Re: [nsp] Cat6K: hardware ACL

From: Rubens Kuhl Jr. (rkuhljr@uol.com.br)
Date: Thu Jan 03 2002 - 06:43:05 EST


>And here is the problem. As long as there is no entry for that host in mls
>cache packets are dropped in software and it causes a very high
>utilization on the CPU. Whenever the appropriate mls entry exists packets
>are dropped in hardware.
>
>1. Is there any way to enforce outbound ACL to be processed in hardware?

Only by making the MLS shortcut alive, may be pinging every host and
trimming MLS parameters.

>2. Does this behavior differ when using Sup2/MSFC2/PFC2?

Yes. Sup2 forwards and ACLs the packet as soon as it completes the CEF
adjacency, and enforces rate-limits to protect the MSFC2 CPU. (MSFC2 also
survives a little longer even with Sup1, but it still could be DoS'ed)

>3. Is it possible to do per-port outbound ACL in hardware on Catalyst
>2948G-L3?

Dunno.

>4. Should I turn to Foundry BigIron or a similar Extreme product?

Foundry boxes/linecards prior to the JetCore ASIC would pass all traffic to
CPU; Extreme switches can handle only very small ACLs and total number of
ACL clauses. Ask this question to your Cisco account manager, it may help
in getting a Sup2 that would do the job very well.

>I know that inbound ACL are hardware processed and I am also aware about

I wouldn't make this assumption; I haven't tried newer IOS versions with
Sup1, but with some old ones inbound ACL were also affected by having or
not the MLS shortcut in place.

>VACLs. However, translating outbound ACL into inbound ones kind of
>complicates thing up, especially when there are lots of vlans configured.
>Vlan ACL are somewhat cumbersome to configure and do more than required,
>i.e. limiting traffic between hosts on the same vlan.

VACL is more useful to mirror/capture traffic and limiting intra-vlan
traffic when you want to, but this may be the only solution not requiring
inve$tment, a good thing these days.

Rubens Kuhl Jr.



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:58 EDT