CPU impact with ACLs

Guest

CPU impact with ACLs

Post by Guest » Sun Mar 09, 2008 5:23 pm

Hi all,

I have a requirement to apply an ACL on around 100 interfaces to block certain UDP and TCP ports due to government regulation requirements. I've a 7609 router with a SUP720-3BXL supervisor engine (acting as an MPLS PE in our network) with an average CPU of 40%.

1. Will there be any huge CPU increase by applying this single ACL on around 100 interfaces? (Any practical experience from any of you?)
2. Will ACLs be processed in the control plane, even though I apply them on individual interfaces/different line cards?

Can anyone help me understand this?

Thanks,
Chaminda

Guest

Re:CPU impact with ACLs

Post by Guest » Sun Mar 09, 2008 5:38 pm

Hello Chaminda,

In the C7600, unless using the log option, packets are processed by CEF, not process switched. We have ACLs on PE nodes for client VLANs, in the order of 20-30 client VLANs.

Hope to help,
Giuseppe

Guest

Re:CPU impact with ACLs

Post by Guest » Sun Mar 09, 2008 6:56 pm

Hello Giuseppe,

Thanks for your update and for sharing your experience.

Thanks,
ChamindaW

Guest

Re:CPU impact with ACLs

Post by Guest » Sun Mar 09, 2008 7:18 pm

This can be a very complex topic. The architectures of the 6500 and 7600 are very similar, so I would read through this document:

Understanding ACL on Catalyst 6500 Series Switches
http://tools.cisco.com/squish/50095

If the ACLs configured do not exceed the TCAM limits and the ACL is programmed into the TCAM, then the CPU on the supervisor should not be impacted. If the ACL is programmed into the TCAM, then all of the checking will be done by the PFC/DFC.

Guest

Re:CPU impact with ACLs

Post by Guest » Sun Mar 09, 2008 7:20 pm

Hello George,

Thanks for your valuable update. Here is my TCAM count.

COL001-PE4#sh tcam counts
              Used        Free        Percent Used       Reserved
              ----        ----        ------------       --------
 Labels:(in)    13        4083             0
 Labels:(eg)     3        4093             0

ACL_TCAM
--------
  Masks:        31        4065             0                72
Entries:       193       32575             0               576

QOS_TCAM
--------
  Masks:        10        4086             0                18
Entries:        52       32716             0               144

    LOU:         0         128             0
  ANDOR:         0          16             0
  ORAND:         0          16             0
    ADJ:         3        2045             0

I believe I can use the free ACL_TCAM space for my requirement, provided it doesn't exceed the maximum limit.

Also, one more clarification: in your post you mentioned "the ACL is programmed into the TCAM". What does this really mean? Do we need to do anything manually to cater for this requirement?

Thanks,
ChamindaW
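Added example, not part of any post in this thread and not Cisco tooling: a small Python parser for the `sh tcam counts` output posted above, with a check that a planned ACL keeps ACL_TCAM masks and entries under a utilisation ceiling. The planned entry and mask figures and the 80% ceiling are assumptions for illustration; one ACE does not always map to exactly one TCAM entry, so the estimate has to come from the operator.

```python
import re

# Output as posted in the thread (values unchanged, columns re-aligned).
SAMPLE = """\
COL001-PE4#sh tcam counts
           Used        Free        Percent Used       Reserved
 Labels:(in) 13        4083            0
 Labels:(eg)  3        4093            0
ACL_TCAM
--------
  Masks:     31        4065            0                 72
Entries:    193       32575            0                576
QOS_TCAM
--------
  Masks:     10        4086            0                 18
Entries:     52       32716            0                144
    LOU:      0         128            0
  ANDOR:      0          16            0
  ORAND:      0          16            0
    ADJ:      3        2045            0
"""

ROW = re.compile(r"^\s*([A-Za-z_]+):(\([a-z]+\))?\s+(\d+)\s+(\d+)\s+(\d+)(?:\s+(\d+))?\s*$")

def parse_tcam_counts(text):
    """Return {section: {row: {used, free, pct, reserved}}}."""
    counts, section = {}, "global"
    for line in text.splitlines():
        if re.fullmatch(r"[A-Z]+_TCAM", line.strip()):
            section = line.strip()
            continue
        m = ROW.match(line)
        if not m:
            continue  # prompt, column headers, dashed rules
        name = m.group(1) + (m.group(2) or "")
        # Only Masks/Entries rows belong to a *_TCAM block; other rows go to "global".
        owner = section if m.group(1) in ("Masks", "Entries") else "global"
        used, free, pct = (int(m.group(i)) for i in (3, 4, 5))
        reserved = int(m.group(6)) if m.group(6) else None
        counts.setdefault(owner, {})[name] = dict(used=used, free=free, pct=pct, reserved=reserved)
    return counts

def acl_headroom(counts, planned_entries, planned_masks, max_pct=80):
    """True if ACL_TCAM masks and entries stay at or below max_pct (assumed ceiling)."""
    acl = counts["ACL_TCAM"]
    for row, planned in (("Entries", planned_entries), ("Masks", planned_masks)):
        total = acl[row]["used"] + acl[row]["free"]
        if (acl[row]["used"] + planned) * 100 > max_pct * total:
            return False
    return True

if __name__ == "__main__":
    c = parse_tcam_counts(SAMPLE)
    print(c["ACL_TCAM"], acl_headroom(c, planned_entries=200, planned_masks=50))
```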
