[c-nsp] Sup2T interface ACL limitations

"Rolf Hanßen" nsp at rhanssen.de
Mon Dec 16 09:26:49 EST 2013


Hi Phil,

> On 16/12/13 12:25, "Rolf Hanßen" wrote:
>
>> no hints or experiences ?
>> No other providers using ACLs on the network borders ?
>
> These are all pretty basic questions; you might want to re-read the docs
> a few times to get a better understanding.

Unfortunately the docs only describe the theory.
Maybe it works if I use an ACL with 100k entries but it takes a minute to
install.
Such things are usually not part of the docs or the information is spread
over half a dozen documents that otherwise contain 99% redundant data.

>>> I read about "up to 256K entries" for a Sup2T (XL).
>>> Does that mean I can use a huge list with 200k entries and apply it ?
>
> Maybe. That might be very slow to program into hardware though, and
> because it's using >50% of the TCAM the box won't be able to do a
> hitless modify.
>
>>> Will an ACL with 10 entries configured on 5 interfaces use 10 or 50 of
>>> those 256k ?
>
> 10. There is an indirection mechanism.
>
>>> Where can I find the limitations, for example:
>>> How big can a single ACL be and how many ACLs can be combined in a
>>> policy
>>> ?
>
> I don't know what this means; an ACL *is* a policy. You can't combine
> ACLs.

I mean to create several ACLs and combine them in a policy map like:

policy-map pm1
 class class1
   police cir 128000 bc 1000 conform-action drop exceed-action drop violate-action drop
 class class2
   police cir 128000 bc 1000 conform-action drop exceed-action drop violate-action drop

class-map match-any class1
  match access-group name acl1

class-map match-any class2
  match access-group name acl2

ip access-list standard acl1
 permit 1.2.3.0
 ...

ip access-list standard acl2
 permit 5.6.7.8
 ...

>>> Does it make a difference if I assign it via "service-policy" or "ip
>>> access-group" ?
>
> Yes. They're totally different things. "service-policy" is a QoS policy,
> "ip access-group" is an ACL.

But does it make a difference if a packet is dropped in a policy instead
of a big ACL ?
Does a policy scale better or maybe worse ?

>>> In case "no ip unreachables" is set, will there be any other impact on
>>> the
>>> RP ?
>
> No.
>
>>> Will certain sizes cause CPU trouble during installation ?
>
> Probably yes.

Are there any sizes known to work or known to make trouble ?

>>>
>>> Can I change ACLs / policy map while they are in use or will this need
>>> a
>>> reload ?
>
> No you do not need a reload. Yes you can change them when they're in
> use. Be aware that sup2T has hitless ACL updates if certain conditions
> are met.
>
>>> Will those ACLs conflict with CoPP or any other functions ?
>
> IIRC ACLs first, CoPP second. ACL denies don't go to CoPP, ACL permits
> do, but TBH I'm going from memory here.
>
>>> I think of some "it matches in the ACL, so CoPP is ignored" behaviour.
>>>
>>> I found that command here for usage check, is there anything other to
>>> verify that could hit 100% ?
>
> These stats are available over SNMP.
>
>>> Is there maybe any caveat with certain hardware ?
>>> My systems are Sup2T XL in CFC-only mode, 67xx linecards.
>
> Be aware that ACLs are per-PFC/DFC on this platform.

regards
Rolf
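A small capacity model of the points raised in this thread (ACL entries counted once per forwarding engine thanks to the indirection, the 256K figure per Sup2T XL engine, the >50% usage condition for a hitless modify, and TCAM being per-PFC/DFC), as an added example that is not from the list or from Cisco; the engine and interface names are constructed, and the rule that old and new copies of an ACL must fit side by side during a hitless swap is an assumption used to explain the >50% remark:

```python
from collections import defaultdict

TCAM_ENTRIES = 256 * 1024  # "up to 256K entries" per Sup2T XL PFC/DFC (from the thread)


def tcam_usage(bindings, acl_sizes):
    """bindings: list of (engine, interface, acl_name); engine is the PFC/DFC that
    programs the interface (all CFC-only linecards share the supervisor's PFC).
    Each ACL is counted once per engine, however many interfaces reference it."""
    per_engine = defaultdict(set)
    for engine, _iface, acl in bindings:
        per_engine[engine].add(acl)
    return {eng: sum(acl_sizes[a] for a in acls) for eng, acls in per_engine.items()}


def hitless_modify_possible(used, acl_size, capacity=TCAM_ENTRIES):
    """Assumed model: the new copy of the ACL must fit beside the old one,
    so a single ACL above 50% of the TCAM can never be modified hitlessly."""
    return used + acl_size <= capacity


def plan(bindings, acl_sizes, capacity=TCAM_ENTRIES):
    """Per-engine usage, percent of TCAM and whether the largest ACL on that
    engine could still be swapped without a traffic hit."""
    report = {}
    for engine, used in tcam_usage(bindings, acl_sizes).items():
        largest = max(acl_sizes[a] for e, _, a in bindings if e == engine)
        report[engine] = {
            "used": used,
            "percent": round(100.0 * used / capacity, 1),
            "hitless_largest": hitless_modify_possible(used, largest, capacity),
        }
    return report


# Constructed sample: a 10-entry ACL on five interfaces (uses 10, not 50),
# a second small ACL, and a 200k-entry border ACL, all on the CFC-only PFC.
SAMPLE_ACLS = {"acl1": 10, "acl2": 10, "border": 200_000}
SAMPLE_BINDINGS = [("pfc", f"Te1/{i}", "acl1") for i in range(1, 6)] + [
    ("pfc", "Te2/1", "acl2"),
    ("pfc", "Te3/1", "border"),
]

if __name__ == "__main__":
    for eng, r in plan(SAMPLE_BINDINGS, SAMPLE_ACLS).items():
        print(eng, r)
```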
