[nsp] Cat6500 reflexive ACL issues.

David J. Hughes bambi@Hughes.com.au
Thu, 28 Nov 2002 09:33:31 +1000


We have found that, with the limited TCAM resources provided by
the sup1, it is best to avoid the use of reflexive ACLs.  The
dynamic nature of the reflexive lists isn't a good fit when you
are short on TCAM buffers.

You may also find that the IOS version you are running has a
direct impact on your TCAM utilisation.  Below are the results
of some lab testing I did a few months ago using the config
from a production 6509 under different IOS images.

Image          Labels   Masks   Entries   LOU
12.1(12c)E1    80       1084    2572      16
12.1(11b)E3    80       1214    2572      16
12.1(8b)E9     84       1240    2587      16

I can only assume that there were significant changes made
to the optimiser in the ACL compiler in 12c.


Bambi
...


> ACL-3-TCAMFULL:Acl engine TCAM table is full
> 2002 Nov 26 09:31:26 EST -05:00 %ACL-3-RACLMAPCOMMITFAIL:Failed to map
> Router ACL to VLAN xxx
>
> ...
>
> Being that this switch has two MSFC1's, I'm guessing that the limit of 512
> reflexive ACL entries is what's causing the problems here.  What I don't
> understand is why the above two commands seem to contradict each other
> regarding the reflexive entries.