[c-nsp] ACL performance question

Saku Ytti saku at ytti.fi
Sat Aug 20 18:31:50 EDT 2016


I don't think ASR1k has a LOU concept. In EARL platforms LOU is a HW
optimisation to handle port ranges without burning a huge amount of
TCAM; the OP's example showed no port ranges being used, which would
mean no LOUs being used.

To answer the OP's question, yes, it is cheaper in ASR1k (and all HW
implementations that I know of) to aggregate the networks into as few
entries as possible. However, there is often a smart algorithm between
configuration and HW which will optimise things for you, so even a
badly written ACL might end up as well-implemented HW rules.

In all platforms that I've seen, it is possible to review what
actually ended up in HW. This will allow you to easily compare the
resource cost of your two strategies and gives general insight into
how the ACL is implemented in given hardware, and what the scale
limits will be in your use-case.


On 21 August 2016 at 00:42, Randy via cisco-nsp
<cisco-nsp at puck.nether.net> wrote:
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
> ---------- Forwarded message ----------
> From: Randy <randy_94108 at yahoo.com>
> To: Satish Patel <satish.txt at gmail.com>, Cisco Network Service Providers <cisco-nsp at puck.nether.net>
> Cc:
> Date: Sat, 20 Aug 2016 21:38:49 +0000 (UTC)
> Subject: Re: [c-nsp] ACL performance question
> ----- Original Message -----
>
> From: Satish Patel <satish.txt at gmail.com>
> To: Cisco Network Service Providers <cisco-nsp at puck.nether.net>
> Sent: Saturday, August 20, 2016 1:23 PM
> Subject: [c-nsp] ACL performance question
>
> We have an ASR1006 router and we are running an ACL on it to allow a
> specific port to a specific server.
>
> Question: is there any ACL performance impact on individual IPs vs. a
> full subnet, like the following example?
>
> We have the 202.100.100.0/24 subnet; now I want to use the first 200
> IPs for web servers (port 80) and the remaining 55 (whatever) for mail
> service (port 25).
>
> Now how do I tell the ACL to isolate them or subnet them? The other
> option I have is to create an individual ACL entry for each IP like the
> following, but the question is, does it impact router performance?
>
> access-list 102 permit tcp any host 202.100.100.1 eq www
> access-list 102 permit tcp any host 202.100.100.2 eq www
> access-list 102 permit tcp any host 202.100.100.3 eq www
> access-list 102 permit tcp any host 202.100.100.4 eq www
> ...
> ...
> access-list 102 permit tcp any host 202.100.100.201 eq smtp
> access-list 102 permit tcp any host 202.100.100.202 eq smtp
>
>
> what would be the best approach here?
> ----------------------------------------------------------------------------------------------------
>
> You ask *interesting-generic* questions. Answers will vary.
>
> Generally speaking:
>
>
> a) if the acl in question gets implemented in hardware, you will run out of LOUs before TCAM exhaustion.
> b) in software: How many such entries will you have: 4 - you are ok. 1000 - not so much. ACEs are processed sequentially.
>
> How about you do a little bit of legwork yourself?
>
> ./Randy
>
>



-- 
  ++ytti
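As an added example (not part of the thread, and not anything the ASR1k itself does): the aggregation Saku recommends, worked through for the OP's exact case. The constructed input below is the OP's description (202.100.100.1-.200 for HTTP, .201-.255 for SMTP); the script turns each host range into the minimal set of CIDR blocks that covers it exactly, renders them in IOS extended-ACL syntax with wildcard masks, and brute-forces every address in the /24 to prove the aggregated ACL makes the same decision as the 255 per-host entries. The ACL number, protocol and numeric ports are assumptions for illustration; `permitted()` is a simplified first-match evaluator for the entries this script generates, not a general IOS ACL parser.

```python
import ipaddress

# Constructed input mirroring the OP's description (assumption: numeric
# ports, a permit-only ACL, and the usual implicit deny at the end).
RULES = [
    ("202.100.100.1", "202.100.100.200", 80),    # web servers
    ("202.100.100.201", "202.100.100.255", 25),  # mail servers
]


def aggregate(rules):
    """Turn (first, last, port) host ranges into the minimal list of
    CIDR blocks that cover each range exactly, so nothing outside the
    range is accidentally permitted."""
    entries = []
    for first, last, port in rules:
        blocks = ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last))
        entries.extend((net, port) for net in blocks)
    return entries


def per_host(rules):
    """The OP's approach: one /32 entry per address."""
    entries = []
    for first, last, port in rules:
        lo = int(ipaddress.ip_address(first))
        hi = int(ipaddress.ip_address(last))
        entries.extend(
            (ipaddress.ip_network(f"{ipaddress.ip_address(a)}/32"), port)
            for a in range(lo, hi + 1))
    return entries


def render(entries, acl=102, proto="tcp"):
    """Render entries as IOS ACEs. IOS takes a wildcard (inverted) mask,
    which ipaddress exposes as .hostmask; a /32 becomes 'host x.x.x.x'."""
    lines = []
    for net, port in entries:
        if net.prefixlen == 32:
            dst = f"host {net.network_address}"
        else:
            dst = f"{net.network_address} {net.hostmask}"
        lines.append(f"access-list {acl} permit {proto} any {dst} eq {port}")
    return lines


def permitted(entries, dst_ip, dst_port):
    """First-match evaluation of permit entries; implicit deny at the end."""
    ip = ipaddress.ip_address(dst_ip)
    for net, port in entries:
        if ip in net and port == dst_port:
            return True
    return False


def equivalent(a, b, subnet="202.100.100.0/24", ports=(80, 25)):
    """Brute-force check that two ACLs make the same decision for every
    address in the subnet and every port of interest."""
    for ip in ipaddress.ip_network(subnet):
        for port in ports:
            if permitted(a, str(ip), port) != permitted(b, str(ip), port):
                return False
    return True


if __name__ == "__main__":
    small, big = aggregate(RULES), per_host(RULES)
    print(f"{len(big)} per-host ACEs vs {len(small)} aggregated ACEs")
    for line in render(small):
        print(line)
    print("equivalent:", equivalent(small, big))
```

The 255 per-host lines collapse to 15 ACEs (ten for the .1-.200 range, five for .201-.255) because neither range is aligned to a power-of-two boundary. The ACE count is the number to compare against what the box reports as programmed into hardware, per Saku's advice; a platform that merges adjacent prefixes itself may end up with fewer entries than the configuration shows, but it will not do worse than what you feed it here.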

