[[nsp] ACLs]
Florian Weimer
Weimer at CERT.Uni-Stuttgart.DE
Fri Feb 28 20:52:55 EST 2003
Brian Wallingford <brian at meganet.net> writes:
> :On the bigger routers, the internal representation of ACLs is quite
> :different from the list you present to the router. Some translation
> :process is involved, and at least some optimization is usually part of
> :it.
>
> I can't imagine this optimization would include reordering.

Well, it's even better, in some way. Access lists stored in TCAM are
order-independent, like routing tables, with the same "longest match
taken" rule. 8-)

It's a long way from the ACL to the TCAM contents, and we had a bit of
trouble with older IOS versions in this area. (Not incorrect ACLs,
but irreproducible crashes when the router compiled the ACL.)

--
Florian Weimer Weimer at CERT.Uni-Stuttgart.DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT fax +49-711-685-5898
More information about the cisco-nsp mailing list