At 1:58 PM -0400 4/26/02, Anthony Pace wrote:
>These seem to conflict. Is there some historical evolution that allows
>them both to be true at different times on different platforms?
>
>1) Just remember if you run CEF on this router or fast switching (as you
>should) it will process switch if you apply access-lists to interfaces.
>
>2) Actually on ALL platforms, ACLs are fast or CEF-switched by default.

There was quite a bit of historical evolution. Certainly through 9.1 
or so, pretty much every access list was process-switched.  They 
began to evolve, with, IIRC, outbound simple IP lists being the first 
to be fast switched.  Initially, if you put ANY access list on an 
inbound interface, it would force ALL interfaces of the box into 
process switching, including those that had no access lists.

A little later, process switching became specific to the interfaces 
involved (IOS 10.0?), but the more complex lists (e.g., looking at 
TCP/UDP port) went through process switching. Input filtering was 
also treated as a special case for a while.

On a release of the 7000 platform, not the first release, simple 
access lists could run in Silicon Switching.

Frankly, for quite some time, when my students would ask what the 
switching mode would be for an interface in a complex configuration, 
I suggested they configure it and do show ip interface 
to find out.  Things that affected it could include using X.25, 
certain other protocols, etc.  It seemed at times that 
(hypothetically) the 4000M would process switch if the configuration 
contained DecNET and IP, but only if it was booted during the full 
moon of a month with "R" in it.  Then, in the next subrelease, it 
would process switch only if the reboot month DID NOT have an "R" in 
it. The next release would go back to process switching on "R" months 
if you rebooted during the new moon, and fast switch otherwise.

IP accounting initially forced you into process switching, as well as 
IP fragmentation. NetFlow was an answer to the first problem.

The tendency was to avoid access lists on core routers such as the 
GSR, but, eventually, compiled access lists became available.

>
>Anthony Pace
>
>
>""Marty Adkins""  wrote in message
>news:[EMAIL PROTECTED]...
>>  Anthony Pace wrote:
>>  >
>>  > I thought on some platforms there was a way to cache the ACLs and or
>policy
>>  > route-maps so they could be fast/CEF/mls switched. Like the logic got
>>  > compiled and pushed into silicon (or something like that). Is there any
>>  > validity to that?
>>  >
>>  > Anthony Pace
>>  >
>>  Actually on ALL platforms, ACLs are fast or CEF-switched by default.
>>  You can use netflow feature acceleration on models and IOS releases
>>  that support that as well.  ACLs have been fast-switched both inbound
>>  and outbound since IOS 10.0 (quite a ways back :)
>>  Policy routing has been fast/CEF-switched for several major releases.
>>
>>  Yes, ACLs cause impact and yes, how deep it has to search for a match
>>  does make the difference.  So the only true answer is to benchmark a
>>  case with typical traffic mix both with and without the ACL.
>>
>>  The final solution is to use turbo ACLs or Cat6500 ACLs.  The former
>>  finds a match in three lookups for any length ACL.
>>
>>  The one action that does cause IOS process CPU time is the generation of
>>  an ICMP administratively prohibited unreachable message sent back to
>>  the source.  That's why those are rate-limited to one/sec per source.
>>  And you can disable them entirely to prevent a DoS with "no ip
>unreachables".
>>
>>  - Marty
>>
>>  > ""Brunner Joseph""  wrote in message
>>  > news:[EMAIL PROTECTED]...
>>  > > Just remember if you run CEF on this router or fast switching (as you
>>  > > should) it will process switch if you apply access-lists to
>interfaces.
>>  > >
>>  > > Any time you apply ip policy (policy routing) or access lists it
>really
>>  > > hammers the cpu. Do you run MRTG ? If you do consider graphing the
CPU
>of
>>  > > your router. I used to run about 80 to 100 % without cef, (process
>>  > > switching) now I run around 10 to 20 % with cef. Consider using
>"routes
>>  to
>>  > > null" or the bit bucket instead of access lists (unless you're using
the
>>  > ACL's
>>  [snip]
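Two practical points come out of the thread: the only reliable way to know an interface's switching path is to look at "show ip interface", and ACL denies that generate ICMP administratively-prohibited unreachables cost process CPU unless you apply "no ip unreachables". The script below is an added example (it is not part of any message in this thread) that audits "show ip interface" text for exactly those two conditions. It assumes the classic IOS output wording ("IP fast switching is enabled", "Inbound  access list is 101", "ICMP unreachables are never sent"); the sample output it parses is constructed, not captured from a real router.

```python
"""Audit Cisco IOS 'show ip interface' output for the switching-path and
ACL/ICMP-unreachable conditions discussed in the thread.

Added example, not from the original posts.  The field wording below is
the classic IOS format (assumption); the sample text is constructed."""
import re

# Constructed sample: one interface with an inbound ACL still sending
# unreachables, one process-switched interface carrying an outbound ACL.
SAMPLE_SHOW_IP_INTERFACE = """\
FastEthernet0/0 is up, line protocol is up
  Internet address is 192.0.2.1/24
  Outgoing access list is not set
  Inbound  access list is 101
  ICMP unreachables are always sent
  IP fast switching is enabled
  IP CEF switching is enabled
Serial0/0 is up, line protocol is up
  Internet address is 198.51.100.1/30
  Outgoing access list is 120
  Inbound  access list is not set
  ICMP unreachables are never sent
  IP fast switching is disabled
  IP CEF switching is disabled
"""

# Interface header line, e.g. "Serial0/0 is up, line protocol is up"
IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down), line protocol is")


def parse_show_ip_interface(text):
    """Return {interface_name: fields} parsed from 'show ip interface' output.

    fields: inbound_acl / outbound_acl (str or None), icmp_unreachables (bool),
    fast_switching (bool), cef_switching (bool)."""
    interfaces = {}
    current = None
    for raw in text.splitlines():
        m = IFACE_RE.match(raw)
        if m:
            current = {"inbound_acl": None, "outbound_acl": None,
                       "icmp_unreachables": True,   # IOS default: sent
                       "fast_switching": False, "cef_switching": False}
            interfaces[m.group(1)] = current
            continue
        if current is None:
            continue                         # text before the first interface
        line = raw.strip()
        if line.startswith("Inbound") and "access list is" in line:
            value = line.split("access list is", 1)[1].strip()
            current["inbound_acl"] = None if value == "not set" else value
        elif line.startswith("Outgoing access list is"):
            value = line.split("access list is", 1)[1].strip()
            current["outbound_acl"] = None if value == "not set" else value
        elif line.startswith("ICMP unreachables are"):
            current["icmp_unreachables"] = "never" not in line
        elif line.startswith("IP fast switching is"):
            current["fast_switching"] = line.endswith("enabled")
        elif line.startswith("IP CEF switching is"):
            current["cef_switching"] = line.endswith("enabled")
    return interfaces


def audit(interfaces):
    """Flag the two cases the thread warns about.  Returns (interface, issue) pairs.

    - an ACL applied where neither fast nor CEF switching is enabled, i.e.
      the ACL is being evaluated in the process-switching path;
    - an inbound ACL whose denies will generate ICMP unreachables, which
      costs process CPU and is what 'no ip unreachables' suppresses."""
    findings = []
    for name, f in interfaces.items():
        has_acl = f["inbound_acl"] or f["outbound_acl"]
        if has_acl and not (f["fast_switching"] or f["cef_switching"]):
            findings.append((name, "acl-on-process-switched-interface"))
        if f["inbound_acl"] and f["icmp_unreachables"]:
            findings.append((name, "unreachables-sent-for-acl-denies"))
    return findings


if __name__ == "__main__":
    for iface, issue in audit(parse_show_ip_interface(SAMPLE_SHOW_IP_INTERFACE)):
        print(f"{iface}: {issue}")
```

On a live box the text would come from "show ip interface" (all interfaces) rather than the constructed sample; the parser keys on the leading keyword of each field line, so extra lines IOS prints (MTU, helper addresses, NetFlow state) are ignored rather than mis-parsed.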

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42677&t=41738
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]