[nsp] Compiled Access Lists 7500's
Dmitri Kalintsev
dek at hades.uz
Thu Jan 9 08:21:57 EST 2003
On Wed, Jan 08, 2003 at 09:16:47AM -0800, Siva Valliappan wrote:

> with the turbo ACL phase II code, we do incremental compiles. so the
> entire list is not compiled when it is first created or when an ACL
> is changed.

Which one is "Phase II"? Is that the one since 12.0(19)S (or something
around that time), where you would compile a new copy while keeping old
compiled list or is it that plus the change we've requested that actually
looks at amount of memory available before trying to allocate memory for the
new copy of compiled ACLs and discards the old one if there's not enough
memory for the new compile? This was applicable to VIP2-40's, which didn't
have enough memory for 2 copies of our compiled ACLs.

By the way, even new and improved incremental compiles were giving us CPU
hogs if ACL was changed *after router was up for quite a while* (meaning it
had a chance to compile most of the ACLs due to hits on them). Admittedly,
CPU hogs were only visible on RSP2's, which we don't use in actual
production.

> the packet leak thru' the turbo ACL code sounds like a bad bug. is
> a bug open on it?

Looks like it is - CSCdm70194. Curiously, bug's list of "Fixed In" versions
is empty. Hmm. :)

> On Tue, 7 Jan 2003, Manolo Hernandez wrote:
>
> > It was a 10 line ACL that when initially added to interface did not
> > catch an IP address that we knew was coming in on that interface. We
> > have VIP4-80s with 10-12% CPU so I don't think that was the problem.
> >
> > On Tue, 2003-01-07 at 16:52, Dmitri Kalintsev wrote:
> > > What do you mean by "take effect"? Every time you change a compiled ACL, all
> > > compiled ACLs are recompiled anew, and on 7500 it is done on per-VIP basis,
> > > so if you have slow VIPs it may take a while for them to do it for large
> > > number of ACL lines.
> > >
> > > On Tue, Jan 07, 2003 at 01:47:48PM -0500, Manolo Hernandez wrote:
> > > > Is it a known issue that when an Extended access-list that is compiled
> > > > is removed and modified for the changes to that ACL to take say 5
> > > > minutes to take effect? I had this strange pop on me today and wanted to
> > > > know if anyone else had this problem. BTW I am running 12.2.8T5 Service
> > > > Provider.
---end quoted text---
SY,
--
CCNP, CCDP (R&S) Dmitri E. Kalintsev
CDPlayer at irc Network Architect @ connect.com.au
dek @ connect.com.au phone: +61 3 8687 5954 fax: 8414 3115
http://-UNAVAIL- UIN:7150410 cell: +61 414 821 382