[c-nsp] NPE G1, CEF and ACLs and high CPU
Rodney Dunn
rodunn at cisco.com
Tue Sep 9 10:34:44 EDT 2008
On Tue, Sep 09, 2008 at 03:26:18PM +0100, Mateusz B?aszczyk wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rodney
>
> 2008/9/9 Rodney Dunn :
> > Don't use TACL's on the software platforms. It has been removed
> > from the CLI for the ISR's (it shouldn't have slipped in to begin with).
> >
>
> edge2#sh ver | in IOS
> Cisco IOS Software, 7301 Software (C7301-K91P-M), Version 12.2(28)SB6,
> RELEASE SOFTWARE (fc1)
>
> edge2(config)#access-list compiled ?
> reuse Reuse tables when compiling (for reduced memory requirements)
>
>
> So, it is NOT recommended to use this feature on that router?
They didn't remove it on the 72xx, 7301, and 75xx from what I remember
because they had the distributed or CPU/memory to handle them and there
were so many customers already using them.
If your ACL's are static you will probably be ok.
But if it were my network I'd be on code that used Trie based ACL's
and get away from TACL's given the problems I worked on with them.
When they work they work well but when there are problems with
a lot of updates and size they get pretty messy.
If you want speed on them with long ACL's you really should look
at something that can do them in hardware.
s>
>
> > There are very difficult challenges to handle for things such
> > as updating the ACL on configuration change, memory usage, etc.
> >
>
> and if we made a policy that each ACL update would consist of:
> 1) remove access-group from the port
> 2) remove acl
> 3) create new acl
> 4) put access-group on the port
>
> Would the above apply as well?
Removing it form an interface no. Removing the ACL not as much.
It's more about modifying the ACL.
>
> > Most HW forwarding platforms merge the ACL's in some fashion to
> > reduce the footprint size.
>
> So when using TACL is recommended? On software-based it is not, on
> hardware-based we got other mechanisms...
> I am confused.
In genearl it's not advised to use them at all anymore.
>
> > In IOS there is a Trie based ACL now over the linear format.
> > It's on by default and you can't change it.
>
>
> now - meaning 12.4T ?
Yes...12.4M got it too.
>
> - --
> - -mat
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFIxoeIIvBv0k5esR4RAuhvAJ0W5Mcn38E7kM20gz2AaWOMKs4htwCgg/ep
> RaIQcLoM3P2Mc8NhQuL1vG8=
> =Y+MU
> -----END PGP SIGNATURE-----
More information about the cisco-nsp
mailing list