[nsp] SUP1-MSFC performance?

Rubens Kuhl Jr. rubens at email.com
Wed Feb 11 18:15:36 EST 2004


> >As Sup1A already used TCAM for ACLs, it doesn't matter what is the size of
> >it provided it fits on TCAM (16K entries).
>
> It does matter if it is an output ACL - deny traffic in output ACL is
> always dropped in software on sup1A.

Not according to my experience (a not pleasant one, you may talk with Ian Cox
about the details), but that could be IOS version dependent. Be aware that
if the destination IP doesn't have some other allowed traffic, it won't
generate an IP entry on the NF CAM to hardware route it. That's one of the
weaknesses of the Sup1A architecture.

So this will be fine (assuming that there is traffic to 1.2.3.4 port 80 to
keep the NF entry)
access-list 100 permit tcp any 1.2.3.4 eq 80
access-list 100 deny ip any 1.2.3.4

But this would kill the MSFC because a shortcut will never be created:
access-list 100 deny ip any 1.2.3.4


This will also be bad because logging has to be done by the MSFC:
access-list 100 permit tcp any 1.2.3.4 eq 80
access-list 100 deny ip any 1.2.3.4 log



Rubens
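
The three ACL cases in the message above can be checked for mechanically before a config is pushed. The Python sketch below is an added example, not part of the original message; it takes the Sup1A behaviour as the message describes it, and the name `lint_acl`, the finding labels and the ACL numbers 101-103 (renumbered so the three cases fit in one sample) are assumptions.

```python
import re
from collections import defaultdict

# Extended-ACL lines of the shape used in the message:
#   access-list <id> <permit|deny> <proto> <src> <dst> [eq <port>] [log]
# Simplification: src/dst must be "any" or a bare address (no "host", no wildcard mask).
LINE = re.compile(
    r"^access-list\s+(?P<acl>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)(?:\s+eq\s+(?P<port>\S+))?(?P<log>\s+log)?\s*$"
)

# Constructed sample: the message's three cases, renumbered 101-103.
SAMPLE = """\
access-list 101 permit tcp any 1.2.3.4 eq 80
access-list 101 deny ip any 1.2.3.4
access-list 102 deny ip any 1.2.3.4
access-list 103 permit tcp any 1.2.3.4 eq 80
access-list 103 deny ip any 1.2.3.4 log
"""

def lint_acl(text):
    """Return sorted (acl, dst, finding) tuples for the two patterns in the message."""
    permits = defaultdict(set)   # acl -> destinations named by at least one permit
    denies = []                  # (acl, dst, logged) for every deny entry
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue             # blank or unsupported syntax is skipped
        if m["action"] == "permit":
            permits[m["acl"]].add(m["dst"])
        else:
            denies.append((m["acl"], m["dst"], bool(m["log"])))
    findings = set()
    for acl, dst, logged in denies:
        if logged:
            # Per the message: logging has to be done by the MSFC.
            findings.add((acl, dst, "deny-log"))
        if dst != "any" and dst not in permits[acl]:
            # Per the message: no allowed traffic to this destination means
            # no NF shortcut is created, so the denied traffic reaches the MSFC.
            # Heuristic only: entry order and shadowing are not evaluated.
            findings.add((acl, dst, "deny-without-permit"))
    return sorted(findings)

if __name__ == "__main__":
    for acl, dst, finding in lint_acl(SAMPLE):
        print(f"access-list {acl}: {finding} for destination {dst}")
```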


