[c-nsp] Sup2T interface ACL limitations

gjstem at gmail.com gjstem at gmail.com
Mon Dec 23 20:05:22 EST 2013 

Take a look at TrustSec/SGA.  The abstraction of IP addresses into tags looks to be a promising approach for optimizing FW/ACL policies especially memory on hardware forwarding platforms.  The challenge is designing an architecture whereby you can get tags assigned efficiently for all relevant IP blocks to allow for appropriate enforcement.

On Dec 21, 2013, at 7:52 PM, Łukasz Bromirski <lukasz at bromirski.net> wrote:

> 
> On 20 Dec 2013, at 14:36, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> 
>> On 16/12/13 14:26, "Rolf Hanßen" wrote:
>> 
>>>> These are all pretty basic questions; you might want to re-read the docs
>>>> a few times to get a better understanding.
>>> 
>>> Unfortunatelly the docs only describe the theory.
>> 
>> I wrote a long answer, but decided on a short one:
>> 
>> Very large ACLs e.g. with 100k entries aren't that common. It's an odd thing to do, IMHO, and you should speak to your Cisco account manager / SE to get feedback from the platform team on the scale limits.
>> Personally, I wouldn't do what you're doing - a 100k ACE ACL is just asking for trouble.
> 
> Indeed. Even if something that huge will fit into hardware to not
> compromise speed, it will be unmanageable (and on most platforms it
> will not).
> 
> I’ve witnessed two or three customers that I was responsible for @Cisco,
> that were at the 60-80k entries mark. They were essentially
> (no pun intended) coming from Checkpoint land, where ACLs were tool
> to do anything. All of them essentially said: we no longer can manage
> this, we no longer can track this, we no longer know what’s going on,
> please find us some solution. Heck, I saw RFPs asking for
> 500-600k ACEs in hardware! (someone haven’t done any market research).
> 
> If you need that kind of scale, go for BGP blackholing coupled with
> uRPF, and you will a) use the things routers are best in (using their
> FIB) and b) dynamically scale/manage the solution.
> 
> ACLs are good for basic sanity checks and segmenting the traffic for
> ports (L4+). BGP scales way better for L3 than them and it’s faster
> and way easier to dynamically update the entries.
> 
> -- 
> "There's no sense in being precise when |               Łukasz Bromirski
> you don't know what you're talking     |      jid:lbromirski at jabber.org
> about."               John von Neumann |    http://lukasz.bromirski.net
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list