[c-nsp] PFC3/3B/3C ACL support

Kevin Graham kgraham at industrial-marshmallow.com
Wed May 13 15:37:28 EDT 2009


The "Understanding ACL on Catalyst 6500 Switches"[1] white paper indicates that:

   All TCP session traffic, except for the TCP three-way handshake (SYN,
   SYN/ACK, ACK) and session close (FIN/RST), is handled in hardware

...which makes sense for reflexive ACLs, but is that also true for extended ACLs
matching TCP flags? The need to punt on these flows for reflexives would suggest
that they can be distinguished in hardware, and based on 'sh tcam int ...' it would
seem that there are masks allocated for TCP flags[2] that could presumably be
leveraged for 'simple' filtering.

With the convenience of object-group/port-group in SXI, I'm inclined to spend some
time improving ACL usage on 6500s and was hoping to make them a little more
correct at the same time.

[1] http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml

[2] http://www.cisco.com/en/US/docs/ios/interface/command/reference/ir_s6.html#wp1013139
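An added illustration, not part of the original post, of the kind of extended ACL the question is about: one entry uses the "established" keyword, one matches TCP flags explicitly with "match-all", and the final "show tcam" line is the check (from the command family cited as [2]) for whether those entries were programmed into hardware. Addresses, interface and ACL name are constructed; whether the flag-matching entry is handled in hardware on a given PFC is exactly the open question and is not asserted here.

```text
! Constructed example configuration (addresses, interface and names are placeholders).
ip access-list extended INBOUND-FILTER
 ! return traffic for sessions initiated from inside (ACK or RST set)
 permit tcp any 192.0.2.0 0.0.0.255 established
 ! new connections to the web server only: SYN set, ACK clear
 permit tcp any host 192.0.2.10 eq 80 match-all +syn -ack
 ! everything else is dropped; logged denies are processed in software
 deny ip any any log
!
interface GigabitEthernet1/1
 ip access-group INBOUND-FILTER in
!
! Inspect the TCAM entries programmed for this interface and direction.
! An ACE that does not appear here is being evaluated by the RP/SP in software,
! which is what the hardware-vs-software question in the post comes down to.
show tcam interface GigabitEthernet1/1 acl in ip
```

Comparing the ACL as typed with the TCAM dump is the practical way to settle the question per platform and image: the flag masks the post mentions show up in that output when the flag-matching ACE has been merged into hardware.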
