>And here is the problem. As long as there is no entry for that host in mls
>cache packets are dropped in software and it causes a very high
>utilization on the CPU. Whenever the appropriate mls entry exists packets
>are dropped in hardware.
>
>1. Is there any way to enforce outbound ACL to be processed in hardware?
Only by making the MLS shortcut alive, maybe by pinging every host and
trimming MLS parameters.
>2. Does this behavior differ when using Sup2/MSFC2/PFC2?
Yes. Sup2 forwards and ACLs the packet as soon as it completes the CEF
adjacency, and enforces rate-limits to protect the MSFC2 CPU. (MSFC2 also
survives a little longer even with Sup1, but it still could be DoS'ed)
>3. Is it possible to do per-port outbound ACL in hardware on Catalyst
>2948G-L3?
Dunno.
>4. Should I turn to Foundry BigIron or a similar Extreme product?
Foundry boxes/linecards prior to the JetCore ASIC would pass all traffic to
CPU; Extreme switches can handle only very small ACLs and total number of
ACL clauses. Ask this question to your Cisco account manager, it may help
in getting a Sup2 that would do the job very well.
>I know that inbound ACL are hardware processed and I am also aware of
I wouldn't make this assumption; I haven't tried newer IOS versions with
Sup1, but with some old ones inbound ACL were also affected by having or
not the MLS shortcut in place.
>VACLs. However, translating outbound ACL into inbound ones kind of
>complicates things, especially when there are lots of vlans configured.
>VLAN ACLs are somewhat cumbersome to configure and do more than required,
>i.e. limiting traffic between hosts on the same vlan.
VACL is more useful to mirror/capture traffic and limiting intra-vlan
traffic when you want to, but this may be the only solution not requiring
inve$tment, a good thing these days.
Rubens Kuhl Jr.
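The outbound-to-inbound translation the poster finds cumbersome, as an added example that is not from the thread: given the ACL meant for one VLAN's SVI outbound, it generates the equivalent inbound ACEs for every other VLAN, which makes the ACE-count growth with many VLANs visible. The VLAN subnets and the ACL are constructed sample data, and the extended-ACL wildcard rendering is an assumption about the target syntax.

```python
import ipaddress

# Constructed data: three VLAN subnets on the MSFC and an ACL the operator
# wants applied OUTBOUND on the VLAN 10 SVI. ACE = (action, proto, src, dst).
VLANS = {10: ipaddress.ip_network("10.0.10.0/24"),
         20: ipaddress.ip_network("10.0.20.0/24"),
         30: ipaddress.ip_network("10.0.30.0/24")}
OUTBOUND_ACL_VLAN10 = [("deny", "tcp", "any", "10.0.10.5/32"),
                       ("deny", "udp", "10.0.30.0/24", "10.0.10.0/24"),
                       ("permit", "ip", "any", "any")]

def _ios(addr):
    """Render 'any' or a CIDR in extended-ACL address/wildcard syntax (assumed)."""
    if addr == "any":
        return "any"
    net = ipaddress.ip_network(addr)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"

def _narrow(addr, subnet):
    """Restrict a destination to what can actually egress into `subnet`;
    None means the ACE can never match traffic routed into it."""
    if addr == "any":
        return str(subnet)
    net = ipaddress.ip_network(addr)
    if net.subnet_of(subnet):
        return str(net)
    return str(subnet) if subnet.subnet_of(net) else None

def translate_outbound_to_inbound(out_vlan, acl, vlans):
    """For every other VLAN, build the inbound ACEs equivalent to `acl`
    applied outbound on out_vlan's SVI. Returns {vlan: [ace strings]}."""
    target = vlans[out_vlan]
    result = {}
    for vlan in vlans:
        if vlan == out_vlan:
            continue  # intra-VLAN traffic is switched, never routed: untouched by the outbound ACL
        aces = []
        for action, proto, src, dst in acl:
            dst_n = _narrow(dst, target)
            if dst_n is not None:  # ACEs that can never be routed into out_vlan are dropped
                aces.append(f"{action} {proto} {_ios(src)} {_ios(dst_n)}")
        # Reproduce the outbound ACL's implicit deny for the target subnet, then
        # permit everything else: the inbound ACL's own implicit deny would
        # otherwise drop traffic bound for every other VLAN.
        aces.append(f"deny ip any {_ios(str(target))}")
        aces.append("permit ip any any")
        result[vlan] = aces
    return result
```

Every additional VLAN adds another full copy of the translated list, so the total ACE count the PFC must hold grows linearly with the number of VLANs.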
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:58 EDT