06-24-2010 06:59 PM - edited 03-04-2019 08:53 AM
Hi,
I was checking today the document "Troubleshooting High CPU Utilization Due to Interrupts". This talks about CPU load due to long access lists and also talks about using NetFlow switching with CEF to improve the processing of access lists and switching. This is the text:
"As a general rule of thumb, any access list with over ten lines is considered long. Repeatedly going over long access lists is very CPU-intensive. With NetFlow switching, if the flow is already in the cache, you no longer need to check the access list. So in this case, NetFlow switching would be useful. You can enable NetFlow switching by issuing the ip route-cache flow command.
Note that if Cisco Express Forwarding and NetFlow are both configured on an interface, Cisco Express Forwarding will be used to make a switching decision, and NetFlow cache will be used to speed up ACL checking and accounting purposes."
This is a document for the 7500 series. I would like to know if this can be taken as a best practice for other Cisco platforms and can be used to improve performance when long access lists are applied to an interface, or if there is some limitation about using this.
Thanks all for your replies.
06-25-2010 03:28 AM
Hello Fernando,
What platform are you interested in? With what IOS image running on it?
To reduce CPU usage caused by ACLs you could think about using turbo ACL.
Hope to help
Giuseppe
06-26-2010 11:00 AM
Thanks Giuseppe for your reply,
I knew that turbo ACLs would be mentioned in the reply. To my understanding turbo ACLs apply to the big platforms like 7200, 7500, 1200, ASA, FWSM, 6500, and other series (please tell me if there is any exception to this), but what about platforms like ISRs, 3700s, and others? I'm not sure if you can use turbo ACLs on these platforms. If that is not the case, is it OK to use NetFlow switching with CEF on the interfaces?
Thanks again.
06-27-2010 09:52 PM
Fernando
It would be interesting to know the date of publication of the article that discusses flow switching. I suspect that it is pretty old. There was a switching path for "flow switching" but only for a fairly short time. Cisco retained flow switching concepts in implementing NetFlow tracking of forwarding of packets and the command ip route-cache flow enables this. But it no longer enables "flow switching" as a packet forwarding method. CEF is now the packet switching method that is used when packets are not process switched.
HTH
Rick
03-26-2016 11:59 AM
Nice information to know.
06-27-2010 10:30 PM
Hello Fernando,
>> if that is not the case its ok to use netflow switching with CEF in the interfaces?
This is possible for sure on those high end platforms that you have mentioned; I have configured it many times successfully.
On ISR it should be possible too, as you can find many examples here in the forums.
Have a look at the Cisco IOS 12.4T NetFlow configuration guide
http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/12_4t/nf_12_4t_book.html
see
http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/cfg_nflow_data_expt.html#wp1058333
We don't disable CEF to enable NetFlow instead. Rather, we can add NetFlow as a way to perform flow based accounting.
Scalability is achieved by sampling, which can be deterministic or random depending on IOS versions and platforms.
So I agree with Rick that flow switching is not current anymore.
To be noted: when I tested turbo ACL on C7500 we could see that turbo ACL traffic was not processed in a distributed fashion on VIP processors but by the central processor RSP4. But it was 8 years ago.
Hope to help
Giuseppe
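The points made in the replies above (keep CEF as the forwarding path, add NetFlow only for sampled accounting, enable compiled ACLs where the platform supports them, then verify which path is really in use) put together as an added IOS configuration example; this is not configuration posted by anyone in the thread. The interface name, sampler name, ACL number and addresses are assumed placeholder values.

```cisco
! Added example, not from the thread. Interface GigabitEthernet0/0,
! sampler SAMPLE100, ACL 150 and the 192.0.2.0/24 addresses are assumed values.
!
! CEF stays on as the packet switching path; NetFlow does not replace it.
ip cef
!
! Random 1-in-100 sampler bounds the NetFlow cache/export cost on a busy link.
flow-sampler-map SAMPLE100
 mode random one-out-of 100
!
! Turbo ACL (compiled ACLs). Accepted only on images/platforms that support it;
! if the command is rejected, that platform has no turbo ACL and CEF does the
! per-packet ACL evaluation instead.
access-list compiled
!
access-list 150 remark -- placeholder entries standing in for a long filter
access-list 150 permit tcp any host 192.0.2.10 eq 443
access-list 150 permit tcp any host 192.0.2.10 eq 80
! An ACE with "log" punts matching packets to process switching, which itself
! raises CPU on a busy interface; keep logging entries narrow.
access-list 150 deny   ip any any
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 150 in
 ! NetFlow accounting on ingress. "ip route-cache flow" is the older form
 ! of this command and no longer selects a separate "flow switching" path.
 ip flow ingress
 flow-sampler SAMPLE100
!
end
!
! Verification from exec mode:
! show ip interface GigabitEthernet0/0 | include switching
!   -> confirms CEF switching is enabled on the interface
! show access-list compiled
!   -> shows whether the ACLs were actually compiled (turbo ACL in effect)
! show ip cache flow
!   -> NetFlow cache being populated (accounting works alongside CEF)
! show processes cpu sorted
!   -> watch the "IP Input" share; a high value means packets are still
!      being process switched rather than CEF switched
```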