[c-nsp] When are ACLs inserted to TCAM

Lincoln Dale ltd at cisco.com
Thu Apr 17 22:33:47 EDT 2008


mack wrote:
> It is best practice to not make changes to an active ACL.
> Obviously making changes to a live ACL is at your own risk.
>
> When are extended ACLs actually inserted into TCAM?
> Under SXF versions of IOS it seems that the ACL is
> not applied until the exit statement is executed.
> This would make sense as the ODM is a processor intensive task
> and executing it for every statement might not be the best behavior.
>
> However the documentation is not at all clear on this.
> And it seems that SXH1 may behave differently.
>
> Does anyone have a definitive answer?
>
to accurately answer, one would need to know exactly what product you're 
talking about.  there are very different answers if you're talking about 
c6500 compared to CRS, GSR, N7K, c4k etc.

but given i know that you're talking about c6k because of reference to 
SXF/SXH1 ...

the behavior depends on whether you're using named ACL or numbered 
(standard/extended) ACL.
for NAMED ACL, when you exit the acl submode after making changes, the 
merging (ODM or whatever is configured) will start to take place.
for NUMBERED ACL, it may be triggered as many as 'n' times for 'n' changes.

obviously the recommendation would be NAMED ACL every time.


cheers,

lincoln.
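As an added illustration (not part of the original thread), the two editing styles contrasted in the reply above, on a Catalyst 6500: the ACL name, addresses, interface and sequence numbers are made up for the example.

```ios
! Numbered extended ACL: every access-list line is its own configuration
! change, so on the c6k the ACL merge (ODM) can be triggered once per line.
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 deny   ip any any
!
! Named extended ACL: enter the submode, make all edits, then 'exit'.
! Per the reply above, the merge into TCAM starts when you leave the
! submode, so the three entries below result in one merge, not three.
! Until 'exit' is issued the previously programmed version stays in TCAM.
ip access-list extended EDGE-IN
 10 permit tcp any host 192.0.2.10 eq 80
 20 permit tcp any host 192.0.2.10 eq 443
 30 deny   ip any any
 exit
!
interface GigabitEthernet1/1
 ip access-group EDGE-IN in
```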

