05-12-2007 06:38 AM - edited 03-03-2019 04:57 PM
We are running a network where we have border, core and access, as Cisco suggests.
Border<---- ---->Access
| |
| |
-----------Core------
We are using a simple access-list on the Core router to permit our IPs, e.g. if traffic is from 10.10.10.0 255.255.225.0, permit; deny the rest. Well, whatever I have permitted is running fine. Whenever I try to permit any other IP or network, latency/delay increases into the 1000s of ms.
For example, I want to add another network like 132.xxx.xxx.x 255.255.255.0, and although I'm pretty sure there is no traffic from that source IP or network which belongs to this class, my network latency increases up to 1000s of ms. When I remove that entry from the access list, it takes 5 to 10 seconds and becomes normal.
Have you guys faced such a problem?
05-12-2007 06:40 AM
Very strange... never faced a problem like this before
Can you post your configs
Narayan
05-12-2007 06:48 AM
I have changed our IPs :) but the conf is the same as it is..
Whenever I permit another network in the above access list, all network delay increases into the 1000s of ms. When I remove that network, it stays OK..
One thing is interesting: if the IP or network is already in the access-list, I can remove or update that part of the access-list without any problem.
Note: This access-list is not being used in any PBR/route-map things.
05-13-2007 03:09 AM
Hi,
I guess you have reached the max limit of entries in your ACL.
BR,
Bjornarsb
05-12-2007 07:01 AM
Hi,
First, try not to apply ACLs on the core router. According to good Cisco design, a core router is supposed to just push traffic.
I've seen this problem on Cisco 12000 router line cards. So what type of core router do you have?
Based on the line card you have, you have a max limit on entries in your ACL! (128)
Have you tried this?
To use access list (ACL) performance improvements, use the access-list hardware global configuration command.
HTH
Regards,
Bjornarsb
05-13-2007 05:54 AM
Router type/model is: 7507 RSP 8 VIP 2
Well, the interesting thing is that I can add more entries into the access-list if the IP's network already exists.
Whenever I try to add an access-list entry whose IP/network is not listed in the access-list, the problem comes.
Have you guys seen any limit, like a maximum number of networks/subnets in an access-list?