
CPU impact with ACLs


Postby Guest » Sun Mar 09, 2008 4:23 pm

Hi all,

I have a requirement to apply an ACL on around 100 interfaces to block certain ports (UDP & TCP) due to government regulation requirements. I have a 7609 router with a SUP720-3BXL supervisor engine (acting as an MPLS PE in our network) with an average CPU of 40%.

1. Will there be any huge CPU increase from applying this single ACL on around 100 interfaces? (Any practical experience from any of you?)

2. Will ACLs be processed in the control plane, though I apply it on individual interfaces/different line cards?

Can anyone help me understand this?

Thanks,

Chaminda

Guest
 

Re:CPU impact with ACLs

Postby Guest » Sun Mar 09, 2008 4:38 pm

Hello Chaminda,

In the C7600, unless the log option is used, packets are processed by CEF, not process switched.

We have ACLs on PE nodes for client VLANs, on the order of 20-30 client VLANs.

Hope this helps

Giuseppe

Guest
 

Re:CPU impact with ACLs

Postby Guest » Sun Mar 09, 2008 5:56 pm

Hello Giuseppe,

Thanks for your update and for sharing your experience.

Thanks,
ChamindaW

Guest
 

Re:CPU impact with ACLs

Postby Guest » Sun Mar 09, 2008 6:18 pm

This can be a very complex topic. The architectures of the 6500 and 7600 are very similar, so I would read through this document:

Understanding ACL on Catalyst 6500 Series Switches

http://tools.cisco.com/squish/50095

If the ACLs configured do not exceed the TCAM limits and the ACL is programmed into the TCAM, then the CPU on the supervisor should not be impacted. If the ACL is programmed into the TCAM, then all of the checking will be done by the PFC/DFC.

Guest
 

Re:CPU impact with ACLs

Postby Guest » Sun Mar 09, 2008 6:20 pm

Hello George,

Thanks for your valuable update.

Here is my TCAM count.

 

COL001-PE4#sh tcam counts
                Used        Free        Percent Used       Reserved
                ----        ----        ------------       --------
 Labels:(in)      13        4083            0
 Labels:(eg)       3        4093            0

ACL_TCAM
--------
  Masks:          31        4065            0                 72
Entries:         193       32575            0                576

QOS_TCAM
--------
  Masks:          10        4086            0                 18
Entries:          52       32716            0                144

    LOU:           0         128            0
  ANDOR:           0          16            0
  ORAND:           0          16            0
    ADJ:           3        2045            0

 

I believe I can use the free ACL_TCAM space for my requirement, provided it doesn't exceed the maximum limit. Also, one more clarification: in your post you mentioned "the ACL is programmed into the TCAM". What does this really mean? Do we need to do anything manually to cater for this requirement?

Thanks,

ChamindaW

Guest
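
An added example (not part of any post in this thread): a Python parser for the `sh tcam counts` output quoted above, with a worst-case headroom check to run before rolling an ACL out to many interfaces. The function names, the one-entry-per-ACE-per-interface model and the 20-ACE ACL size are assumptions; real TCAM consumption depends on how the platform merges and shares entries.

```python
import re

# Constructed sample: figures taken from the `sh tcam counts` output in the post above.
SAMPLE = """\
                Used        Free        Percent Used       Reserved
 Labels:(in)      13        4083            0
 Labels:(eg)       3        4093            0

ACL_TCAM
--------
  Masks:          31        4065            0                 72
Entries:         193       32575            0                576

QOS_TCAM
--------
  Masks:          10        4086            0                 18
Entries:          52       32716            0                144

    LOU:           0         128            0
"""

# name, optional "(in)"/"(eg)", used, free, percent used, optional reserved
ROW = re.compile(r"^\s*(\S+?):(\(\w+\))?\s+(\d+)\s+(\d+)\s+(\d+)(?:\s+(\d+))?\s*$")

def parse_tcam_counts(text):
    """Map 'SECTION/Resource' -> dict(used, free, reserved) from the CLI output."""
    counts, section = {}, ""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            section = ""                      # a blank line ends a *_TCAM section
        elif stripped.endswith("_TCAM"):
            section = stripped + "/"
        elif m := ROW.match(line):
            name = section + m.group(1) + (m.group(2) or "")
            counts[name] = {"used": int(m.group(3)), "free": int(m.group(4)),
                            "reserved": int(m.group(6) or 0)}
    return counts

def acl_fits(counts, aces, interfaces):
    """Worst-case model (assumption): one ACL_TCAM entry per ACE per interface,
    no sharing or merging. Returns (fits, entries_needed, free_after)."""
    free = counts["ACL_TCAM/Entries"]["free"]
    needed = aces * interfaces
    return needed <= free, needed, free - needed

if __name__ == "__main__":
    c = parse_tcam_counts(SAMPLE)
    print(acl_fits(c, aces=20, interfaces=100))   # 20 ACEs is a made-up ACL size
```
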
 


