[nsp] Cat6500 reflexive ACL issues.

Antoine Versini vox@t-online.fr
Fri, 29 Nov 2002 10:33:53 +0100 (MET)


On 28 Nov 2002, Lars Erik Gullerud wrote:

> Only in percentages though, not actual counts. But you can always
> calculate back from there, knowing that there are 32 LOUs in total.

Thanks, this was indeed the information I was looking for.

After a careful reading of some CCO documents
(http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfig/secure.htm#xtocid5
and
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/65acl_wp.htm)
I saw that even if there are 32 LOUs available, only 10 of them are
allocated per ACL. The last white paper suggests that more than 10 LOUs
could be allocated: «* 10 per ACL (further L4Ops result in LOU
expansion)». This seems to be the actual behaviour of the switch, as one
of the ACLs was matching «ranges» of UDP and TCP ports, resulting in the
use of 12 LOUs and still being hardware managed as shown by a «show fm
features».

What is strange to me is that adding another ACL with a theoretical usage of
0 LOUs (only matching TCP ports with «eq») resulted in immediate LOU
deprecation even when not applied (each Cat6500 in the network only supports a
few ACLs; the new one was supposed to be used by a PBR route-map).

Side note: it seems that Cisco always had problems with hardware handling
of ACLs - I remember the SALSA and PSA thingies on Engine 1 and Engine 2
linecards, very weird.

Antoine.

-- 
Antoine Versini
IP Networks Project Manager / T-Online France - Club-Internet