[c-nsp] Sup2T interface ACL limitations
"Rolf Hanßen"
nsp at rhanssen.de
Mon Dec 9 12:38:41 EST 2013
Hello,
I am thinking about dropping some (mainly DDoS) traffic on the outside network borders with ACLs.
The entries would include the basic stuff like src/dst IP, protocol + ports, maybe packet length.
I would like to know about the limitations or potential conflicts with other functions.

I read about "up to 256K entries" for a Sup2T (XL).
Does that mean I can use a huge list with 200k entries and apply it?
Will an ACL with 10 entries configured on 5 interfaces use 10 or 50 of those 256k?

Where can I find the limitations, for example:
How big can a single ACL be and how many ACLs can be combined in a policy?
Does it make a difference if I assign it via "service-policy" or "ip access-group"?
In case "no ip unreachables" is set, will there be any other impact on the RP?
Will certain sizes cause CPU trouble during installation?
Can I change ACLs / policy maps while they are in use or will this need a reload?
Will those ACLs conflict with CoPP or any other functions?
I think of some "it matches in the ACL, so CoPP is ignored" behaviour.

I found this command for a usage check; is there anything else to verify that could hit 100%?
Router#sh platform hardware capacity acl
Classification Mgr Tcam Resources
Key: Ttlent - Total TCAM entries, QoSent - QoS TCAM entries, LOU - LOUs,
     RBLent - RBACL TCAM entries, Lbl - Labels, TCP - TCP Flags,
     Dstbl - Destinfo Table, Ethcam - Ethertype Cam Table,
     ACTtbl - Accounting Table, V6ext - V6 Extn Hdr Table

Module  Ttlent  QoSent  RBLent  Lbl  LOU  TCP  Dstbl  Ethcam  ACTtbl  V6ext
5       1%      2%      0%      1%   2%   0%   2%     0%      0%      0%
Is there maybe any caveat with certain hardware?
My systems are Sup2T XL in CFC-only mode, 67xx linecards.

Kind regards
Rolf Hanßen
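Since the post asks how to tell when the TCAM resources shown by "sh platform hardware capacity acl" are about to hit 100%, here is an added example (not from the original post or from Cisco) of a small parser for that table that flags any column at or above a threshold, as a monitoring script would. The sample text is constructed: it copies the layout quoted above and adds a hypothetical module 6 with high usage so the alert path is exercised.

```python
import re

# Constructed sample modelled on the "sh platform hardware capacity acl"
# output quoted in the post. Module 6 is invented to show a near-exhausted
# Ttlent and LOU column; it is not real device output.
SAMPLE_OUTPUT = """\
Classification Mgr Tcam Resources
Key: Ttlent - Total TCAM entries, QoSent - QoS TCAM entries, LOU - LOUs,
     RBLent - RBACL TCAM entries, Lbl - Labels, TCP - TCP Flags,
     Dstbl - Destinfo Table, Ethcam - Ethertype Cam Table,
     ACTtbl - Accounting Table, V6ext - V6 Extn Hdr Table
Module Ttlent QoSent RBLent Lbl LOU TCP Dstbl Ethcam ACTtbl V6ext
5      1%     2%     0%     1%  2%  0%  2%    0%     0%     0%
6      87%    2%     0%     1%  95% 0%  2%    0%     0%     0%
"""


def parse_acl_capacity(text):
    """Return {module_number: {column_name: percent_as_int}} from the table.

    The header line beginning with "Module" defines the column names; every
    following line that starts with a slot number and has one value per
    column is treated as a data row. The "Key:" legend lines are skipped
    because their first token is not a number.
    """
    columns = None
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Module":
            columns = fields[1:]
            continue
        if columns and fields[0].isdigit() and len(fields) == len(columns) + 1:
            values = {}
            for name, raw in zip(columns, fields[1:]):
                m = re.fullmatch(r"(\d+)%", raw)
                if m is None:
                    raise ValueError(
                        f"unexpected value {raw!r} for {name} on module {fields[0]}"
                    )
                values[name] = int(m.group(1))
            result[int(fields[0])] = values
    if columns is None:
        raise ValueError('header line starting with "Module" not found')
    return result


def find_exhausted(usage, threshold=80):
    """Return a sorted list of (module, column, percent) at or above threshold.

    A threshold below 100 gives warning before an ACL install fails for lack
    of TCAM space; 80 is an assumed default, not a Cisco recommendation.
    """
    hits = []
    for module, cols in usage.items():
        for name, pct in cols.items():
            if pct >= threshold:
                hits.append((module, name, pct))
    return sorted(hits)


if __name__ == "__main__":
    usage = parse_acl_capacity(SAMPLE_OUTPUT)
    for module, name, pct in find_exhausted(usage):
        print(f"module {module}: {name} at {pct}%")
```

In practice the text passed to parse_acl_capacity would come from an SSH session or a collector's stored command output; the parser keys on the column names in the header line rather than on fixed positions, so it survives the column widths changing between software releases as long as the "Module" header is present.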