RE: [nsp] Does access-list change switching path?

• Next message: Alban Dani: "[nsp] VPN help"
• Previous message: Birsen Ozturk: "[nsp] Does access-list change switching path?"
• Maybe in reply to: Birsen Ozturk: "[nsp] Does access-list change switching path?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

ACL's don't change the switching path. They do change what happens in
the switching path (as any feature does).

Some features don't work in some switching paths (certain forms of
encryption and CEF come to mind). ACL's on the whole don't predicate a
switching path.

Without seeing your config (i.e. inbound vs. outbound ACL's, CEF or
caching, etc.), and knowing generally what your traffic is like in
relationship to which interface you first picked for ACL's it is hard to
say why the CPU jumped for only the one interface. You may be hitting
the optimum interface for the ACL in question.

Another thing to remember is that TurboACL's radically change how the
router reacts as a result of ACL's. Length is of less importance then
before, and can drastically reduce your CPU load then without it (though
in some cases that can't be said).

You can confirm how you are switching packets (sort of) with the
following command:

7206-VXR>sho int stat
FastEthernet0/0
          Switching path Pkts In Chars In Pkts Out Chars Out
               Processor 632922 73144554 3086626 341043054
             Route cache 8851984 2075433294 5790169 1768482912
                   Total 9484906 2148577848 8876795 2109525966

Large numbers in Processor are bad. What this doesn't tell you is
whether "Route cache" means CEF, or Fast switching. You can confirm
this by doing a "sho ip int", and looking at what is enabled for each
interface.

Hope that helps.

David

-----Original Message-----
From: Birsen Ozturk [mailto:birsenozturk@turk.net]
Sent: Wednesday, July 03, 2002 7:35 AM
To: cisco-nsp@puck.nether.net
Subject: [nsp] Does access-list change switching path?

Hello
I wrote an extended access-list and applied it to an interface. This
increased the cpu utilization by 8%. Then I applied the same access-list
to every other active interface on the same router (which is 7200) but
the cpu didn't raise any further. Why it is so? (I was expecting the
router to crach)
 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
When I apply an access-list to an interface does it change the switching
path?

Birsen Ozturk

• Next message: Alban Dani: "[nsp] VPN help"
• Previous message: Birsen Ozturk: "[nsp] Does access-list change switching path?"
• Maybe in reply to: Birsen Ozturk: "[nsp] Does access-list change switching path?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:49 EDT