[nsp] Cat6K: hardware ACL

From: Elijah Kagan (elijah@netvision.net.il)
Date: Thu Jan 03 2002 - 04:48:24 EST


I have a Catalyst 6500 with Sup1/MSFC1/PFC1 running IOS 12.1(8b)EX3 in
native mode, i.e. both on the supervisor and MSFC.

I am trying to limit outbound traffic using IOS ACL on a vlan
interface, the configuration looks something like this:

    interface Vlan100
     ip access-group TEST out
     no ip unreachables
    !
    ip access-list extended TEST
     deny icmp any any
     permit ip any any

To test this configuration I am sending (read flooding) ICMP packets to
some host in vlan100.

And here is the problem. As long as there is no entry for that host in mls
cache packets are dropped in software and it causes a very high
utilization on the CPU. Whenever the appropriate mls entry exists packets
are dropped in hardware.

1. Is there any way to enforce outbound ACL to be processed in hardware?
2. Does this behavior differ when using Sup2/MSFC2/PFC2?
3. Is it possible to do per-port outbound ACL in hardware on Catalyst 2948G-L3?
4. Should I turn to Foundry BigIron or a similar Extreme product?

I know that inbound ACL are hardware processed and I am also aware about
VACLs. However, translating outbound ACL into inbound ones kind of
complicates thing up, especially when there are lots of vlans configured.
Vlan ACL are somewhat cumbersome to configure and do more than required,
i.e. limiting traffic between hosts on the same vlan.

-- elijah



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:27 EDT