[c-nsp] PFC3/3B/3C ACL support

Kevin Graham kgraham at industrial-marshmallow.com
Thu May 14 12:19:41 EDT 2009

> 1. For reflexive ACLs, I believe (never used them on this platform) that the 
> opening & closing packets are punted to CPU, so that the "reverse" flow can be 
> installed into and removed from the netflow table.

Agreed, and this is entirely expected for reflexive entries. Documentation indicated
(presumably incorrectly) that filters on TCP flags would be punted irrespective
of whether the ACE was 'simple' or reflexive.

> 2. For other ACLs, matching is in hardware, regardless of whether you're 
> matching TCP flags, first/subsequent fragments, etc. unless you've got another 
> modifier that requires a CPU punt (e.g. "log")

I think I was thrown off by not considering that even the most pathological
cases for simple matches would be an insignificant 2^6 L4Ops. 

I am still curious whether SXH actually supports the more flexible 'ACL TCP
Flags Filtering'[1] feature, or if it was just an unintentional pick-up from
the last sync against 12.2S. ('match-any' would seem to be doable at the
expense of LOUs, though I don't see this discussed.)

[1] http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtaclflg.html
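As an added illustration (not part of the original thread) of why 'match-any' costs more lookup entries than 'match-all': a small model that compiles an ACE's TCP-flag spec into value/mask entries and counts the flag combinations each admits. The value/mask encoding is an assumption made for illustration, not the PFC3's actual TCAM or LOU format.

```python
# Added example: model of how an ACL TCP-flag spec compiles to TCAM-style
# value/mask entries. The encoding is illustrative, not the PFC3's real format.

# Standard TCP flag bit positions (6 classic flags -> 2^6 = 64 combinations)
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}


def compile_flag_spec(mode, spec):
    """Return a list of (value, mask) entries for a flag spec.

    mode: 'match-all' (every condition must hold) or 'match-any'
          (at least one condition holds), as in IOS 'ACL TCP Flags Filtering'.
    spec: e.g. ['+ack', '-syn'] ('+' = flag set, '-' = flag clear).
    """
    conds = []
    for item in spec:
        sign, name = item[0], item[1:].lower()
        if sign not in "+-" or name not in TCP_FLAGS:
            raise ValueError(f"bad flag condition: {item!r}")
        bit = TCP_FLAGS[name]
        conds.append((bit if sign == "+" else 0, bit))
    if mode == "match-all":
        # All conditions fold into one entry: OR the masks, OR the set bits.
        value = 0
        mask = 0
        for v, m in conds:
            value |= v
            mask |= m
        return [(value, mask)]
    if mode == "match-any":
        # Each condition needs its own entry (one lookup line per condition).
        return conds
    raise ValueError(f"unknown mode: {mode!r}")


def established():
    """Legacy 'established' keyword: ACK or RST set, i.e. match-any +ack +rst."""
    return compile_flag_spec("match-any", ["+ack", "+rst"])


def matching_combinations(entries):
    """Count the 6-bit flag values admitted by at least one of the entries."""
    return sum(1 for flags in range(64)
               if any(flags & m == v for v, m in entries))
```

A match-all ACE always folds to a single entry regardless of how many flags it names, while match-any needs one entry per named flag; the combination counts show the two forms admit different packet sets.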