[c-nsp] When are ACLs inserted to TCAM

Fred Reimer freimer at ctiusa.com
Thu Apr 17 20:37:31 EDT 2008


I believe named ACLs are only pushed when you exit out of the named ACL
config.  Numbered ACLs are pushed after every entry, hence the
recommendation to use named ACLs.  Or at least that's what I heard
somewhere.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of mack
> Sent: Thursday, April 17, 2008 6:59 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] When are ACLs inserted to TCAM
> 
> It is best practice to not make changes to an active ACL.
> Obviously making changes to a live ACL is at your own risk.
> 
> When are extended ACLs actually inserted into TCAM?
> Under SXF versions of IOS it seems that the ACL is
> not applied until the exit statement is executed.
> This would make sense as the ODM is a processor intensive task
> and executing it for every statement might not be the best behavior.
> 
> However the documentation is not at all clear on this.
> And it seems that SXH1 may behave differently.
> 
> Does anyone have a definitive answer?
> 
> --
> LR Mack McBride
> Network Administrator
> Alpha Red, Inc.
> 
> 