Anthony Pace wrote:
> 
> I thought on some platforms there was a way to cache the ACLs and/or policy
> route-maps so they could be fast/CEF/mls switched. Like the logic got
> compiled and pushed into silicon (or something like that). Is there any
> validity to that?
> 
> Anthony Pace
> 
Actually on ALL platforms, ACLs are fast or CEF-switched by default.
You can use netflow feature acceleration on models and IOS releases
that support that as well.  ACLs have been fast-switched both inbound
and outbound since IOS 10.0 (quite a ways back :)
Policy routing has been fast/CEF-switched for several major releases.

Yes, ACLs cause impact and yes, how deep it has to search for a match
does make the difference.  So the only true answer is to benchmark a
case with typical traffic mix both with and without the ACL.

The final solution is to use turbo ACLs or Cat6500 ACLs.  The former
finds a match in three lookups for any length ACL.

The one action that does cause IOS process CPU time is the generation of
an ICMP administratively prohibited unreachable message sent back to
the source.  That's why those are rate-limited to one/sec per source.
And you can disable them entirely to prevent a DoS with "no ip unreachables".

- Marty

> "Brunner Joseph" wrote in message
> news:[EMAIL PROTECTED]...
> > Just remember if you run CEF on this router or fast switching (as you
> > should) it will process switch if you apply access-lists to interfaces.
> >
> > Any time you apply ip policy (policy routing) or access lists it really
> > hammers the cpu. Do you run MRTG ? If you do consider graphing the CPU of
> > your router. I used to run about 80 to 100 % without cef, (process
> > switching) now I run around 10 to 20 % with cef. Consider using "routes to
> > null" or the bit bucket instead of access lists (unless you're using the
> > ACL's
        [snip]
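
The point above about search depth and benchmarking against a typical traffic mix, as an added sketch that is not part of the original message: a linear first-match model that counts how many entries are examined per packet. The ACL, the traffic mix and the function names are constructed for illustration, and the model covers entry order only, not IOS switching paths or turbo ACLs.

```python
import ipaddress

# Constructed ACL: (action, source prefix, destination port or None for any).
ACL = [
    ("deny",   "10.66.0.0/16", None),
    ("deny",   "192.0.2.0/24", None),
    ("permit", "0.0.0.0/0",    25),
    ("permit", "0.0.0.0/0",    53),
    ("permit", "0.0.0.0/0",    443),
    ("deny",   "0.0.0.0/0",    None),   # explicit deny-any
]
# Same policy, with the disjoint permit entries ordered by expected hit rate.
REORDERED = [ACL[0], ACL[1], ACL[4], ACL[3], ACL[2], ACL[5]]

# Constructed traffic mix: (source address, destination port, percent of packets).
MIX = [
    ("198.51.100.7", 443, 70),
    ("198.51.100.9", 53, 20),
    ("203.0.113.5", 25, 5),
    ("10.66.1.1", 80, 3),
    ("198.51.100.7", 8080, 2),
]

def evaluate(acl, src, dport):
    """Linear first-match search; returns (action, entries_examined)."""
    addr = ipaddress.ip_address(src)
    for depth, (action, prefix, port) in enumerate(acl, start=1):
        if addr in ipaddress.ip_network(prefix) and port in (None, dport):
            return action, depth
    return "deny", len(acl)  # implicit deny after examining every entry

def average_depth(acl, mix):
    """Mean number of entries examined per packet, weighted by the mix."""
    total = sum(weight for _, _, weight in mix)
    return sum(evaluate(acl, s, p)[1] * w for s, p, w in mix) / total

def same_policy(a, b, mix):
    """True if both orderings give the same verdict for every flow in the mix."""
    return all(evaluate(a, s, p)[0] == evaluate(b, s, p)[0] for s, p, _ in mix)

if __name__ == "__main__":
    print("original  avg depth:", average_depth(ACL, MIX))
    print("reordered avg depth:", average_depth(REORDERED, MIX))
    print("verdicts unchanged :", same_policy(ACL, REORDERED, MIX))
```

Only entries that cannot match the same packet were swapped, which is why the verdicts stay identical while the average depth drops.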




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42358&t=41738