[c-nsp] NPE G1, CEF and ACLs and high CPU

Rodney Dunn rodunn at cisco.com
Tue Sep 9 09:48:34 EDT 2008


Don't use TACLs on the software platforms. It has been removed
from the CLI for the ISRs (it shouldn't have slipped in to begin with).

There are very difficult challenges to handle for things such
as updating the ACL on configuration change, memory usage, etc.

Most HW forwarding platforms merge the ACLs in some fashion to
reduce the footprint size.

In IOS there is a trie-based ACL now over the linear format.
It's on by default and you can't change it.

Rodney

On Tue, Sep 09, 2008 at 04:35:55PM +1000, Matt Carter wrote:
> > Are you serious?
> >
> > Well, I unhappily and disappointedly stand corrected, then.  Indeed,
> > Cisco documentation appears to confirm what you and Bill are saying.
> >
> > There are a variety of known algorithms for traversing hashed
> > structures
> > while taking order of precedence into account.  I am, quite frankly,
> > astonished that they are not used, or that it takes some sort of ASIC
> > or
> > TCAM enhancement to make that happen.
> 
> Turbo (compiled) ACLs were previously mentioned in this thread - have you looked at those?
> 
> The Turbo ACL feature compiles the ACLs into a set of lookup tables, while maintaining the first match requirements. Packet headers are used to access these tables in a small, fixed number of lookups, independently of the existing number of ACL entries. The benefits of this feature include:
> 
> *For ACLs longer than three entries, the CPU load required to match the packet to the predetermined packet-matching rule is lessened. The CPU load is fixed, regardless of the size of the ACL, allowing for larger ACLs without incurring any CPU overhead penalties. The larger the ACL, the greater the benefit.
> 
> *The time taken to match the packet is fixed, so that latency of the packets is smaller (substantially in the case of large ACLs) and more importantly, consistent, allowing better network stability and more accurate transit times.
> 
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
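The quoted description above (compile the ACL into lookup tables, classify a packet with a small fixed number of lookups, keep first-match semantics) can be made concrete with a bitmap-vector classifier. The following is an added example, not Cisco's Turbo ACL code and not anything from the thread; the real IOS table layout is not described on this page. It builds one table per header field whose entries are bitmaps of the ACEs that accept that field value, ANDs the bitmaps from a fixed number of lookups, and takes the lowest set bit as the first match. A linear first-match evaluator is kept beside it so the two can be checked against each other. The ACL, the packets and the field set (protocol, source, destination, destination port) are constructed for the example.

```python
"""First-match ACL lookup: linear scan vs a compiled bitmap lookup (added example)."""
from bisect import bisect_right
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry. proto None means 'ip' (any protocol)."""
    permit: bool
    proto: Optional[int]                 # 6 = tcp, 17 = udp, None = ip
    src: IPv4Network
    dst: IPv4Network
    dport: Tuple[int, int] = (0, 65535)  # inclusive destination port range


@dataclass(frozen=True)
class Packet:
    proto: int
    src: IPv4Address
    dst: IPv4Address
    dport: int


# Constructed sample ACL. Order matters: entry 0 denies ssh that entry 1 would permit.
SAMPLE_ACL: List[Ace] = [
    Ace(False, 6, IPv4Network("10.0.0.0/8"), IPv4Network("192.0.2.0/24"), (22, 22)),
    Ace(True, 6, IPv4Network("10.0.0.0/8"), IPv4Network("192.0.2.0/24"), (1, 1023)),
    Ace(True, 17, IPv4Network("0.0.0.0/0"), IPv4Network("192.0.2.53/32"), (53, 53)),
    Ace(True, None, IPv4Network("172.16.0.0/12"), IPv4Network("0.0.0.0/0")),
]

# Constructed sample packets (proto, src, dst, dport).
SAMPLE_PACKETS: List[Packet] = [
    Packet(6, IPv4Address("10.1.2.3"), IPv4Address("192.0.2.10"), 22),
    Packet(6, IPv4Address("10.1.2.3"), IPv4Address("192.0.2.10"), 80),
    Packet(17, IPv4Address("203.0.113.5"), IPv4Address("192.0.2.53"), 53),
    Packet(6, IPv4Address("172.20.0.1"), IPv4Address("198.51.100.7"), 443),
    Packet(6, IPv4Address("10.1.2.3"), IPv4Address("198.51.100.7"), 80),
    Packet(17, IPv4Address("10.1.2.3"), IPv4Address("192.0.2.10"), 53),
]


def linear_match(acl: List[Ace], pkt: Packet) -> int:
    """Top-to-bottom scan; cost grows with ACL length. Returns len(acl) for the implicit deny."""
    for i, ace in enumerate(acl):
        if ((ace.proto is None or ace.proto == pkt.proto)
                and pkt.src in ace.src and pkt.dst in ace.dst
                and ace.dport[0] <= pkt.dport <= ace.dport[1]):
            return i
    return len(acl)


class CompiledAcl:
    """Per-field tables of bitmaps: bit i set means entry i accepts that field value.
    Bit len(acl) is the implicit deny and is set everywhere, so the AND is never empty.
    Classification is 10 table lookups and one lowest-set-bit, regardless of ACL length."""

    def __init__(self, acl: List[Ace]):
        n = self.n = len(acl)
        deny_bit = 1 << n
        # 8 address tables (4 src bytes + 4 dst bytes), 256 bitmaps each. Prefix
        # masks are contiguous, so they decompose exactly into per-byte checks.
        self.addr_tables = [[deny_bit] * 256 for _ in range(8)]
        for i, ace in enumerate(acl):
            for base, net in ((0, ace.src), (4, ace.dst)):
                addr = int(net.network_address).to_bytes(4, "big")
                mask = int(net.netmask).to_bytes(4, "big")
                for k in range(4):
                    for v in range(256):
                        if v & mask[k] == addr[k] & mask[k]:
                            self.addr_tables[base + k][v] |= 1 << i
        # Protocol: one 256-entry table.
        self.proto_table = [deny_bit] * 256
        for i, ace in enumerate(acl):
            for v in range(256):
                if ace.proto is None or ace.proto == v:
                    self.proto_table[v] |= 1 << i
        # Ports: a range does not split per byte, so cut 0..65535 into equivalence
        # classes at every entry's boundaries; each class is wholly in or out of every range.
        bounds = {0, 65536}
        for ace in acl:
            bounds.update((ace.dport[0], ace.dport[1] + 1))
        self.port_bounds = sorted(bounds)
        self.port_table = []
        for c in range(len(self.port_bounds) - 1):
            lo, hi = self.port_bounds[c], self.port_bounds[c + 1] - 1
            bits = deny_bit
            for i, ace in enumerate(acl):
                if ace.dport[0] <= lo and hi <= ace.dport[1]:
                    bits |= 1 << i
            self.port_table.append(bits)

    def match(self, pkt: Packet) -> int:
        src = int(pkt.src).to_bytes(4, "big")
        dst = int(pkt.dst).to_bytes(4, "big")
        bits = self.proto_table[pkt.proto]
        for k in range(4):
            bits &= self.addr_tables[k][src[k]] & self.addr_tables[4 + k][dst[k]]
        bits &= self.port_table[bisect_right(self.port_bounds, pkt.dport) - 1]
        return (bits & -bits).bit_length() - 1  # lowest set bit = first configured match


def action(acl: List[Ace], index: int) -> str:
    return "permit" if index < len(acl) and acl[index].permit else "deny"


def compiled_agrees_with_linear(acl: List[Ace], packets: List[Packet]) -> bool:
    """True when the compiled lookup yields the same first match as the linear scan for every packet."""
    compiled = CompiledAcl(acl)
    return all(compiled.match(p) == linear_match(acl, p) for p in packets)


if __name__ == "__main__":
    compiled = CompiledAcl(SAMPLE_ACL)
    for p in SAMPLE_PACKETS:
        idx = compiled.match(p)
        print(f"{p.proto:>2} {p.src} -> {p.dst}:{p.dport}  entry {idx}  {action(SAMPLE_ACL, idx)}")
```

The point the thread makes about CPU cost is visible in `match`: the work per packet is one lookup per field plus a bitmap AND, whether the ACL has four entries or four thousand, while `linear_match` walks the list. The cost moves to build time and memory (here the address tables alone hold 8 x 256 bitmaps), which is the trade-off the reply above alludes to when it mentions update-on-change and memory as the hard parts on software platforms.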

