07-01-2010 01:49 AM - edited 03-01-2019 02:19 PM
Hi all,
I have a requirement to apply an ACL on around 100 interfaces to block certain ports (UDP & TCP) due to government regulation requirements. I've a 7609 router with a SUP720-3BXL supervisor engine (acting as an MPLS PE in our network) with an average CPU of 40%.
1. Will there be any huge CPU increase by applying this single ACL on around 100 interfaces? (Any practical experience from any one of you?)
2. Will ACLs process in control plane; though I apply it in individual interfaces/different line cards?
Can any one help me out to understand this.
Thanks,
Chaminda
07-07-2010 03:49 PM
This can be a very complex topic. The architecture for the 6500 and 7600 are very similar, so I would read through this document:
Understanding ACL on Catalyst 6500 Series Switches
http://tools.cisco.com/squish/50095
If the ACLs configured do not exceed the TCAM limits and the ACL is programmed into the TCAM then the CPU on the supervisor should not be impacted. If the ACL is programmed into the TCAM then all of the checking will be done by the PFC/DFC.
07-08-2010 05:07 AM
Programming the TCAM happens automatically through the software when the ACL is configured. If you use certain features or exceed the TCAM space then the ACL will fail to be programmed and then the traffic will be punted to the control plane.
07-03-2010 11:11 AM
Hello Chaminda,
In C7600, unless using the log option, packets are processed by CEF, not process switched.
We have ACLs on PE nodes for client VLANs, in the order of 20-30 client VLANs.
Hope to help
Giuseppe
07-07-2010 08:45 PM
Hello Giuseppe,
Thanks for your update and for sharing your experience.
Thanks ChamindaW
07-07-2010 09:35 PM
Hello George,
Thanks for your valuable update.
Here is my TCAM count.
COL001-PE4#sh tcam counts
           Used        Free        Percent Used   Reserved
           ----        ----        ------------   --------
 Labels:(in)    13     4083        0
 Labels:(eg)     3     4093        0

 ACL_TCAM
 --------
  Masks:        31     4065        0              72
 Entries:      193    32575        0              576

 QOS_TCAM
 --------
  Masks:        10     4086        0              18
 Entries:       52    32716        0              144

 LOU:            0      128        0
 ANDOR:          0       16        0
 ORAND:          0       16        0
 ADJ:            3     2045        0
I believe I can use the free ACL_TCAM space for my requirement, provided it doesn't exceed the maximum limit. Also, one more clarification: in your post you mentioned "the ACL is programmed into the TCAM". What does this really mean? Do we need to do anything manually to cater for this requirement?
Thanks
ChamindaW
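Since an ACL that does not fit in the TCAM is not programmed in hardware and its traffic ends up on the RP CPU, a pre-change check of the free ACL_TCAM space is worth scripting. The following is an added example (not from the thread or from Cisco) that parses the "show tcam counts" output posted above and reports whether a planned number of entries and masks still leaves a safety margin; the per-ACL entry/mask consumption is an assumed input the operator supplies, and the 20% margin is an arbitrary default.

```python
import re

# Constructed from the "show tcam counts" output in this thread, with the
# blank lines the device prints between sections restored (QOS rows omitted).
SAMPLE = """\
           Used        Free        Percent Used   Reserved
           ----        ----        ------------   --------
 Labels:(in)    13     4083        0
 Labels:(eg)     3     4093        0

 ACL_TCAM
 --------
  Masks:        31     4065        0              72
 Entries:      193    32575        0              576

 ADJ:            3     2045        0
"""

# Row shape: name[:]  used  free  percent-used  [reserved]
ROW = re.compile(r"^\s*(\S+?):?\s+(\d+)\s+(\d+)\s+(\d+)(?:\s+(\d+))?\s*$")

def parse_tcam_counts(text):
    """Map section -> row -> counters; rows outside a *_TCAM block go to GLOBAL."""
    section, out = "GLOBAL", {}
    for line in text.splitlines():
        s = line.strip()
        if not s:                      # a blank line closes a section block
            section = "GLOBAL"
        elif s.endswith("_TCAM"):
            section = s
        elif (m := ROW.match(line)):
            name, used, free, _pct, reserved = m.groups()
            out.setdefault(section, {})[name] = {
                "used": int(used), "free": int(free),
                "reserved": int(reserved or 0)}
    return out

def acl_tcam_headroom(counts, new_entries, new_masks, margin=0.2):
    """For each ACL_TCAM resource return (free after the change, fits with at
    least `margin` of total capacity still free). new_entries/new_masks are
    the assumed cost of the planned ACL; the script does not derive them."""
    acl = counts["ACL_TCAM"]
    verdict = {}
    for row, need in (("Entries", new_entries), ("Masks", new_masks)):
        total = acl[row]["used"] + acl[row]["free"]
        free_after = acl[row]["free"] - need
        verdict[row] = (free_after, free_after >= margin * total)
    return verdict
```

Feed it the real output captured from the box and the planned ACL's estimated cost; a False verdict means re-check the ACL before applying it to 100 interfaces.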