[c-nsp] Sup2T interface ACL limitations
Phil Mayers
p.mayers at imperial.ac.uk
Mon Dec 16 07:40:24 EST 2013
On 16/12/13 12:25, "Rolf Hanßen" wrote:
> no hints or experiences ?
> No other providers using ACLs on the network borders ?
These are all pretty basic questions; you might want to re-read the docs
a few times to get a better understanding.
>> I read about "up to 256K entries" for a Sup2T (XL).
>> Does that mean I can use a huge list with 200k entries and apply it ?
Maybe. That might be very slow to program into hardware though, and
because it's using >50% of the TCAM the box won't be able to do a
hitless modify.
>> Will an ACL with 10 entries configured on 5 interfaces use 10 or 50 of
>> those 256k ?
10. There is an indirection mechanism.
>> Where can I find the limitations, for example:
>> How big can a single ACL be and how many ACLs can be combined in a policy
>> ?
I don't know what this means; an ACL *is* a policy. You can't combine ACLs.
>> Does it make a difference if I assign it via "service-policy" or "ip
>> access-group" ?
Yes. They're totally different things. "service-policy" is a QoS policy,
"ip access-group" is an ACL.
>> In case "no ip unreachables" is set, will there be any other impact on the
>> RP ?
No.
>> Will certain sizes cause CPU trouble during installation ?
Probably yes.
>>
>> Can I change ACLs / policy map while they are in use or will this need a
>> reload ?
No you do not need a reload. Yes you can change them when they're in
use. Be aware that sup2T has hitless ACL updates if certain conditions
are met.
>> Will those ACLs conflict with CoPP or any other functions ?
IIRC ACLs first, CoPP second. ACL denies don't go to CoPP, ACL permits
do, but TBH I'm going from memory here.
>> I think of some "it matches in the ACL, so CoPP is ignored" behaviour.
>>
>> I found that command here for usage check, is there anything other to
>> verify that could hit 100% ?
These stats are available over SNMP.
>> Is there maybe any caveat with certain hardware ?
>> My systems are Sup2T XL in CFC-only mode, 67xx linecards.
Be aware that ACLs are per-PFC/DFC on this platform.
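Added example, not part of the thread: a small planning helper that applies the two rules stated in the reply (an ACL bound to several interfaces is programmed once thanks to the indirection mechanism, and a box with more than 50% of its TCAM in use cannot do a hitless modify) against the 256K-entry Sup2T XL figure quoted in the question. The per-engine split is an assumption based on the "per-PFC/DFC" remark: interfaces on CFC-only linecards are all counted against the supervisor's PFC. Real TCAM consumption also depends on other features sharing the TCAM, so treat the numbers as a lower bound.

```python
from collections import defaultdict

TCAM_CAPACITY = 256 * 1024   # "up to 256K entries" for Sup2T XL, as quoted in the thread
HITLESS_MAX_UTIL = 0.5       # above 50% in use the box cannot do a hitless modify


def tcam_plan(acl_sizes, bindings):
    """Estimate ACL TCAM consumption per forwarding engine.

    acl_sizes: {acl_name: number_of_entries}
    bindings:  iterable of (engine, interface, acl_name); engine is "PFC" for
               interfaces on CFC-only linecards, or a DFC slot id otherwise.
    Assumption: each engine holds one copy of every ACL bound to any of its
    interfaces (indirection), however many interfaces reference it.
    Returns {engine: {"naive": n, "entries": n, "utilization": f, "hitless_ok": bool}}
    """
    per_engine = defaultdict(lambda: {"acls": set(), "naive": 0})
    for engine, _iface, acl in bindings:
        if acl not in acl_sizes:
            raise KeyError(f"unknown ACL {acl!r}")
        per_engine[engine]["acls"].add(acl)
        per_engine[engine]["naive"] += acl_sizes[acl]   # count without indirection
    plan = {}
    for engine, info in per_engine.items():
        entries = sum(acl_sizes[a] for a in info["acls"])
        util = entries / TCAM_CAPACITY
        plan[engine] = {
            "naive": info["naive"],
            "entries": entries,
            "utilization": util,
            "hitless_ok": util <= HITLESS_MAX_UTIL,
        }
    return plan


def thread_examples():
    """The two cases from the thread on a CFC-only chassis (everything on one PFC).
    ACL names and interface names are constructed for the example."""
    small = tcam_plan({"EDGE-IN": 10},
                      [("PFC", f"Te1/{i}", "EDGE-IN") for i in range(1, 6)])
    huge = tcam_plan({"BIG-BORDER": 200_000}, [("PFC", "Te1/1", "BIG-BORDER")])
    return small["PFC"], huge["PFC"]


if __name__ == "__main__":
    small, huge = thread_examples()
    print(f"10-entry ACL on 5 interfaces: naive {small['naive']}, "
          f"actual {small['entries']}, hitless ok {small['hitless_ok']}")
    print(f"200k-entry ACL: {huge['utilization']:.0%} of TCAM, hitless ok {huge['hitless_ok']}")
```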