ACE in TCAM

sugatada9
Level 1

Folks, what exactly does the Access Control Entity that the Feature Manager compiles into the TCAM refer to?

How does it differ from an Access List?


9 Replies

InayathUlla Sharieff
Cisco Employee

Sugata,

Here is the explanation for the same:

  • Feature Manager (FM)—After an access list has been created or configured, the Feature Manager software compiles, or merges, the ACEs into entries in the TCAM table. The TCAM can then be consulted at full frame forwarding speed.

This is because the ACEs might need to be optimized or rewritten to achieve certain TCAM algorithm requirements.

Figure 3-5: How an Access List Is Merged into TCAM

The example access list 100 (extended IP) is configured and merged into TCAM entries. First, the mask values must be identified in the access list. When an address value and a corresponding address mask are specified in an ACE, those mask bits must be set for matching. All other mask bits can remain in the "don't care" state. The access list contains only three unique masks: one that matches all 32 bits of the source IP address (found with an address mask of 255.255.255.255 or the keyword host), one that matches 16 bits of the destination address (found with an address mask of 0.0.255.255), and one that matches only 24 bits of the destination address (found with an address mask of 0.0.0.255). The keyword any in the ACEs means match anything or "don't care."

The unique masks are placed into the TCAM. Then, for each mask, all possible value patterns are identified. For example, a 32-bit source IP mask (Mask 1) can be found only in ACEs with a source IP address of 192.168.199.14 and a destination of 10.41.0.0. (The rest of Mask 1 is the destination address mask 0.0.255.255.) Those address values are placed into the first value pattern slot associated with Mask 1. Mask 2 has three value patterns: destination addresses 192.168.100.0, 192.168.5.0, and 192.168.199.0. Each of these is placed in the three pattern positions of Mask 2. This process continues until all ACEs have been merged.

When a mask's eighth pattern position has been filled, the next pattern with the same mask must be placed under a new mask. A bit of a balancing act occurs to try and fit all ACEs into the available mask and pattern entries without an overflow.

Ref: http://www.ciscopress.com/articles/article.asp?p=101629&seqNum=4

HTH

Regards

Inayath

*Plz rate all useful posts.

Hi Inayath,

I went through the document that you read, but I couldn't understand the difference between an ACE and an Access Control List.

And still it is not clear to me what is the difference!

Sugata,

The ACE is a shorthand for Access Control Entry, not Entity. Simply put, an ACE is exactly one line, or entry, in an ACL. An ACL contains one or more ACEs. For example, the following ACL contains three ACEs:

ip access-list extended Example
 permit ip host 192.0.2.1 any
 deny ip 192.0.2.0 0.0.0.255 any
 permit ip any any

ACLs are compiled into TCAM ACE by ACE, meaning that line by line, the ACL is analyzed and each single line, or entry, is programmed into TCAM. The goal of merging operations is to optimize the space occupied by several ACEs in the TCAM by reusing their common shared parts.

Would this help?

Best regards,

Peter
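To make both explanations concrete (Inayath's quoted description of masks and value patterns, and Peter's point that an ACL is compiled ACE by ACE), here is a small Python model I added to this thread; it is not Cisco code and not the Feature Manager's actual algorithm. It parses a constructed ACL written in the IOS extended syntax used above (only "permit/deny ip" with "any", "host" and address/wildcard specs), turns each ACE into a (value, mask) pair, groups the pairs by their unique mask, opens a new mask entry once eight value patterns are filled (the figure from the article quoted above), and then looks packets up the way a TCAM would: a hit is where (address AND mask) equals the stored value, and the lowest ACE sequence number wins. The 6500 merge algorithms linked by Peter do considerably more (the model keeps ACL order only as a sequence number), so treat this as an illustration of the terms, not of the hardware.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

PATTERNS_PER_MASK = 8  # value-pattern slots per mask entry, as in the quoted article

@dataclass(frozen=True)
class ACE:
    """One Access Control Entry, i.e. a single line of an ACL."""
    seq: int           # position in the ACL; preserves first-match priority
    action: str        # "permit" or "deny"
    src_value: int
    src_mask: int      # 1 bits must match, 0 bits are "don't care"
    dst_value: int
    dst_mask: int

MaskKey = Tuple[int, int]                 # (src_mask, dst_mask)
Pattern = Tuple[int, str, int, int]       # (seq, action, src_value, dst_value)

def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse an IOS address spec at tokens[i]; return (value, match_mask, next_index)."""
    tok = tokens[i]
    if tok == "any":                      # match anything: all mask bits "don't care"
        return 0, 0, i + 1
    if tok == "host":                     # all 32 bits must match
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ~wildcard & 0xFFFFFFFF         # IOS wildcard is the inverse of the match mask
    return addr & mask, mask, i + 2

def parse_acl(text: str) -> List[ACE]:
    """Split an extended ACL into its ACEs (one ACE per permit/deny line)."""
    aces: List[ACE] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "ip":   # skip the "ip access-list extended NAME" header
            continue
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE in this toy parser: {line!r}")
        src_value, src_mask, i = _parse_addr(tokens, 2)
        dst_value, dst_mask, _ = _parse_addr(tokens, i)
        aces.append(ACE(len(aces) + 1, action, src_value, src_mask, dst_value, dst_mask))
    return aces

def compile_to_tcam(aces: List[ACE]) -> List[Tuple[MaskKey, List[Pattern]]]:
    """Group ACEs under their unique masks; overflow a mask after PATTERNS_PER_MASK patterns."""
    by_mask: Dict[MaskKey, List[Pattern]] = {}
    order: List[MaskKey] = []             # masks in order of first appearance
    for ace in aces:
        key = (ace.src_mask, ace.dst_mask)
        if key not in by_mask:
            by_mask[key] = []
            order.append(key)
        by_mask[key].append((ace.seq, ace.action, ace.src_value, ace.dst_value))
    entries: List[Tuple[MaskKey, List[Pattern]]] = []
    for key in order:
        pats = by_mask[key]
        for start in range(0, len(pats), PATTERNS_PER_MASK):
            entries.append((key, pats[start:start + PATTERNS_PER_MASK]))
    return entries

def tcam_lookup(entries: List[Tuple[MaskKey, List[Pattern]]], src: str, dst: str) -> str:
    """Every entry whose masked key equals a stored value is a hit; lowest seq wins.
    Returns "deny" when nothing matches (the ACL's implicit deny)."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    best = None
    for (src_mask, dst_mask), patterns in entries:
        for seq, action, sv, dv in patterns:
            if (s & src_mask) == sv and (d & dst_mask) == dv:
                if best is None or seq < best[0]:
                    best = (seq, action)
    return best[1] if best else "deny"

# Constructed sample ACL (not from the thread): nine /16 destinations share one mask,
# so the ninth pattern spills into a second entry for that mask.
SAMPLE_ACL = "\n".join(
    ["ip access-list extended Example",
     " permit ip host 192.0.2.1 any",
     " deny ip 192.0.2.0 0.0.0.255 any"]
    + [f" permit ip any 10.{n}.0.0 0.0.255.255" for n in range(1, 10)]
    + [" permit ip any any"]
)

if __name__ == "__main__":
    entries = compile_to_tcam(parse_acl(SAMPLE_ACL))
    for (sm, dm), pats in entries:
        print(f"mask src={sm:08x} dst={dm:08x}: {len(pats)} pattern(s)")
    print(tcam_lookup(entries, "192.0.2.7", "10.5.1.1"))
```

Running it shows twelve ACEs collapsing to four unique masks but five TCAM entries, because the /16 mask needed a second entry for its ninth pattern; that is the "balancing act" the quoted article refers to.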

Hi Peter, your explanation of ACE (Access Control Entry) does really make sense. But unfortunately I was reading a document where it is narrated differently. This document is written by David Hucaby, CCIE No. 4594. I don't know what to say. Can you please refer me to a document where it is clearly mentioned that ACE means Access Control Entry and that a few ACEs create an Access Control List?

Hi Sugata,

Check out the following documents and search for the ACE acronym until you find it described in the expanded form:

http://www.cisco.com/en/US/products/hw/switches/ps646/products_tech_note09186a0080094bc6.shtml

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml

Best regards,

Peter

Thanks a lot Peter. It is clear now.

While the term used by David Hucaby was entity instead of entry and I'm not one to judge if that was right or wrong, the meaning of how it was used is exactly the same.

"Access lists are made up of one or more access control entities". As Peter explained, every line in an access list is treated as a single entry/entity. Merge algorithms are run to optimize how these are programmed in your TCAM.

The second link mentioned by Peter is a wonderful document on different merge algorithms on the 6500. It gives a lot of details on how this process is carried out which also makes it a slightly difficult read at first.

Regards,

Aninda

Hi Aninda,

Yes, correct. This discussion helped me to clear up the concept here.
