> That's true. I'm doing extended ACLs on 10Base-T/100Base-TX & 100Base-FX
> ports in a 6506+PFC+MSFC with apparently good results. The ASIC
> implementation on the PFC as managed by the MSFC seems to do the
> right thing.
Still testing but seems to work fine.
> Note that you cannot do ACL logging without disabling the ASIC handling.
> That is, setting logging on an ACL entry causes (at least) the traffic
> matching that ACL entry to be handled by the MSFC rather than the
> PFC. Also, the tallies in the ACLs don't seem accurate (too low), but I
The counters are incremented when a packet goes MSFC-switched, which only
the first packet of a flow does.
> haven't verified
> that. The lack of logging is a bummer because you don't get any feedback
> about what is being discarded, but it does seem to discard the intended
> stuff. You can fly faster with blinders on. ;^)
It can fly faster than that if you don't run with full-flows but with
destination-only flows; full-flows generate good NetFlow statistics, but may
lead to inadequate performance with high volumes. Destination-only flows on
6500/PFC/MSFC can run full extended ACLs, and it's quite difficult to fill
up the flows table this way.
Rubens Kuhl Jr.
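The two knobs discussed in this thread (the `log` keyword on an ACL entry and the MLS flow mask), as an added configuration example that is not from the original posters: a hybrid Catalyst 6500 (CatOS on the supervisor, IOS on the MSFC) is assumed, and the ACL number, VLAN interface and addresses are constructed. The comments restate the observations made above, not vendor documentation.

```cisco
! --- MSFC (IOS) side: extended ACL applied to a routed VLAN interface ---
! Entry without "log": matched by the PFC ASICs. Per the thread, its
! counter only advances when a packet is MSFC-switched (the first packet
! of each flow), so "show access-lists 101" understates real hits.
access-list 101 deny   tcp any 192.0.2.0 0.0.0.255 eq 23
! Entry with "log": matching traffic is pulled to the MSFC so it can be
! logged, so this one entry costs CPU in proportion to what it matches.
! Keep such entries few and narrow, or drop "log" on busy ports.
access-list 101 deny   tcp any 192.0.2.0 0.0.0.255 eq 135 log
access-list 101 permit ip  any any
!
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
!
! --- Supervisor (CatOS) side: pick the MLS flow mask (choose one) ---
! "full" keys the cache on src/dst/protocol/ports: detailed NetFlow export,
! but one cache entry per conversation, which can exhaust the flow table
! under high volume.
set mls flow full
! "destination" keys on destination IP only: many conversations share one
! entry, so the table is far harder to fill while the ACLs still apply.
set mls flow destination
! Check which mask is active and how much of the cache is in use.
show mls
```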
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:17 EDT