
We have configured many access-lists on the router and memory used is 80%: are they working?

Hello,

We are going to explain our problem:

We have a 2801 router.

We have configured many access-lists to allow some traffic to pass through an interface and to redirect other traffic to another next-hop.

The percentage of used memory is: 80% which is critical.

When we use the command: sh access-list xxx  we do not see any match.

Are the access-lists classifying traffic or not? Is the low free memory the cause of the problem?

We are seeing that some traffic not allowed by access-list xxx is passing through the interface fast 0/0. What is the reason? The low free memory?

This is the configuration (there are more access-lists; this is only an example):

int fastethernet 0/0
     ip address 10.128.10.2 255.255.255.252
     ip policy route-map ZZZ

int fastethernet 0/1
     ip address 10.10.10.1 255.255.255.0

interface fastethernet 0/2
     ip address 10.254.1.6 255.255.255.252

access-list xxx
     deny ip 10.10.10.0 0.0.0.255 host 10.1.240.50
     permit ip 10.10.10.0 0.0.0.255 10.5.0.0 0.0.255.255

access-list yyy
     deny ip 10.10.10.0 0.0.0.255 host 10.1.240.50
     permit ip 10.10.10.0 0.0.0.255 10.5.0.0 0.0.255.255

route-map ZZZ permit 10
     match ip address xxx
     set ip next-hop 10.128.10.1

route-map ZZZ permit 20
     match ip address yyy
     set ip next-hop 10.254.1.5


Re: we have configured many access-list at router and memory use

Hi,

If you don't get hitcounts on the ACLs most likely they are not applied correctly (not working).

Also, the memory at 80% could be caused by something else, you might want to check the ''sh memory'' or ''sh proce memo'' to see which process is consuming a lot of memory.

You might want to focus on what exactly is causing the consumption of memory and then see if something can be done about it.

Federico.

Re: we have configured many access-list at router and memory use

Hi federico,

We have changed the 2801 router for one with more DRAM memory: 256 MByte, and now the command: sh memory free gives:

processor     total: 172,927,360     used: 24,265,916     free: 148,661,444

only 14% is used. With the other router the percentage used was: 85%.

But we have reviewed the configuration of the router regarding IP POLICY BASED ROUTING using route-map and set ip next-hop, and we cannot see any packets matching yet.

We are attaching a file with the real configuration and the results when we use: show access-list xxxxx.

Maybe the problem could be the IOS or another command that is affecting the use of IP POLICY BASED ROUTING.

Please review the attached file and send us your point of view.

Attentively.

Re: we have configured many access-list at router and memory use

Roger,

I don't think the ACL is consuming much resources.

There's IP accounting enabled that might be causing this... to be sure why don't you check which process is affecting the performance with the commands that I gave you.

Federico.


Re: we have configured many access-list at router and memory use

Why don’t you try with what Federico suggested,

Try with the show mem and with show proc mem so al and post the result.

Maybe there is something wrong in the allocation (yesterday I had to use the memory-size iomem command to fix a problem just like yours in a 2800)

I’m curious, I don’t understand why you built the ACL the way you did it. Like,

deny   ip 10.144.0.0 0.0.255.255 10.1.0.0 0.0.255.255

deny   ip 10.1.0.0 0.0.255.255 10.144.0.0 0.0.255.255

First you denied from 10.144 to 10.1 and then from 10.1 to 10.144. Are you applying the same ACL both ways (in and out of the interface)?

Regards, Gonzalo

Re: we have configured many access-list at router and memory use

Hello,

I am sorry for the delay.

We have changed the router at the customer and the memory consumption is very low, only: 24%.

The new router has more DRAM MEMORY.

However we are attaching the output of the commands: show memory and show process memory, so you can help us analyze which processes are consuming more memory.

About the access-list, I think it is badly configured.

It only has to be configured like this:

deny   ip 10.144.0.0 0.0.255.255 10.1.0.0 0.0.255.255

Can you tell us in what situations or cases it must be configured as follows:

deny   ip 10.144.0.0 0.0.255.255 10.1.0.0 0.0.255.255

deny   ip 10.1.0.0 0.0.255.255 10.144.0.0 0.0.255.255

Thanking you in advance.


Re: we have configured many access-list at router and memory use

I don't see the problem with the memory, so I guess this is the new router.


Here is a link to do a basic troubleshooting of the memory.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00800a6f3a.shtml


About the ACL,

You are supposed to apply the ACL one way, so the packets are going to have one source subnet (10.144.0.0 0.0.255.255, outside) and a destination (10.1.0.0 0.0.255.255, inside).  So, why put the line the other way (10.1.0.0 0.0.255.255 to 10.144.0.0 0.0.255.255) if you are not going to have a match (there is no way a packet would have a source of 10.1.0.0 0.0.255.255 coming from outside).

The only reason I can think of is if you want to use the same ACL both ways (in and out) of the interface. Or there is something else I'm not seeing.

Gonzalo
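
The point about ACL direction, as an added example that is not part of any post in this thread: a small Python model of IOS wildcard-mask matching with per-entry match counters, run over constructed packets. The function names and the sample packet addresses are assumptions made for the illustration; the two ACL entries are the ones quoted above.

```python
import ipaddress

def parse_entry(line):
    """Parse 'deny ip <src> <wildcard> <dst> <wildcard>' (the entry form used in this thread)."""
    action, _proto, src, src_wc, dst, dst_wc = line.split()
    to_int = lambda a: int(ipaddress.IPv4Address(a))
    return {"line": line, "action": action,
            "src": to_int(src), "src_wc": to_int(src_wc),
            "dst": to_int(dst), "dst_wc": to_int(dst_wc), "hits": 0}

def wildcard_match(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

def evaluate(acl, src, dst):
    """First matching entry wins and its counter increments; no match is the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for entry in acl:
        if (wildcard_match(s, entry["src"], entry["src_wc"])
                and wildcard_match(d, entry["dst"], entry["dst_wc"])):
            entry["hits"] += 1
            return entry["action"]
    return "deny"

def hit_counts(acl_lines, packets):
    """Run packets through a fresh copy of the ACL and return matches per entry."""
    acl = [parse_entry(l) for l in acl_lines]
    for src, dst in packets:
        evaluate(acl, src, dst)
    return {e["line"]: e["hits"] for e in acl}

ACL = ["deny ip 10.144.0.0 0.0.255.255 10.1.0.0 0.0.255.255",
       "deny ip 10.1.0.0 0.0.255.255 10.144.0.0 0.0.255.255"]

# Constructed sample traffic as (source, destination); the host addresses are made up.
ARRIVING_FROM_OUTSIDE = [("10.144.3.7", "10.1.20.5"), ("10.144.9.1", "10.1.0.80")]
LEAVING_FROM_INSIDE = [("10.1.20.5", "10.144.3.7")]

if __name__ == "__main__":
    cases = [("applied inbound only", ARRIVING_FROM_OUTSIDE),
             ("applied in and out", ARRIVING_FROM_OUTSIDE + LEAVING_FROM_INSIDE)]
    for name, packets in cases:
        print(name)
        for line, hits in hit_counts(ACL, packets).items():
            print(f"  {line} ({hits} matches)")
```

With the ACL seeing only traffic arriving from outside, the second entry never increments; it only counts once the same ACL also sees traffic sourced from 10.1.0.0/16.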


