[c-nsp] ODM Merge

Tim Stevenson tstevens at cisco.com
Tue Feb 7 10:33:39 EST 2006


At 06:36 AM 2/7/2006, Alban Dani submitted:
>Hi there,
>
>I was recently advised by our Cisco support eng. to move to ODM algorithm.
>
>Besides the fact that I have to run :
>
>mls aclmerge algorithm bdd

You mean mls aclmerge algo odm. BDD is the default on systems that support it.

>mls aclmerge odm optimizations

This is optional. In some cases, it can result in higher CPU during 
the ACL merge. YMMV.


>what else can be involved?

You must bounce all interfaces that have existing ACLs applied, or 
remove & reapply the ACLs, or reboot. IOW, you need to trigger a new 
merge of the existing ACLs, and any of the above will do it.


>Is this algorithm conversion a lengthy and/or disruptive process?

It depends on the size of the ACLs & the method you use above to 
retrigger the merge. It is potentially disruptive in terms of CPU & 
short period of packet loss (< 1 sec typically).

All that said, ODM is *massively* superior to BDD & I wholeheartedly 
second the recommendation of the TAC/SE who made it. It will use less 
CPU, memory, and time overall than BDD when doing the merge (though 
as I said, you may want to compare with & without the optimizations 
enabled - which, BTW, are performed for both ODM & BDD merges despite 
the name) and will also use far less TCAM in most cases. FWIW, 
sup720/sup32 support ONLY ODM, BDD support was dropped in 12.2SX.

Take a look at this paper for some more details:

http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/65acl_wp.pdf

Tim


>Thanks,
>
>Alban



Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Catalyst 6500
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.

