[c-nsp] Performance of Catalyst6509 using ACL
Tim Stevenson
tstevens at cisco.com
Fri Aug 13 13:15:38 EDT 2004
Ah, didn't see you had both sup1 & sup2.
With sup1, do be careful with your ACLs. There is no ICMP
unreachable/redirect rate-limiting, so you should turn those off on any
interface w/an ACL configured.
Also, traffic matching a deny in an output ACL will always be dropped in
software, so deny on ingress as much as possible.
As w/sup2, avoid the log keyword.
Tim
At 08:37 AM 8/13/2004, Tim Stevenson announced:
>On sup2, you can pretty much configure any input/output ACL using
>standard/extended IP access lists & still get h/w processing. Avoid use of
>the "log" keyword, as that will force all packets matching the ACE to hit
>the MSFC CPU.
>
>What sort of ACL exactly do you intend to deploy?
>
>Tim
>
>At 01:59 AM 8/13/2004, cisco-nsp-request at puck.nether.net announced:
>>Message: 8
>>Date: Fri, 13 Aug 2004 15:40:15 +0800
>>From: "Joe Shen" <jshen at christmas.9966.org>
>>Subject: RE: [c-nsp] Performance of Catalyst6509 using ACL
>>To: <cisco-nsp at puck.nether.net>
>>Message-ID: <000401c48108$c68e6a00$6f02a8c0 at topgun>
>>Content-Type: text/plain; charset="US-ASCII"
>>
>>Hi,
>>
>>Thanks.
>>
>>There are two 6509 installed, their configuration information:
>
>
>
>Tim Stevenson, tstevens at cisco.com
>Routing & Switching CCIE #5561
>Technical Marketing Engineer, Catalyst 6500
>Cisco Systems, http://www.cisco.com
>IP Phone: 408-526-6759
>********************************************************
>The contents of this message may be *Cisco Confidential*
>and are intended for the specified recipients only.
Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Catalyst 6500
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.
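
Added example (not part of the original thread and not Cisco code): a small Python audit of an IOS-style config that flags the three conditions the message warns about, namely ACEs using "log", ACL-bearing interfaces still sending ICMP unreachables/redirects, and output ACLs that contain deny entries. The sample config, ACL names and interface names are constructed for illustration.

```python
import re
# Constructed sample config for illustration; not from the thread.
SAMPLE = """\
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 deny ip any any log
ip access-list extended EGRESS
 permit ip 192.0.2.0 0.0.0.255 any
 deny ip any any
interface Vlan10
 ip access-group 101 in
 no ip redirects
interface Vlan20
 ip access-group EGRESS out
 no ip unreachables
 no ip redirects
interface Vlan30
 ip address 192.0.2.1 255.255.255.0
"""

def parse(config):  # -> ({acl: [ACEs]}, {interface: [sub-commands]})
    acls, intfs, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] != " ":  # a top-level command ends any open section
            current = None
            if m := re.match(r"access-list (\S+) (.+)", line):
                acls.setdefault(m[1], []).append(m[2])
            elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
                current = acls.setdefault(m[1], [])
            elif m := re.match(r"interface (\S+)", line):
                current = intfs.setdefault(m[1], [])
        elif current is not None:
            current.append(line)
    return acls, intfs

def audit(config):
    acls, intfs = parse(config)
    # Per the thread: packets matching an ACE with "log" hit the MSFC CPU.
    out = [(f"acl {n}", "log keyword") for n, aces in acls.items() for a in aces if re.search(r"\blog\b", a)]
    for name, lines in intfs.items():
        groups = [m for l in lines if (m := re.match(r"ip access-group (\S+) (in|out)", l))]
        if groups:  # sup1: ICMP unreachables/redirects are not rate-limited
            out += [(name, f"missing '{c}'") for c in ("no ip unreachables", "no ip redirects") if c not in lines]
        for g in groups:  # sup1: denies in an output ACL are dropped in software
            if g[2] == "out" and any(re.match(r"(\d+ )?deny\b", a) for a in acls.get(g[1], [])):
                out.append((name, f"output ACL {g[1]} has deny entries"))
    return out
```

Calling audit(SAMPLE) returns a list of (scope, issue) tuples; the unreachables/redirects and output-deny findings matter on sup1 only, per the message above.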