Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2431
Views
0
Helpful
5
Replies

CPU impact with ACLs

Go to solution
Chamindaw_2
Level 1
Level 1

‎07-01-2010 01:49 AM - edited ‎03-01-2019 02:19 PM

Hi all,

I have a requirement to apply an ACL on around 100 interfaces to block sertain ports (UDP&TCP) due to government regulation requirements. I've a 7609 router with SUP720-3BXL superwisor engine (act as a MPLS PE in our netrowk) with average CPU of 40%.

1. Will there be any huge CPU incerase by allpying this single ALC on around 100 interfaces? (Any practical experience with any one of you all)

2. Will ACLs process in control plane; though I apply it in individual interfaces/different line cards?

Can any one help me out to understand this.

Thanks,

Chaminda

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
gephelps
Cisco Employee
Cisco Employee

‎07-07-2010 03:49 PM

This can be a  very complex topic. The architecture for the 6500 and 7600 are very similiar so I would read though this document:

Understanding ACL on Catalyst 6500 Series Switches

http://tools.cisco.com/squish/50095

If the ACLs configured do not exceed the TCAM limits and the ACL is programmed into the TCAM then the CPU on the supervisor should not be impacted. If the ACL is programmed into the TCAM then all of the checking will be done by the PFC/DFC.

View solution in original post

0 Helpful

Go to solution
gephelps
Cisco Employee
Cisco Employee
In response to Chamindaw_2

‎07-08-2010 05:07 AM

Programming the TCAM happens automatically through the software when the ACL is configured. If you use certain features or exceed the TCAM space then the ACL will fail to be programmed and then the traffic will be punted to the control plane.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎07-03-2010 11:11 AM

Hello Chaminda,

in  C7600 unless using the log option packets are processed by CEF not process switched

We have ACLs on PE nodes for client Vlans in order of 20-30 clients vlans

Hope to help

Giuseppe

0 Helpful

Go to solution
Chamindaw_2
Level 1
Level 1
In response to Giuseppe Larosa

‎07-07-2010 08:45 PM

Hellow Giuseppe,

Thanks for you r update and sharing your experienc.

Thanks ChamindaW

0 Helpful

Go to solution
gephelps
Cisco Employee
Cisco Employee

‎07-07-2010 03:49 PM

This can be a  very complex topic. The architecture for the 6500 and 7600 are very similiar so I would read though this document:

Understanding ACL on Catalyst 6500 Series Switches

http://tools.cisco.com/squish/50095

If the ACLs configured do not exceed the TCAM limits and the ACL is programmed into the TCAM then the CPU on the supervisor should not be impacted. If the ACL is programmed into the TCAM then all of the checking will be done by the PFC/DFC.

0 Helpful

Go to solution
Chamindaw_2
Level 1
Level 1
In response to gephelps

‎07-07-2010 09:35 PM

Hellow George,

Thanks for your valuable update.

Here is my TCAM count.

COL001-PE4#sh tcam counts

                                Used        Free        Percent Used       Reserved

                                ------                        - ----          --- --------------      --- --------

Labels:(in)          13            4083                    0

Labels:(eg)           3            4093                      0

ACL_TCAM

--------

  Masks:                31            4065                        0                            72

Entries:                 193       32575                       0                            576

QOS_TCAM

--------

  Masks:                10            4086                      0                             18

Entries:                 52           32716                     0                             144

    LOU:                    0                  128                   0

  ANDOR:               0                  16                0

  ORAND:               0                  16                0

    ADJ:                     3              2045                 0

Believe I can use free ACL_TCAM space for my requirement provided it doesn't exceed the maximum limit. Also one more clarification; in your post you have mentioned " the ACL is programmed into the TCAM". What does this really mean? Do we need to perform any thing manually to cater this requirement?

THanks

CHamindaW

0 Helpful

Go to solution
gephelps
Cisco Employee
Cisco Employee
In response to Chamindaw_2

‎07-08-2010 05:07 AM

Programming the TCAM happens automatically through the software when the ACL is configured. If you use certain features or exceed the TCAM space then the ACL will fail to be programmed and then the traffic will be punted to the control plane.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents