07-16-2013 09:38 AM - edited 03-07-2019 02:25 PM
Folks, what exactly does "Access Control Entity" refer to, the thing that is compiled by the Feature Manager into the TCAM?
How does it differ from an access list?
07-17-2013 03:14 PM
Hi Sugata,
Check out the following documents and search for the ACE acronym until you find it described in the expanded form:
http://www.cisco.com/en/US/products/hw/switches/ps646/products_tech_note09186a0080094bc6.shtml
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml
Best regards,
Peter
07-18-2013 01:18 AM
While the term used by David Hucaby was entity instead of entry and I'm not one to judge if that was right or wrong, the meaning of how it was used is exactly the same.
"Access lists are made up of one or more access control entities". As Peter explained, every line in an access list is treated as a single entry/entity. Merge algorithms are run to optimize how these are programmed in your TCAM.
The second link mentioned by Peter is a wonderful document on different merge algorithms on the 6500. It gives a lot of details on how this process is carried out which also makes it a slightly difficult read at first.
Regards,
Aninda
07-16-2013 05:39 PM
Sugata,
Here is the explanation for the same:
This is because the ACEs might need to be optimized or rewritten to achieve certain TCAM algorithm requirements.
Figure 3-5 How an Access List Is Merged into TCAM
The example access list 100 (extended IP) is configured and merged into TCAM entries. First, the mask values must be identified in the access list. When an address value and a corresponding address mask are specified in an ACE, those mask bits must be set for matching. All other mask bits can remain in the "don't care" state. The access list contains only three unique masks: one that matches all 32 bits of the source IP address (found with an address mask of 255.255.255.255 or the keyword host), one that matches 16 bits of the destination address (found with an address mask of 0.0.255.255), and one that matches only 24 bits of the destination address (found with an address mask of 0.0.0.255). The keyword any in the ACEs means match anything or "don't care."
The unique masks are placed into the TCAM. Then, for each mask, all possible value patterns are identified. For example, a 32-bit source IP mask (Mask 1) can be found only in ACEs with a source IP address of 192.168.199.14 and a destination of 10.41.0.0. (The rest of Mask 1 is the destination address mask 0.0.255.255.) Those address values are placed into the first value pattern slot associated with Mask 1. Mask 2 has three value patterns: destination addresses 192.168.100.0, 192.168.5.0, and 192.168.199.0. Each of these is placed in the three pattern positions of Mask 2. This process continues until all ACEs have been merged.
When a mask's eighth pattern position has been filled, the next pattern with the same mask must be placed under a new mask. A bit of a balancing act occurs to try and fit all ACEs into the available mask and pattern entries without an overflow.
Ref: http://www.ciscopress.com/articles/article.asp?p=101629&seqNum=4
HTH
Regards
Inayath
*Please rate all useful posts.
07-17-2013 02:23 PM
Hi Inayath,
I went through the document that you read, but I couldn't understand the difference between an ACE and an Access Control List.
07-17-2013 02:24 PM
And still it is not clear to me what is the difference!
07-17-2013 02:47 PM
Sugata,
The ACE is a shorthand for Access Control Entry, not Entity. Simply put, an ACE is exactly one line, or entry, in an ACL. An ACL contains one or more ACEs. For example, the following ACL contains three ACEs:
ip access-list extended Example
permit ip host 192.0.2.1 any
deny ip 192.0.2.0 0.0.0.255 any
permit ip any any
ACLs are compiled into TCAM ACE by ACE, meaning that line by line, the ACL is analyzed and each single line, or entry, is programmed into TCAM. The goal of merging operations is to optimize the space occupied by several ACEs in the TCAM by reusing their common shared parts.
Would this help?
Best regards,
Peter
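The grouping that the excerpt quoted by Inayath describes (find the unique masks, place each ACE's value pattern under its mask, open a new mask entry once eight patterns are filled) and the ACE-by-ACE compilation Peter describes, modelled in Python as an added example. This is not code from this thread, from Cisco, or from Hucaby's book. The sample ACL is constructed, the eight-patterns-per-mask limit is taken from the quoted text, and the parser is an assumption that accepts only plain `ip` ACEs without port qualifiers.

```python
"""Model of how extended-ACL ACEs are grouped by mask into TCAM entries.

Added example, not code from the thread or from Cisco. It follows the
quoted description (unique masks first, then value patterns under each
mask, eight patterns per mask) and deliberately ignores the
ordering-dependent logic of the real Feature Manager merge algorithms.
"""
import ipaddress

PATTERNS_PER_MASK = 8  # value slots per mask entry, as stated in the quoted text

# Constructed sample ACL (hypothetical; mirrors the three masks in the quote:
# host = 32 care bits, 0.0.255.255 = 16 care bits, 0.0.0.255 = 24 care bits).
# Only 'ip' ACEs without port qualifiers are supported by this parser (assumption).
SAMPLE_ACL = """
permit ip host 192.168.199.14 10.41.0.0 0.0.255.255
permit ip any 192.168.100.0 0.0.0.255
permit ip any 192.168.5.0 0.0.0.255
deny   ip any 192.168.199.0 0.0.0.255
permit ip any any
"""


def _addr(tokens, i):
    """Consume one address spec at tokens[i]; return (value, care_mask, next_i).
    care_mask bit = 1 means the bit must match; 0 means 'don't care' in TCAM."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    value = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))  # IOS wildcard: 1 = ignore
    care = ~wildcard & 0xFFFFFFFF                          # invert into a TCAM care mask
    return value & care, care, i + 2


def parse_ace(line):
    """One ACL line is one ACE: action, protocol, source spec, destination spec."""
    tokens = line.split()
    src, smask, i = _addr(tokens, 2)
    dst, dmask, _ = _addr(tokens, i)
    return {"action": tokens[0], "proto": tokens[1],
            "value": (src, dst), "mask": (smask, dmask)}


def parse_acl(text):
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def unique_masks(aces):
    """The distinct (src_mask, dst_mask) pairs, in first-seen order."""
    seen = []
    for ace in aces:
        if ace["mask"] not in seen:
            seen.append(ace["mask"])
    return seen


def merge_into_tcam(aces, patterns_per_mask=PATTERNS_PER_MASK):
    """Place each ACE's value pattern under its mask entry. When a mask's slots
    are full, the next pattern with that mask opens a new mask entry (the
    overflow case in the quote). Returns [(mask, [(value, action), ...]), ...]."""
    entries = []
    for ace in aces:
        for mask, patterns in entries:
            if mask == ace["mask"] and len(patterns) < patterns_per_mask:
                patterns.append((ace["value"], ace["action"]))
                break
        else:
            entries.append((ace["mask"], [(ace["value"], ace["action"])]))
    return entries


def first_match(aces, src, dst):
    """ACL semantics: the first ACE whose care bits match wins; implicit deny."""
    for ace in aces:
        (sv, dv), (sm, dm) = ace["value"], ace["mask"]
        if src & sm == sv and dst & dm == dv:
            return ace["action"]
    return "deny"


if __name__ == "__main__":
    aces = parse_acl(SAMPLE_ACL)
    print(f"{len(aces)} ACEs, {len(unique_masks(aces))} unique masks")
    for mask, patterns in merge_into_tcam(aces):
        print(f"mask src={mask[0]:08x} dst={mask[1]:08x}: {len(patterns)} pattern(s)")
```

Running it on the sample ACL gives five ACEs, three unique masks, and three mask entries holding one, three and one value patterns. The point to keep in mind: this grouping only accounts for space. It does not guarantee that a lookup over the grouped entries returns the same first-match result as walking the ACL top to bottom when ACEs with different masks interleave, and preserving that order while still sharing masks is exactly what the merge algorithms in the 6500 white paper exist to do. When an ACL exceeds the available mask or pattern entries, the overflow behaviour of the platform, not this model, decides what happens to the traffic, which is why the space accounting matters to a security review.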
07-17-2013 03:01 PM
Hi Peter, your explanation of ACE (Access Control Entry) really does make sense. But unfortunately I was reading a document where it is narrated differently. This document is written by David Hucaby, CCIE No. 4594. I don't know what to say. Can you please refer to a document where it is clearly mentioned that ACE means Access Control Entry and that a few ACEs create an Access Control List?
07-21-2013 04:38 AM
Thanks a lot Peter. It is clear now.
07-21-2013 04:37 AM
Hi Aninda,
Yes, correct. This discussion helped me to clear up the concept here.