[c-nsp] Sup2T interface ACL limitations

"Rolf Hanßen" nsp at rhanssen.de
Mon Dec 16 07:25:05 EST 2013


Hi,

No hints or experiences?
No other providers using ACLs on the network borders?

kind regards
Rolf

> Hello,
>
> I am thinking about dropping some (mainly ddos) traffic on the outside
> network borders with ACLs.
> The entries would include the basic stuff like src/dst IP, protocol +
> ports, maybe packet length.
> I would like to know about the limitations or potential conflicts with
> other functions.
>
> I read about "up to 256K entries" for a Sup2T (XL).
> Does that mean I can use a huge list with 200k entries and apply it?
>
> Will an ACL with 10 entries configured on 5 interfaces use 10 or 50 of
> those 256k?
>
> Where can I find the limitations, for example:
> How big can a single ACL be and how many ACLs can be combined in a policy?
>
> Does it make a difference if I assign it via "service-policy" or "ip
> access-group"?
>
> In case "no ip unreachables" is set, will there be any other impact on the
> RP?
>
> Will certain sizes cause CPU trouble during installation?
>
> Can I change ACLs / policy map while they are in use or will this need a
> reload?
>
> Will those ACLs conflict with CoPP or any other functions ?
> I think of some "it matches in the ACL, so CoPP is ignored" behaviour.
>
> I found that command here for usage check, is there anything else to
> verify that could hit 100%?
>
> Router#sh platform hardware capacity acl
> Classification Mgr Tcam Resources
>   Key: Ttlent - Total TCAM entries, QoSent - QoS TCAM entries, LOU - LOUs,
>        RBLent - RBACL TCAM entries, Lbl - Labels, TCP - TCP Flags,
>        Dstbl  - Destinfo Table, Ethcam  - Ethertype Cam Table,
>        ACTtbl - Accounting Table, V6ext - V6 Extn Hdr Table
>
>   Module Ttlent QoSent RBLent Lbl   LOU  TCP  Dstbl Ethcam ACTtbl V6ext
>   5       1%     2%     0%     1%    2%   0%   2%    0%     0%     0%
>
> Is there maybe any caveat with certain hardware ?
> My systems are Sup2T XL in CFC-only mode, 67xx linecards.
>
> kind regards
> Rolf Hanßen
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
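One way to turn the `show platform hardware capacity acl` output quoted above into a monitoring check that looks at every TCAM resource column, not only total entries: an added example, not code from the post or from Cisco. The header and key lines mirror the quoted output; the module 6 row and all percentages are constructed sample values, and the 80% alert threshold is an assumption.

```python
import re

# Constructed sample of the quoted "sh platform hardware capacity acl" output.
# Module 5 is the row from the post; module 6 is invented to exercise the alert path.
SAMPLE_OUTPUT = """\
Router#sh platform hardware capacity acl
Classification Mgr Tcam Resources
  Key: Ttlent - Total TCAM entries, QoSent - QoS TCAM entries, LOU - LOUs,
       RBLent - RBACL TCAM entries, Lbl - Labels, TCP - TCP Flags,
       Dstbl  - Destinfo Table, Ethcam  - Ethertype Cam Table,
       ACTtbl - Accounting Table, V6ext - V6 Extn Hdr Table

  Module Ttlent QoSent RBLent Lbl   LOU  TCP  Dstbl Ethcam ACTtbl V6ext
  5       1%     2%     0%     1%    2%   0%   2%    0%     0%     0%
  6      87%    12%     0%    94%    3%   0%   2%    0%     0%     0%
"""

PERCENT = re.compile(r"^\d+%$")


def parse_acl_capacity(text):
    """Return {module: {resource_name: percent_used}} from the capacity table.

    The column names are taken from the 'Module ...' header line, so every
    resource the platform reports (labels, LOUs, ...) is captured, not just Ttlent.
    """
    header = None
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Module":          # header row defines the column names
            header = fields[1:]
            continue
        if header and fields[0].isdigit() and all(PERCENT.match(f) for f in fields[1:]):
            if len(fields) - 1 != len(header):
                raise ValueError("column count mismatch on line: %r" % line)
            result[int(fields[0])] = {
                name: int(value.rstrip("%")) for name, value in zip(header, fields[1:])
            }
    return result


def over_threshold(capacity, threshold=80):
    """List (module, resource, percent) for every resource at or above threshold."""
    return sorted(
        (module, resource, pct)
        for module, resources in capacity.items()
        for resource, pct in resources.items()
        if pct >= threshold
    )
```

Polling this periodically and alerting on any column, not only `Ttlent`, catches the case where a secondary resource such as labels fills up long before the entry count does.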