[f-nsp] Using outbound ACLs on JetCore modules

Devon devon at noved.org
Tue Mar 2 17:28:32 EST 2004


All:

Follow-up to myself in case anyone searching the foundry-nsp archives is 
curious about this issue. :) A couple of people sent me emails privately.

----------

That was the case with IronCore (at least, I heard the same story as
you).

It was also the case with JetCore and was supposedly fixed in the early
parts of the 7.6.3 train and later.

I haven't tested it though.

----------

Hello,

With JetCore, outbound ACLs are copied to inbound ACLs on all other
ports, so they use a lot more CAM space.

I believe the IronCore chipset doesn't have this disadvantage. On the other
hand, ACLs on JetCore are wirespeed.

----------

I looked at the release notes for the various software releases and 
found this entry in the 7.6.01 release notes:

"CPU Processing for Outbound ACLs Applies Only to a Traffic Flow Whose 
Destination Address Matches an ACL Entry

NOTE: This enhancement applies to flow-based ACLs and hardware-based 
ACLs on Layer 3 Switches. The enhancement does not apply to Layer 2 
Switches.

In previous releases, if you applied an outbound ACL to an interface, 
the device sent all inbound traffic to the CPU for processing, before 
forwarding the traffic to the outbound interfaces. In 07.6.01, if an 
interface has an outbound ACL, the device sends traffic that needs to be 
forwarded out that interface to the CPU for processing only if the 
packet’s destination IP address matches the destination address in an 
outbound ACL on the interface. Otherwise, the traffic can be forwarded 
in hardware."

I am still curious to know if anyone has applied outbound ACLs on 
JetCore modules running software >=7.6.01 and seen any CPU/CAM problems.

Devon

Devon wrote:
> All:
> 
> We have recently switched from IronCore to JetCore modules. Back when we
> were running IronCore, it was advised that we try to use only inbound
> ACLs and not outbound ACLs as outbound ACLs placed more work on the box.
> (I vaguely remember the person explaining to me that an outbound ACL
> basically made an inbound ACL on all interfaces)
> 
> Is this still the case with JetCore? Or was I misled in the first place?
> 
> Devon