[c-nsp] Performance of Catalyst6509 using ACL

Tim Stevenson tstevens at cisco.com
Fri Aug 13 13:15:38 EDT 2004


Ah, didn't see you had both sup1 & sup2.

With sup1, do be careful with your ACLs. There is no ICMP 
unreachable/redirect rate-limiting, so you should turn those off on any 
interface w/an ACL configured.

Also, traffic matching a deny in an output ACL will always be dropped in 
software, so deny on ingress as much as possible.

As w/sup2, avoid the log keyword.

Tim

At 08:37 AM 8/13/2004, Tim Stevenson announced:
>On sup2, you can pretty much configure any input/output ACL using 
>standard/extended IP access lists & still get h/w processing. Avoid use of 
>the "log" keyword, as that will force all packets matching the ACE to hit 
>the MSFC CPU.
>
>What sort of ACL exactly do you intend to deploy?
>
>Tim
>
>At 01:59 AM 8/13/2004, cisco-nsp-request at puck.nether.net announced:
>>Message: 8
>>Date: Fri, 13 Aug 2004 15:40:15 +0800
>>From: "Joe Shen" <jshen at christmas.9966.org>
>>Subject: RE: [c-nsp] Performance of Catalyst6509 using ACL
>>To: <cisco-nsp at puck.nether.net>
>>Message-ID: <000401c48108$c68e6a00$6f02a8c0 at topgun>
>>Content-Type: text/plain;     charset="US-ASCII"
>>
>>Hi,
>>
>>Thanks.
>>
>>There are two 6509 installed, their configuration information:
>
>
>
>Tim Stevenson, tstevens at cisco.com
>Routing & Switching CCIE #5561
>Technical Marketing Engineer, Catalyst 6500
>Cisco Systems, http://www.cisco.com
>IP Phone: 408-526-6759
>********************************************************
>The contents of this message may be *Cisco Confidential*
>and are intended for the specified recipients only.



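Added example, not part of the original thread and not Cisco tooling: a Python audit that checks an IOS-style configuration against the three points in the message above (ICMP unreachables/redirects left enabled on an interface with an ACL, deny entries in an output ACL, and the log keyword). The sample configuration and its ACL and interface names are constructed, and the parser assumes one leading space for sub-commands.

```python
import re

# Constructed sample config (not from the thread) in IOS syntax.
SAMPLE = """\
ip access-list extended EDGE-IN
 deny tcp any any eq 445
 permit ip any any
ip access-list extended EDGE-OUT
 deny udp any any eq 161 log
 permit ip any any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 permit ip any any
interface Vlan10
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
 no ip redirects
interface Vlan20
 ip access-group 101 in
 no ip unreachables
 no ip redirects
"""

def audit(config):
    """Return (rule, where, detail) findings for the three points in the post."""
    acls, ifaces, block = {}, {}, None
    for raw in config.splitlines():
        if raw.startswith(" "):              # sub-command of the current block
            if block is not None:
                block.append(raw.strip())
            continue
        block = None
        if m := re.match(r"ip access-list \S+ (\S+)", raw):
            block = acls.setdefault(m.group(1), [])
        elif m := re.match(r"access-list (\d+) (.+)", raw):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"interface (\S+)", raw):
            block = ifaces.setdefault(m.group(1), [])
    # "log" forces every packet matching the ACE to the MSFC CPU.
    findings = [("log-keyword", name, ace) for name, aces in acls.items()
                for ace in aces if "log" in ace.split()]
    for ifname, lines in ifaces.items():
        bound = [l.split()[2:4] for l in lines if l.startswith("ip access-group ")]
        for knob in ("no ip unreachables", "no ip redirects"):
            if bound and knob not in lines:  # sup1: no ICMP rate-limiting
                findings.append(("icmp-enabled", ifname, knob))
        for acl, direction in bound:         # sup1: egress deny drops in software
            findings += [("egress-deny", ifname, f"{acl}: {ace}")
                         for ace in acls.get(acl, [])
                         if direction == "out" and "deny" in ace.split()[:2]]
    return findings
```

The icmp-enabled and egress-deny findings apply to sup1 as described in the message; log-keyword applies to both supervisors.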


