[c-nsp] When are ACLs inserted to TCAM

mack mack at exchange.alphared.com
Thu Apr 17 22:39:27 EDT 2008


> -----Original Message-----
> From: Lincoln Dale [mailto:ltd at cisco.com]
> Sent: Thursday, April 17, 2008 9:34 PM
> To: mack
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] When are ACLs inserted to TCAM
>
> mack wrote:
> > It is best practice to not make changes to an active ACL.
> > Obviously making changes to a live ACL is at your own risk.
> >
> > When are extended ACLs actually inserted into TCAM?
> > Under SXF versions of IOS it seems that the ACL is
> > not applied until the exit statement is executed.
> > This would make sense as the ODM is a processor intensive task
> > and executing it for every statement might not be the best behavior.
> >
> > However the documentation is not at all clear on this.
> > And it seems that SXH1 may behave differently.
> >
> > Does anyone have a definitive answer?
> >
> to accurately answer, one would need to know exactly what product you're
> talking about.  there are very different answers if you're talking about
> c6500 compared to CRS, GSR, N7K, c4k etc.
>
> but given i know that you're talking about c6k because of reference to
> SXF/SXH1 ...

Yes, this is a 6500 series router.

>
> the behavior depends on whether you're using named ACL or numbered
> (standard/extended) ACL.
> for NAMED ACL, when you exit the acl submode after making changes, the
> merging (ODM or whatever is configured) will start to take place.
> for NUMBERED ACL, it may be triggered as many as 'n' times for 'n'
> changes.

The incident in question was using a named ACL on SXH1.

>
> obviously the recommendation would be NAMED ACL every time.
>
>
> cheers,
>
> lincoln.


--
LR Mack McBride
Network Administrator
Alpha Red, Inc.
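As an added illustration of the named-versus-numbered point above (not from the thread, and not taken from any Cisco document; the ACL names, interface and addresses are made up), in Cisco IOS CLI syntax:

```cisco
! Numbered extended ACL: every line is its own global-config command,
! so, per Lincoln's note, the TCAM merge may be triggered once per line.
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 deny   ip any any
!
! Named extended ACL: the lines are entered in a submode and the merge
! starts when you leave it with "exit", i.e. once for the whole edit.
ip access-list extended EDGE-IN
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.10 eq 80
 deny   ip any any
 exit
!
! One way to follow the "don't change an active ACL" practice: build the
! new version under a different name, then re-point the interface at it
! (placeholder interface and names). EDGE-IN is never edited while live.
ip access-list extended EDGE-IN-V2
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 22
 deny   ip any any
 exit
interface GigabitEthernet1/1
 ip access-group EDGE-IN-V2 in
 exit
```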