Filter VLAN with IP ACL on C3550 causes poor performance

Sep 5th, 2007

Hi,


I have a customer who has a 3550. He is getting very poor performance with clients in the same VLAN. I have traced the problem back to the VLAN filter. With this removed there are no performance issues.


I've noticed that the CPU on the switch sat at around 50% with the VLAN filters active.


I would assume that the filter should be applied in hardware and therefore the CPU should not be hit.


Can anyone offer any advice on how to change the VLAN filter to improve performance? (If not, I plan to just remove it and put ACLs on the layer3 vlan interfaces.)


Thanks,

Chris


vlan access-map VMap1 1
 action forward
 match ip address 101
vlan filter VMap1 vlan-list 1-6,10,15,20-30,32-33,40,100-117,210-211


ACL 101 attached.



b.julin Wed, 09/05/2007 - 13:20

That ACL is way bigger than the 3550's vlan filtering intended use. You may be able to optimize it, however.


Note that on the 3550 chassis, VACLs are not called that; they are called "vlan maps".


See here for optimization guidelines when vlan maps and router ACLs are combined -- even if you don't have router ACLs it might be worth a shot to follow these guidelines:


http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst3550/software/release/12.1_4_ea1/configuration/guide/Swacl.html#wp1135328


Also note the "show access-lists hardware" and the "show tcam inacl" commands for diagnostics.

