CPU high utilization with wccp acl and GGRE with 6509

Answered Question
Sep 4th, 2010

hi all


I have 3 questions


I have 2 WAE-7371s with 2 Cisco 6509s in the DC.

My interception method is WCCP and the egress method is GGRE.


Q1.

I use wccp redirect-list with 6509

like...

ip wccp 61 redirect-list wccp_in

ip wccp 62 redirect-list wccp_out


My extended access-list wccp_in is like:

deny tcp 1.1.1.0 0.0.0.255 any (needn't optimize)

.....

permit tcp any any


When I modify the WCCP ACL, e.g. add one new rule

1 deny tcp 2.2.2.0 0.0.0.255 any


then the 6509 CPU utilization goes up to 100% for about 1 min

and then drops back to normal.


Q2

Last day, I changed the WAE-7371 egress method from IP Forwarding to GGRE.

I find the optimized traffic on the WAE-7371 became less after the egress method was changed to GGRE.

My GGRE config on the 6509 is:


interface Tunnel7371
ip address 192.168.248.254 255.255.255.0
no ip redirects
ip wccp redirect exclude in
load-interval 30
tunnel source Vlan248 (wae subnet)
tunnel mode gre multipoint
end


My question is: if I change the egress method from IP forwarding to GGRE,

will it affect the optimized traffic?


Q3

In my Tunnel7371 configuration

the tunnel source is set to Vlan248 now;

that's my WAE subnet.

If I change this to a loopback, will it affect anything?

My WAE is adjacent to the 6509.



thanks

Correct Answer
Bhavin Yadav Mon, 09/06/2010 - 16:26
User Badges: Cisco Employee

Hi Chiao,

Answers for you:

Q1.

I use wccp redirect-list with 6509

like...

ip wccp 61 redirect-list wccp_in

ip wccp 62 redirect-list wccp_out


my access-list extend wccp_in like

deny tcp 1.1.1.0 0.0.0.255 any (needn't optimize)

.....

permit tcp any any


when i modify wccp acl , like add new one rule

1 deny tcp 2.2.2.0 0.0.0.255 any


then the 6509 cpu utilization will pick up to 100% about 1min

then down to normal


Answer: As you are using 6509 with GRE, this is expected behaviour. The CPU will spike as it has to reprogram the TCAM table one more time after the WCCP flap.




Q2

last day, I changed the wae-7371 egress method from IP Forwarding to GGRE

I find the optimization traffic in wae-7371 become less after egress method is GGRE

my GGRE config in 6509 is


interface Tunnel7371
ip address 192.168.248.254 255.255.255.0
no ip redirects
ip wccp redirect exclude in
load-interval 30
tunnel source Vlan248 (wae subnet)
tunnel mode gre multipoint
end


my question is change egress method from ip forwarding to GGRE

will it affect the optimization traffic?


Answer: Nope. The optimization should not be affected whether you use GGRE or GRE.


Q3

in my tunnel7371 configuration

the tunnel source is set vlan248 now

that's my wae subnet

if I change this to loopback will affect anything?

my wae is adjacent to 6509


Answer: Nope. It should not be a problem as far as the loopback can reach the cache engine and vice versa. But that really doesn't matter as the Router ID will be the highest IP configured on the router. Though, what I understand is that you only plan to change the router list IP address on the WAE.


Hope this helps.

Regards.


PS: Please mark this as Answered, if this answers your question.

kanechang Mon, 09/06/2010 - 18:38

HI~ Bhavin Yadav


thanks for your response


In Q1

The GGRE method overcomes the high CPU caused by processing in software;

it allows packets to be processed in hardware on platforms.


So, as GGRE is processed in hardware, why does the CPU spike to 100% when I modify the WCCP redirect-list?


In Q3

The Cisco documents say that if the WAEs are L2 adjacent to the WCCP server

the router-list should be set to the WAE subnet (vlan248).


So now I have configured my WAE subnet vlan 248 as the tunnel source.

I just want to confirm this.


thanks

Bhavin Yadav Tue, 09/07/2010 - 12:18
User Badges: Cisco Employee

Hi Chia,

Whether you use GGRE or GRE, the 6509 has to reprogram everything in the TCAM table, which will spike the CPU momentarily. GGRE will save CPU cycles only when the redirection starts happening.



In Q3

In cisco documents said, if wae are l2 adjacent to wccp server the router-list should set wae subnet (vlan248). so, now i configured my wae subnet vlan 248 as tunnel source I just want to confirm this.

Yes, you should be good looking at the interface config, but I would suggest you contact your network designer and confirm this. From the WCCP perspective, you are good.


Hope this answers your question.


Regards.


If this answers your question, please mark this as Answered.

kanechang Tue, 09/07/2010 - 19:54

Hi Bhavin Yadav


thanks for your response


last questions.


Now I know the 6509 CPU goes high because the TCAM table is reprogrammed when I modify the ACL policy.


If I only use permit in my ACL, with no deny any more,

will the time the CPU spikes at 100% become less?


I know "deny" is processed in software on switch-based platforms.

When an ACL policy is processed in software, the ACL counter will increase, and vice versa in hardware.

In my ACL,


only "deny" increases the counter; "permit" has no counter.


so,


Q1

Will the time the CPU spikes at 100% become less if I use only permit in the ACL?


Q2

Does this "ACL" include all ACLs on the 6509 or only the WCCP redirect-list ACL?


Q3

On a switch-based platform,

"deny" is processed in software

"permit" is processed in hardware

Is that correct?


Q4

Could you provide me with Cisco documents about the 6509 CPU spiking to 100% with GRE?


thank you so much

Bhavin Yadav Wed, 09/08/2010 - 18:16
User Badges: Cisco Employee

Hi Chia,


now, I know 6509 cpu high cause TCAM table reprogram when I modify acl policy


if I only use permit in my acl, no deny any more will cpu spike 100% time become less ?

Yes, this might save some CPU cycles. Basically, the bigger the ACL and the more deny statements, the more CPU power will be required.


I know "deny" is process in software with switch-base platform when acl policy process in software, the acl counter will increase, vice versa in hardware

in my acl, only "deny" increase counter, "permit" with no counter.


so,


Q1

will cpu spike 100% time become less if I use permit only in acl

Ans: Yes.


Q2

this "acl" include all acl in 6509 or only wccp redirect-list acl ?

Ans: Only the WCCP redirect-list or the traffic that you want to go through WCCP.


Q3

in switch-base platform

"deny" process in software

"permit" process in hardware

is it correct??


Ans: Not sure. I need to verify this.


Q4

could you provide me cisco documents about 6509 cpu spike 100% with GRE ?

Ans: If WCCP is configured as an egress feature, or if hash-based assignment is in use (ingress or egress), some level of software processing is always required. There will be an increase in CPU utilization as the first packet in each flow is software switched.

Will have to search through and get you more details sometime later.


Regards.

kanechang Wed, 09/08/2010 - 18:27

HI~ Bhavin Yadav


Thanks for your detailed response.


It strengthens my knowledge.


About Q3:


if you have new information,


could you update this article


and let me know how it works?


thanks

Bhavin Yadav Thu, 09/09/2010 - 12:07
User Badges: Cisco Employee

Hi NChia,

Thanks for marking this as Answered.


in switch-base platform

"deny" process in software

"permit" process in hardware

is it correct??


No, it should be hardware processing in both cases, but if there is a log keyword with the statement then it gets processed in software.
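
A pre-change check based on the replies above, which say that bigger redirect-list ACLs with more deny statements need more CPU when reprogrammed, and that an entry with the log keyword is processed in software. This is an added example, not code from the thread or from Cisco; the sample config is constructed from the lines quoted in the thread, and `audit_redirect_lists`, the `mgmt_only` ACL and the `log` entries are hypothetical.

```python
import re

# Constructed sample, modelled on the config lines quoted in the thread.
# The mgmt_only ACL and the "log" entries are invented for the example.
SAMPLE_CONFIG = """\
ip wccp 61 redirect-list wccp_in
ip wccp 62 redirect-list wccp_out
!
ip access-list extended wccp_in
 deny tcp 1.1.1.0 0.0.0.255 any
 deny tcp 2.2.2.0 0.0.0.255 any log
 permit tcp any any
ip access-list extended wccp_out
 deny tcp any 1.1.1.0 0.0.0.255
 permit tcp any any
ip access-list extended mgmt_only
 permit tcp 10.0.0.0 0.0.0.255 any log
"""

ACE = re.compile(r"(?:\d+\s+)?(permit|deny)\b")
LOGGED = re.compile(r"\slog(?:-input)?(?:\s|$)")  # IOS ACE logging keywords

def audit_redirect_lists(config):
    """Summarise each ACL referenced by 'ip wccp <id> redirect-list <name>'."""
    services, acls, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip wccp (\S+) redirect-list (\S+)$", line)
        if m:
            services[m.group(2)] = m.group(1)
        acl = re.match(r"ip access-list extended (\S+)$", line)
        if acl:
            current = acls.setdefault(acl.group(1), [])
        elif current is not None and raw[:1] == " " and ACE.match(line):
            current.append(line)          # entry of the ACL being read
        elif raw[:1] != " ":
            current = None                # left the ACL sub-mode
    report = {}
    for name, service in services.items():
        aces = acls.get(name, [])
        kinds = [ACE.match(a).group(1) for a in aces]
        report[name] = {
            "service": service,
            "deny": kinds.count("deny"),
            "permit": kinds.count("permit"),
            "logged": [a for a in aces if LOGGED.search(a)],
        }
    return report

if __name__ == "__main__":
    for name, info in audit_redirect_lists(SAMPLE_CONFIG).items():
        print(name, info)
```

ACLs that no `ip wccp ... redirect-list` statement references, such as `mgmt_only` here, are left out of the report.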

kanechang Thu, 09/09/2010 - 18:12

HI~ Bhavin Yadav


thanks for your response


I'm confused about processing in software or hardware.

On a switch-based platform,

is it processed in software when the ACL counter increases?

In my environment, a 6509 VSS, it almost always happens on deny ACL entries,

sometimes on permit, but the count increases a little and then never increases again.

I'm sure the traffic matches the ACL, because the WAE is optimizing this traffic,

so I think the permit counter increases when the ACL is reprogrammed into the TCAM table:

it is processed in software at that time, then processed in hardware.


On routers, like the cisco2921,

regardless of permit or deny, the counter always increases when traffic matches the ACL.


Anyway,

this is what I think:


on a switch-based platform, the ACL counter increases on deny or when the TCAM table is reprogrammed, in software processing

on a router-based platform, the ACL counter increases regardless of permit or deny, in software processing


but I'm not sure it's correct.


thanks

Bhavin Yadav Fri, 09/10/2010 - 17:49
User Badges: Cisco Employee

Hi Chia,

My previous comment was only for the switch, not for routers. That was the update I received from our LAN Switching expert.

Regards.
