CPU high utilization with wccp acl and GGRE with 6509

Sep 4th, 2010

hi all

I have 3 questions

I've 2 wae-7371 with 2 cisco 6509 in DC

my interception is wccp and egress method is GGRE

Q1.

I use wccp redirect-list with 6509

like...

ip wccp 61 redirect-list wccp_in

ip wccp 62 redirect-list wccp_out

my access-list extend wccp_in like

deny tcp 1.1.1.0 0.0.0.255 any (needn't optimize)

.....

permit tcp any any

when I modify the wccp acl, like adding one new rule

1 deny tcp 2.2.2.0 0.0.0.255 any

then the 6509 cpu utilization will pick up to 100% about 1min

then down to normal

Q2

last day, I changed the wae-7371 egress method from IP Forwarding to GGRE

I find the optimization traffic in wae-7371 become less after egress method is GGRE

my GGRE config in 6509 is

interface Tunnel7371
ip address 192.168.248.254 255.255.255.0
no ip redirects
ip wccp redirect exclude in
load-interval 30
tunnel source Vlan248 (wae subnet)
tunnel mode gre multipoint
end

my question is change egress method from ip forwarding to GGRE

will it affect the optimization traffic?

Q3

in my tunnel7371 configuration

the tunnel source is set vlan248 now

that's my wae subnet

if I change this to loopback will affect anything?

my wae is adjacent to 6509

thanks

Correct Answer
Bhavin Yadav Mon, 09/06/2010 - 16:26

Hi Chiao,

Answers for you:

Q1.

I use wccp redirect-list with 6509

like...

ip wccp 61 redirect-list wccp_in

ip wccp 62 redirect-list wccp_out

my access-list extend wccp_in like

deny tcp 1.1.1.0 0.0.0.255 any (needn't optimize)

.....

permit tcp any any

when I modify the wccp acl, like adding one new rule

1 deny tcp 2.2.2.0 0.0.0.255 any

then the 6509 cpu utilization will pick up to 100% about 1min

then down to normal

Answer: As you are using 6509 with GRE, this is expected behaviour. It will spike to CPU processing power as it has to reprogram the TCAM table one more time after WCCP flap.

Q2

last day, I changed the wae-7371 egress method from IP Forwarding to GGRE

I find the optimization traffic in wae-7371 become less after egress method is GGRE

my GGRE config in 6509 is

interface Tunnel7371
ip address 192.168.248.254 255.255.255.0
no ip redirects
ip wccp redirect exclude in
load-interval 30
tunnel source Vlan248 (wae subnet)
tunnel mode gre multipoint
end

my question is change egress method from ip forwarding to GGRE

will it affect the optimization traffic?

Answer: Nope. The optimization should not be affected whether you use GGRE or GRE.

Q3

in my tunnel7371 configuration

the tunnel source is set vlan248 now

that's my wae subnet

if I change this to loopback will affect anything?

my wae is adjacent to 6509

Answer: Nope. It should not be a problem as far as the loopback can reach the cache engine and vice versa. But that really doesn't matter as the Router ID will be the highest IP configured on the router. Though, what I understand is that you only plan to change the router list IP address on WAE.

Hope this helps.

Regards.

PS: Please mark this as Answered, if this answers your question.

kanechang Mon, 09/06/2010 - 18:38

HI~ Bhavin Yadav

thanks for your response

In Q1

The GGRE method overcomes the cpu high with process in software process

it allows packets to be processed in hardware on platforms.

so, as GGRE are process in hardware, why cpu spike to 100% when I modify wccp redirect-list

In Q3

The Cisco documents said that if the wae are l2 adjacent to the wccp server

the router-list should be set to the wae subnet (vlan248)

so, now I configured my wae subnet vlan 248 as tunnel source

I just want to confirm this.

thanks

Bhavin Yadav Tue, 09/07/2010 - 12:18

Hi Chia,

Whether you use GGRE or GRE, 6509 has to reprogram everything in the TCAM table which will spike the CPU momentarily. The GGRE will save the CPU cycles only when the redirection starts happening.

In Q3

The Cisco documents said that if the wae are l2 adjacent to the wccp server the router-list should be set to the wae subnet (vlan248). so, now I configured my wae subnet vlan 248 as tunnel source. I just want to confirm this.

Yes, you should be good looking at the interface config but I would suggest you to contact your network designer and confirm this. From WCCP perspective, you are good.

Hope this answers your question.

Regards.

If this answers your question, please mark this as Answered.

kanechang Tue, 09/07/2010 - 19:54

Hi Bhavin Yadav

thanks for your response

last questions.

now, I know 6509 cpu high cause TCAM table reprogram when I modify acl policy

if I only use permit in my acl, no deny any more

will cpu spike 100% time become less ?

I know "deny" is process in software with switch-base platform

when acl policy is processed in software, the acl counter will increase, vice versa in hardware

in my acl,

only "deny" increase counter, "permit" with no counter.

so,

Q1

will cpu spike 100% time become less if I use permit only in acl

Q2

this "acl" include all acl in 6509 or only wccp redirect-list acl ?

Q3

in switch-base platform

"deny" process in software

"permit" process in hardware

is it correct??

Q4

could you provide me cisco documents about 6509 cpu spike 100% with GRE ?

thank you so much

Bhavin Yadav Wed, 09/08/2010 - 18:16

Hi Chia,

now, I know 6509 cpu high cause TCAM table reprogram when I modify acl policy

if I only use permit in my acl, no deny any more, will cpu spike 100% time become less?

Yes, this might save some CPU cycles. Basically, the bigger the ACL and the more deny statements, the more CPU power will be required.

I know "deny" is processed in software on switch-based platforms; when acl policy is processed in software, the acl counter will increase, vice versa in hardware

in my acl, only "deny" increases the counter, "permit" has no counter.

so,

Q1

will cpu spike 100% time become less if I use permit only in acl

Ans: Yes.

Q2

this "acl" include all acl in 6509 or only wccp redirect-list acl ?

Ans: only wccp redirect-list or the traffic that you want to go thru WCCP.

Q3

in switch-base platform

"deny" process in software

"permit" process in hardware

is it correct??

Ans: Not sure. I need to verify this.

Q4

could you provide me cisco documents about 6509 cpu spike 100% with GRE ?

Ans: If WCCP is configured as an egress feature, or if hash-based assignment is in use (ingress or egress), some level of software processing is always required. There will be an increase in CPU utilization as the first packet in each flow is software switched.

Will have to search thru and get you more details sometime later.

Regards.

kanechang Wed, 09/08/2010 - 18:27

HI~ Bhavin Yadav

thanks for your detailed response

it strengthens my knowledge

about Q3

if you have new information

could you update this article

and let me know how it works

thanks

Bhavin Yadav Thu, 09/09/2010 - 12:07

Hi NChia,

Thanks for marking this as Answered.

in switch-base platform

"deny" process in software

"permit" process in hardware

is it correct??

No, it should be hardware processing in both cases but if there is a log keyword with the statement then it gets processed in software.
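An added example, not part of the original thread: a small Python audit that applies the two points made in the answers above (entries with a log keyword are processed in software, and more deny statements mean more CPU when the ACL is changed) to the ACLs referenced by `ip wccp <id> redirect-list <name>`. The sample configuration is constructed, and the single-space indentation of ACL entries as in `show running-config` output is an assumption.

```python
import re

# Constructed sample config; ACL names and service IDs follow the thread.
SAMPLE_CONFIG = """\
ip wccp 61 redirect-list wccp_in
ip wccp 62 redirect-list wccp_out
ip access-list extended wccp_in
 deny tcp 1.1.1.0 0.0.0.255 any
 deny tcp 2.2.2.0 0.0.0.255 any log
 permit tcp any any
ip access-list extended wccp_out
 permit tcp any any
ip access-list extended mgmt_only
 deny ip any any log
"""

def audit_wccp_redirect_lists(config):
    """Return {acl_name: {services, permit, deny, log_lines, missing}} for
    every ACL referenced by an 'ip wccp <id> redirect-list <name>' line."""
    report, current = {}, None
    # Pass 1: find which ACLs are WCCP redirect-lists, and for which services.
    for m in re.finditer(r"^ip wccp (\S+) redirect-list (\S+)", config, re.M):
        entry = report.setdefault(m.group(2), {
            "services": [], "permit": 0, "deny": 0,
            "log_lines": [], "missing": True})
        entry["services"].append(m.group(1))
    # Pass 2: walk the ACL bodies and tally entries of the referenced ACLs only.
    for line in config.splitlines():
        head = re.match(r"^ip access-list extended (\S+)\s*$", line)
        if head:
            current = report.get(head.group(1))
            if current is not None:
                current["missing"] = False  # referenced ACL is defined
            continue
        if not line.startswith(" "):
            current = None                  # left the ACL block
        if current is None:
            continue
        tokens = line.split()
        if tokens and tokens[0].isdigit():
            tokens = tokens[1:]             # drop optional sequence number
        if tokens and tokens[0] in ("permit", "deny"):
            current[tokens[0]] += 1
            if "log" in tokens or "log-input" in tokens:
                current["log_lines"].append(line.strip())
    return report
```
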

kanechang Thu, 09/09/2010 - 18:12

HI~ Bhavin Yadav

thanks for your response

it confuses me whether it is processed in software or hardware.

in switch-based platforms,

is it processed in software when the acl counter increases?

in my environment, 6509 VSS, it almost always happens with deny acl

sometimes with permit, but the count increases a little and then stops increasing

I'm sure traffic matches the acl, because the WAE is optimizing this traffic

so, I think the permit counter increases when the acl reprograms the TCAM table

it is processed in software this time, then processed in hardware

in routers, like cisco2921

regardless of permit or deny, the counter is always increasing when the traffic matches the acl

anyway,

this is my view

in switch-based platforms, the acl counter increases on deny or when reprogramming the TCAM table, in software processing

in route-based platforms, the acl counter increases regardless of permit or deny, in software processing

but I'm not sure it's correct.

thanks

Bhavin Yadav Fri, 09/10/2010 - 17:49

Hi Chia,

My previous comment was only for the switch, not for routers. That was the update I received from our LAN Switching expert.

Regards.
