Cisco Support Community

TCAM ACL processing and L4ops

I have been going through the document on ACLs on Cisco 6500 Catalyst Switches and have a few questions on the TCAM ACL processing. I've been referring to the below-mentioned document.

https://supportforums.cisco.com/post!input.jspa?container=2003&containerType=14

I have a question in the section "Logical Operation Units and Layer 4 Operations".

The document states as below.

"There is a limit of nine L4Ops for a given ACL in Supervisor 1a with PFC systems. For Supervisor Engine 2 with PFC2 and Supervisor 720 with PFC3 systems, there is a limit of ten L4Ops for a given ACL. This is because there are a limited number of LOU pointers available per ACL. If more than nine/ten L4Ops are configured, subsequent L4Ops must be expanded, which can greatly increase the TCAM usage in the PFC/PFC2.

In simple terms, when an L4Op is expanded, the system installs multiple VMRs in the TCAM that are equivalent to a single VMR that uses a LOU pointer. The system attempts to make the least possible impact when expanding L4Ops (that is, it will try to expand ACEs that require the least number of expanded TCAM entries). In the worst case, an expanded ACE can consume a large number of TCAM pattern and masks."

Does this mean that if I add an ACL statement "permit tcp host 10.10.10.10 host 20.20.20.20 range 1024 1030" but the ACL has already utilized the LOU limit for this ACL, this new line will be expanded and then compiled into the ACL as 7 different VMRs for each of the 7 ports in the range, so that all ports are matched using 7 VMRs and no L4Ops are needed?

permit tcp host 10.10.10.10 host 20.20.20.20 eq 1024

permit tcp host 10.10.10.10 host 20.20.20.20 eq 1025

permit tcp host 10.10.10.10 host 20.20.20.20 eq 1026

permit tcp host 10.10.10.10 host 20.20.20.20 eq 1027

permit tcp host 10.10.10.10 host 20.20.20.20 eq 1028

permit tcp host 10.10.10.10 host 20.20.20.20 eq 1029

permit tcp host 10.10.10.10 host 20.20.20.20 eq 1030

Please correct me if I am wrong and do let me know the exact meaning, please.

Thanks in advance !!!

Regards

Umesh Shetty


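An added example, not part of the original post or of the Cisco document: it assumes the expansion covers the port range with aligned value/mask blocks, the usual way a range is expressed in a TCAM without a range-check unit, and computes the entries for `range 1024 1030` from the question. The function names are hypothetical, and the page does not confirm that the PFC uses exactly this algorithm.

```python
def range_to_value_masks(lo, hi, width=16):
    """Cover [lo, hi] with the fewest aligned power-of-two blocks.

    Each block is one (value, mask) pair: mask bits set to 1 must equal
    the value, mask bits set to 0 are "don't care".
    Assumption: this is generic TCAM range expansion, not Cisco's code.
    """
    if not 0 <= lo <= hi < (1 << width):
        raise ValueError("invalid port range")
    full = (1 << width) - 1
    entries = []
    while lo <= hi:
        # Largest block that the alignment of lo allows ...
        size = (lo & -lo) if lo else (1 << width)
        # ... shrunk until it no longer runs past hi.
        while size > hi - lo + 1:
            size >>= 1
        entries.append((lo, full & ~(size - 1)))
        lo += size
    return entries


def matches(port, entries):
    """True if the port hits any value/mask entry, as a TCAM lookup would."""
    return any((port & mask) == value for value, mask in entries)


def show(lo, hi):
    """Render the expansion as readable lines."""
    return [f"value={v:5d}  mask=0x{m:04X}" for v, m in range_to_value_masks(lo, hi)]


if __name__ == "__main__":
    # Port range taken from the ACE in the question.
    for line in show(1024, 1030):
        print(line)
    # A badly aligned range, to show how fast the entry count can grow.
    print(len(range_to_value_masks(1, 65534)), "entries for range 1 65534")
```

Under that assumption the ACE in the question needs three entries (1024-1027, 1028-1029, 1030) rather than seven, while a poorly aligned range such as 1 to 65534 needs thirty, which is the kind of growth the quoted "worst case" sentence refers to.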