[c-nsp] NPE G1, CEF and ACLs and high CPU

Matt Carter matt at iseek.com.au
Tue Sep 9 02:35:55 EDT 2008


> Are you serious?
>
> Well, I unhappily and disappointedly stand corrected, then.  Indeed,
> Cisco documentation appears to confirm what you and Bill are saying.
>
> There are a variety of known algorithms for traversing hashed structures
> while taking order of precedence into account.  I am, quite frankly,
> astonished that they are not used, or that it takes some sort of ASIC or
> TCAM enhancement to make that happen.

Turbo (compiled) ACLs were previously mentioned in this thread - have you looked at those?

The Turbo ACL feature compiles the ACLs into a set of lookup tables, while maintaining the first match requirements. Packet headers are used to access these tables in a small, fixed number of lookups, independently of the existing number of ACL entries. The benefits of this feature include:

* For ACLs longer than three entries, the CPU load required to match the packet to the predetermined packet-matching rule is lessened. The CPU load is fixed, regardless of the size of the ACL, allowing for larger ACLs without incurring any CPU overhead penalties. The larger the ACL, the greater the benefit.

* The time taken to match the packet is fixed, so that latency of the packets is smaller (substantially in the case of large ACLs) and more importantly, consistent, allowing better network stability and more accurate transit times.
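
An added illustration of the "compile into lookup tables, keep first match" idea described above. It is not part of the original post and not Cisco's implementation: it uses a simplified per-chunk bit-vector scheme, and the sample ACL and all function names are constructed for the example.

```python
import ipaddress

# Constructed sample ACL in order of precedence: (action, src prefix, proto, dst port).
# A proto or port of None means "any".
ACL = [
    ("deny",   "10.1.2.0/24", 6,    23),
    ("permit", "10.1.0.0/16", 6,    None),
    ("deny",   "10.0.0.0/8",  None, None),
    ("permit", "0.0.0.0/0",   17,   53),
    ("permit", "0.0.0.0/0",   6,    80),
]

def _parse(rule):
    action, prefix, proto, port = rule
    net = ipaddress.ip_network(prefix)
    return action, int(net.network_address), int(net.netmask), proto, port

def linear_match(acl, src, proto, dport):
    """Reference behaviour: walk entries top down, so cost grows with ACL length."""
    ip = int(ipaddress.ip_address(src))
    for rule in acl:
        action, net, mask, p, d = _parse(rule)
        if (ip & mask) == net and p in (None, proto) and d in (None, dport):
            return action
    return "deny"  # implicit deny at the end of the list

def compile_acl(acl):
    """One table per header chunk; each entry is a bitmap of the rules that value satisfies."""
    rules = [_parse(r) for r in acl]
    def table(size, ok):
        return [sum(1 << i for i, r in enumerate(rules) if ok(r, v)) for v in range(size)]
    return {
        "actions": [r[0] for r in rules],
        "src_hi": table(1 << 16, lambda r, v: (v & (r[2] >> 16)) == (r[1] >> 16)),
        "src_lo": table(1 << 16, lambda r, v: (v & (r[2] & 0xFFFF)) == (r[1] & 0xFFFF)),
        "proto":  table(1 << 8,  lambda r, v: r[3] in (None, v)),
        "dport":  table(1 << 16, lambda r, v: r[4] in (None, v)),
    }

def compiled_match(c, src, proto, dport):
    """Four table reads and three ANDs, however many entries the ACL has."""
    ip = int(ipaddress.ip_address(src))
    hits = c["src_hi"][ip >> 16] & c["src_lo"][ip & 0xFFFF] & c["proto"][proto] & c["dport"][dport]
    if not hits:
        return "deny"  # no entry matched: implicit deny
    first = (hits & -hits).bit_length() - 1  # lowest set bit = earliest matching entry
    return c["actions"][first]

COMPILED = compile_acl(ACL)
```

The trade-off is visible in `compile_acl`: the per-packet work is fixed, but the tables cost memory and must be rebuilt whenever the ACL changes.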





