[c-nsp] Sup2T interface ACL limitations

Phil Mayers p.mayers at imperial.ac.uk
Mon Dec 16 07:40:24 EST 2013


On 16/12/13 12:25, "Rolf Hanßen" wrote:

> no hints or experiences ?
> No other providers using ACLs on the network borders ?

These are all pretty basic questions; you might want to re-read the docs 
a few times to get a better understanding.

>> I read about "up to 256K entries" for a Sup2T (XL).
>> Does that mean I can use a huge list with 200k entries and apply it ?

Maybe. That might be very slow to program into hardware though, and 
because it's using >50% of the TCAM the box won't be able to do a 
hitless modify.

>> Will an ACL with 10 entries configured on 5 interfaces use 10 or 50 of
>> those 256k ?

10. There is an indirection mechanism.

>> Where can I find the limitations, for example:
>> How big can a single ACL be and how many ACLs can be combined in a policy?

I don't know what this means; an ACL *is* a policy. You can't combine ACLs.

>> Does it make a difference if I assign it via "service-policy" or "ip
>> access-group" ?

Yes. They're totally different things. "service-policy" is a QoS policy, 
"ip access-group" is an ACL.

>> In case "no ip unreachables" is set, will there be any other impact on the
>> RP ?

No.

>> Will certain sizes cause CPU trouble during installation ?

Probably yes.

>>
>> Can I change ACLs / policy map while they are in use or will this need a
>> reload ?

No you do not need a reload. Yes you can change them when they're in 
use. Be aware that sup2T has hitless ACL updates if certain conditions 
are met.

>> Will those ACLs conflict with CoPP or any other functions ?

IIRC ACLs first, CoPP second. ACL denies don't go to CoPP, ACL permits 
do, but TBH I'm going from memory here.

>> I think of some "it matches in the ACL, so CoPP is ignored" behaviour.
>>
>> I found that command here for usage check, is there anything else to
>> verify that could hit 100% ?

These stats are available over SNMP.

>> Is there maybe any caveat with certain hardware ?
>> My systems are Sup2T XL in CFC-only mode, 67xx linecards.

Be aware that ACLs are per-PFC/DFC on this platform.
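
To make the "ip access-group" versus "service-policy" distinction and the
TCAM-sharing point concrete, here is an added configuration example; it is not
from the thread and not from either poster. Interface names, ACL names and the
prefixes are hypothetical, and "show platform hardware capacity acl" is
assumed here to be the Catalyst 6500 command for reading ACL TCAM usage:

```cisco
! Added example, not part of the original post. Names and prefixes are hypothetical.
!
! One named ACL bound with "ip access-group" on several interfaces. The PFC/DFC
! programs the ACEs once and points each interface at the same TCAM entries, so
! the bindings below consume roughly one copy of BORDER-IN, not one per interface.
ip access-list extended BORDER-IN
 remark -- drop documentation/bogon space arriving from outside (example prefixes)
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 198.51.100.0 0.0.0.255 any
 remark -- anti-spoof: our own range must never arrive on a border port
 deny   ip 203.0.113.0 0.0.0.255 any
 permit ip any any
!
interface TenGigabitEthernet1/1
 description border uplink A (hypothetical)
 ip access-group BORDER-IN in
!
interface TenGigabitEthernet1/2
 description border uplink B (hypothetical)
 ip access-group BORDER-IN in
!
! "service-policy" is QoS. A class-map may *match* an ACL, but the action is
! police/mark, never permit/deny, so this does not filter traffic the way
! "ip access-group" does.
ip access-list extended BULK-TRAFFIC
 permit tcp any any eq 873
!
class-map match-any EXAMPLE-BULK
 match access-group name BULK-TRAFFIC
!
policy-map EXAMPLE-INGRESS-QOS
 class EXAMPLE-BULK
  police 100000000 conform-action transmit exceed-action drop
!
interface TenGigabitEthernet1/1
 service-policy input EXAMPLE-INGRESS-QOS
!
! Check ACL TCAM headroom before and after applying a large list; because the
! resource is per PFC/DFC, look at every module that carries the interfaces.
show platform hardware capacity acl
```

Apply a large ACL in a maintenance window and compare the capacity output
before and after: a list that pushes the TCAM past half full is the case Phil
describes above where the box can no longer perform a hitless modify.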

