I have a requirement to apply an ACL on around 100 interfaces to block certain ports (UDP & TCP) due to government regulation requirements. I have a 7609 router with a SUP720-3BXL supervisor engine (acting as an MPLS PE in our network) with an average CPU of 40%.
1. Will there be any huge CPU increase by applying this single ACL on around 100 interfaces? (Does any one of you have practical experience with this?)
2. Will the ACLs be processed in the control plane, even though I apply them on individual interfaces/different line cards?
Can anyone help me understand this?
Programming the TCAM happens automatically in software when the ACL is configured. If you use certain features or exceed the TCAM space, then the ACL will fail to be programmed and the traffic will be punted to the control plane.
This can be a very complex topic. The architectures of the 6500 and 7600 are very similar, so I would read through this document:
Understanding ACL on Catalyst 6500 Series Switches
If the ACLs configured do not exceed the TCAM limits and the ACL is programmed into the TCAM then the CPU on the supervisor should not be impacted. If the ACL is programmed into the TCAM then all of the checking will be done by the PFC/DFC.
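As an added illustration (not part of the original question or answer), here is what the setup described above looks like on IOS for a Sup720-based 7600, together with the checks a practitioner would run to confirm the ACL landed in the PFC/DFC TCAM rather than in software. The ACL name, the interface names and the port numbers are placeholders, not the regulated ports from the question.

```cisco
! Hypothetical example, not from the thread. One named extended ACL,
! applied inbound on each customer-facing interface of the PE.
! Port numbers below are placeholders; substitute the regulated ports.
ip access-list extended BLOCK-REGULATED-PORTS
 remark placeholder ports, replace with the ones the regulation names
 deny   tcp any any eq 135
 deny   udp any any eq 135
 deny   tcp any any eq 445
 deny   udp any any range 137 138
 permit ip any any
!
! Deliberately no "log" keyword on the deny entries: ACL logging forces
! matching packets to the route processor, which is exactly the software
! path the answer warns about.
!
interface GigabitEthernet3/1
 ip access-group BLOCK-REGULATED-PORTS in
!
interface GigabitEthernet3/2
 ip access-group BLOCK-REGULATED-PORTS in
!
! ... repeat "ip access-group BLOCK-REGULATED-PORTS in" on the remaining interfaces.
!
! Verification after applying the ACL (placeholder interface names):
!
! Overall ACL TCAM usage on the supervisor / each DFC-equipped module:
show tcam utilization
!
! The entries the hardware actually holds for this interface and direction:
show tcam interface GigabitEthernet3/1 acl in ip
!
! Feature Manager view: confirms the ACL is installed in hardware for the interface:
show fm interface GigabitEthernet3/1
!
! Before/after comparison of RP load, to answer the CPU question empirically:
show processes cpu sorted | exclude 0.00
```

Apply the ACL to a handful of interfaces first, run the show commands, and only then roll it out to the remaining interfaces. If `show tcam utilization` stays well within capacity and `show fm interface` reports the ACL as installed in hardware for the interface, the matching is done by the PFC/DFC as the answer describes, and the RP CPU figure from `show processes cpu` should not move with the number of interfaces the ACL is attached to.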