Buy or Renew
Buy or Renew
Cisco + Splunk: Itā€™s a new day for your data. Learn more.
Ā 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
447
Views
0
Helpful
3
Replies

CPU usage intermittently high on 6500 with access-lists

gautamzone
Level 1
Level 1

ā€Ž03-15-2011 12:12 AM - edited ā€Ž03-06-2019 04:05 PM

Dear friends,

There is  a 6509 switch with Sup 720 running SXH 2a modular IOS. This switch acts as a collapsed distribution for a bank network in one building. There was an audit done where access-lists where recommended on vlans with log keyword.

After putting the access-lists with log keyword, the cpu utilization continuously remains at 25-30% average and sometimes shoots up to above 90%.

We got to know this after pulling monthly high incident reports from MARS.

After i immediately remove the access-lists, the core cpu utilization drops down to 6% and never goes beyond 12-15%.

Clearly, we have isolated the issue to access-lists. However, removing the access-list again does not help us fulfill the audit measures!!

Is there any suggestions on how to keep the access-list as well as not overburden the CPU.

 

Thanks a lot

Gautam

Labels:
0 Helpful
3 Replies 3

ranraju
Cisco Employee
Cisco Employee

ā€Ž03-15-2011 12:33 AM

is it possible for you to remove the log keyword from the ACL... its apparent that this is causing the high CPU.

The CPU has to generate these syslog messages and hence it gets overburdened, and when you remove the log keyword this should bring down CPU utilization considerably down. I don't see any other workaround for this.

Regards,

ranraju

0 Helpful

gautamzone
Level 1
Level 1
In response to ranraju

ā€Ž03-15-2011 12:37 AM

The log keyword was an audit measure! If we remove it, it calls for a justification to the auditor!!

I am just wondering if there is any other way.

0 Helpful

Peter Paluch
Cisco Employee
Cisco Employee
In response to gautamzone

ā€Ž03-15-2011 12:46 AM

Gautam,

Using the log option in an ACL is absolutely not a serious audit tool, either. There is a throttling mechanism in place that causes only a subset of all matches to be logged, therefore relying on the log option to log all incidents is not reliable. If using the log keyword in your ACLs was directly mandated by your auditor then I must doubt his competency in this particular issue.

I am afraid there is not much you can do. Either you must find another way to detect and log violations in your network (which is why IDS and IPS systems exist), or you have to accept that the CPU on your 6500s will be spiked up. The log keyword is not intended to be used as a permanent reporting tool for security audits, and trying to misuse it for these purposes will backfire, as you can see yourself.

Best regards,

Peter

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card