Diag Status
---- -------------------
1 Pass
3 Pass
4 Pass
5 Pass
6 Pass
7 Pass
9 Pass
11-08-2010 01:28 PM
Hello Najeeb,
Make sure you have enough TCAM space in order to program all your RACLs in hardware; if not, traffic will be punted to the CPU for process switching. Please check the following outputs.
sh tcam counts
Sometimes, if you have multiple features configured on that SVI or layer 3 interfaces, there might be conflicts programming all those features in hardware. Following are some outputs with which you can verify this.
sh fm summary <--- run this command and see if you have any inactive interfaces inbound or outbound. If there are any inactive interfaces, select the interfaces which are inactive and then run the command below.
sh fm fie interface <x/x> (from this output you can see if there are conflicts programming those features in hardware)
Additional information.
- There are limitations when it comes to configuring features on SVI or L3 interfaces.
- On this code, the ODM algorithm is enabled by default, so I hope you have not changed the default.
Please read the following document; it is a very good document regarding this issue and explains step by step how to troubleshoot these types of issues.
***************************************************************************************************************
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/65acl_wp.pdf
Let me know if you have any questions and hope this helps.
Ruvin