RE: How to stash more than 100 ACLs in a router

2001-02-28 Thread Plantier, William


You need to limit your ACLs because the more ACLs you have, the more your CPU usage will go up.
-----Original Message-----
From: ciscojolof [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 28, 2001 9:51 AM
To: [EMAIL PROTECTED]
Subject: How to stash more than 100 ACLs in a router


Guys,

I have a problem, in our network we are rate-limiting customers but we
cannot get more than 100 ACLs per router so once we have over 100 customers
we are compelled to install a second router.



_
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




RE: How to stash more than 100 ACLs in a router

2001-02-28 Thread Murphy, Brian J SSI-ISET-31

Use named access lists
e.g.
ip access-list extended name. - only supported in IOS 11.2 and above

-----Original Message-----
From: ciscojolof [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 28, 2001 3:51 PM
To: [EMAIL PROTECTED]
Subject: How to stash more than 100 ACLs in a router


Guys,

I have a problem, in our network we are rate-limiting customers but we
cannot get more than 100 ACLs per router so once we have over 100 customers
we are compelled to install a second router.






RE: How to stash more than 100 ACLs in a router

2001-02-28 Thread roger . gore

In my experience, it's the length of the ACLs that hose your CPU, not the
quantity.  Fast switching alleviates this (CPU problems) a great deal anyway.
I turned on ip route-cache flow on a router with a HUGE ACL and saw the CPU
(IP input) drop from 60% to 20%.

Might named or timed ACLs provide a solution?

Good luck.
Roger

-----Original Message-----
From: Plantier, William [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 28, 2001 08:10
To: 'ciscojolof'; [EMAIL PROTECTED]
Subject: RE: How to stash more than 100 ACLs in a router



You need to limit your ACLs because the more ACLs you have, the more your CPU usage will go up.
-----Original Message-----
From: ciscojolof [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 28, 2001 9:51 AM
To: [EMAIL PROTECTED]
Subject: How to stash more than 100 ACLs in a router


Guys,

I have a problem, in our network we are rate-limiting customers but we
cannot get more than 100 ACLs per router so once we have over 100 customers
we are compelled to install a second router.






RE: How to stash more than 100 ACLs in a router

2001-02-28 Thread Rizzo Damian

Not sure what you're using your access lists for, but you may want to
consider implementing CBAC or Reflexive Access Lists.



-----Original Message-----
From: Murphy, Brian J SSI-ISET-31 [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 28, 2001 10:22 AM
To: 'ciscojolof'; [EMAIL PROTECTED]
Subject: RE: How to stash more than 100 ACLs in a router


Use named access lists
e.g.
ip access-list extended name. - only supported in IOS 11.2 and above

-----Original Message-----
From: ciscojolof [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 28, 2001 3:51 PM
To: [EMAIL PROTECTED]
Subject: How to stash more than 100 ACLs in a router


Guys,

I have a problem, in our network we are rate-limiting customers but we
cannot get more than 100 ACLs per router so once we have over 100 customers
we are compelled to install a second router.






RE: How to stash more than 100 ACLs in a router

2001-02-28 Thread Frank Wells

Named access lists don't suffer from the 100 limit.  Try using those and see
if it helps.  Otherwise, consolidate all the customers who have the same
rate limits into one access-list.  This should free up quite a few access
list slots. I doubt that you offer 100 different types of rate-limits, right?




>From: "Plantier, William" <[EMAIL PROTECTED]>
>Reply-To: "Plantier, William" <[EMAIL PROTECTED]>
>To: "'ciscojolof'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>Subject: RE: How to stash more than 100 ACLs in a router
>Date: Wed, 28 Feb 2001 10:10:02 -0500
>
>You need to limit your ACLs because the more ACLs you have, the more your
>CPU usage will go up.
>-----Original Message-----
>From: ciscojolof [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, February 28, 2001 9:51 AM
>To: [EMAIL PROTECTED]
>Subject: How to stash more than 100 ACLs in a router
>
>
>Guys,
>
>I have a problem, in our network we are rate-limiting customers but we
>cannot get more than 100 ACLs per router so once we have over 100 customers
>we are compelled to install a second router.
>
>
>



RE: How to stash more than 100 ACLs in a router

2001-02-28 Thread Howard C. Berkowitz

>You need to limit your ACLs because the more ACLs you have, the more your CPU usage will go up.


No, the total number of ACLs affects memory but not CPU.

The number of lines in each ACL affects CPU.

Depending on platform and switching mode, adding access-lists at ALL 
is the main impact on performance and CPU.

But saying you need to limit your ACL's because usage will go up 
doesn't make sense.  If you have a legitimate need for the functions 
that the ACLs perform, and your CPU isn't fast enough, you need to 
get a router with a faster CPU.  The ACLs are there for a business 
reason.  The only justification for the router is to meet business 
requirements.  There's no value to conserving a resource just for the 
sake of conserving it.

>-----Original Message-----
>From: ciscojolof [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, February 28, 2001 9:51 AM
>To: [EMAIL PROTECTED]
>Subject: How to stash more than 100 ACLs in a router
>
>
>Guys,
>
>I have a problem, in our network we are rate-limiting customers but we
>cannot get more than 100 ACLs per router so once we have over 100 customers
>we are compelled to install a second router.

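
The distinction drawn in the message above (total ACL entries cost memory, lines per applied ACL cost CPU) can be seen in a small model. This is an added example, not part of the original thread; it assumes plain top-down first-match evaluation with no compiled lookup or flow cache, and all prefixes and packets are constructed.

```python
import ipaddress

def build_acl(prefixes):
    """Ordered list of (action, network) lines; constructed sample data."""
    return [("permit", ipaddress.ip_network(p)) for p in prefixes]

def evaluate(acl, dst):
    """Top-down first match. Returns (action, lines_examined)."""
    addr = ipaddress.ip_address(dst)
    for examined, (action, net) in enumerate(acl, start=1):
        if addr in net:
            return action, examined
    return "deny", len(acl)  # implicit deny: every line was tested first

def total_lines(acls):
    """Memory proxy: entries stored across all configured ACLs."""
    return sum(len(a) for a in acls)

def mean_examined(pairs):
    """CPU proxy: average lines tested per packet, for (acl, dst) pairs."""
    costs = [evaluate(acl, dst)[1] for acl, dst in pairs]
    return sum(costs) / len(costs)

# Constructed inputs: 100 customers, one /24 each, one packet per customer.
PREFIXES = [f"10.0.{i}.0/24" for i in range(100)]
PACKETS = [f"10.0.{i}.1" for i in range(100)]

def many_short():
    """100 ACLs of one line; each packet meets only its own customer's ACL."""
    acls = [build_acl([p]) for p in PREFIXES]
    return total_lines(acls), mean_examined(list(zip(acls, PACKETS)))

def one_long():
    """One ACL of 100 lines applied to all traffic."""
    acl = build_acl(PREFIXES)
    return total_lines([acl]), mean_examined([(acl, d) for d in PACKETS])

if __name__ == "__main__":
    print("100 x 1-line ACLs (stored lines, mean examined):", many_short())
    print("1 x 100-line ACL  (stored lines, mean examined):", one_long())
```

Both layouts store the same 100 lines, but the per-packet work differs by a factor of about fifty, and a packet that matches nothing pays for the whole list before the implicit deny.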



Re: How to stash more than 100 ACLs in a router

2001-02-28 Thread Brian


If you're talking about IP ACLs, in 12.1 / 12.0T Cisco has added more
ACLs for IP; check the release notes, it's no longer limited to 100
extended and standard IP ACLs.

On Wed, 28 Feb 2001, ciscojolof wrote:

> Guys,
>
> I have a problem, in our network we are rate-limiting customers but we
> cannot get more than 100 ACLs per router so once we have over 100 customers
> we are compelled to install a second router.
>
>
>
>


---
Special: Catalyst 3100 switch & 2503 router
 module $1000.00 (16MB / 8MB)!!!

I'm buying / selling used CISCO gear!!
email me for a quote

Brian Feeny,CCDP,CCNP+VAS     Scarlett Parria
[EMAIL PROTECTED]             [EMAIL PROTECTED]
318-222-2638 x 109            318-222-2638 x 101

Netjam, LLC                   http://www.netjam.net
1401 Oden St.                 VISA/MC/AMEX/COD
Suite 18                      Cisco Channel Partner
Shreveport, LA 71104
Fax 318-221-6612




RE: How to stash more than 100 ACLs in a router

2001-03-01 Thread Erick B.

On the higher-end routers you can compile the ACLs and
they get processed a little bit quicker. The feature
is called Turbo ACLs. I haven't had an opportunity to
be around a higher-end router long enough to really
test them to see how much of a difference it makes.

--- "Howard C. Berkowitz" <[EMAIL PROTECTED]> wrote:
> >You need to limit your ACLs because the more ACLs
> you have, the more your CPU usage will go up.
> 
> 
> No, the total number of ACLs affects memory but not
> CPU.
> 
> The number of lines in each ACL affects CPU.
> 
> Depending on platform and switching mode, adding
> access-lists at ALL 
> is the main impact on performance and CPU.
> 
> But saying you need to limit your ACL's because
> usage will go up 
> doesn't make sense.  If you have a legitimate need
> for the functions 
> that the ACLs perform, and your CPU isn't fast
> enough, you need to 
> get a router with a faster CPU.  The ACLs are there
> for a business 
> reason.  The only justification for the router is to
> meet business 
> requirements.  There's no value to conserving a
> resource just for the 
> sake of conserving it.
> 
> >-----Original Message-----
> >From: ciscojolof [mailto:[EMAIL PROTECTED]]
> >Sent: Wednesday, February 28, 2001 9:51 AM
> >To: [EMAIL PROTECTED]
> >Subject: How to stash more than 100 ACLs in a
> router
> >
> >
> >Guys,
> >
> >I have a problem, in our network we are
> rate-limiting customers but we
> >cannot get more than 100 ACLs per router so once we
> have over 100 customers
> >we are compelled to install a second router.
> 



RE: How to stash more than 100 ACLs in a router

2001-03-01 Thread Howard C. Berkowitz

>[EMAIL PROTECTED]  wrote,



>On the higher-end routers you can compile the ACLs and
>they get processed a little bit quicker. The feature
>is called Turbo ACLs. I haven't had an opportunity to
>be around a higher-end router long enough to really
>test them to see how much of a difference it makes.


True.  As you suggest, it _is_ important to see if access list
performance problems actually are significant in _your_ context.

Fact, as can be seen from any number of posts on the NANOG mailing
list:  providers that exchange large exterior routing tables can't
filter them even if they want to.  In general, such providers trust
their peers will already have filtered their provider routes, but are
exposed to someone that hacks their peer network from the inside, or
simply a misconfiguration inside their peer. But, in this context,
we are talking about access lists with tens of thousands of rules.

Processing power isn't always the limitation in working with such
filters.  One large provider, who filters extensively, has a bold
warning sign on its main router consoles:  DO NOT WRITE MEM/SAVE RUNNING START.
Their access lists exceed the size of NVRAM, and cannot be saved to 
it.  They MUST keep a small configuration in NVRAM, and then TFTP in 
the access lists.

Processors are much faster now than on earlier routers, and 
processing power isn't always the problem. Yes, it is sometimes.  But 
I don't recommend huge amounts of effort to minimize access lists 
unless:

 1.  You regularly monitor CPU utilization and see either a trend
 or actual statistics that will take you much above 50-60%
 5-minute utilization. There are LOTS of simplifying assumptions
 here; it's only a guideline.

 2.  You are CERTAIN that you have enough outgoing bandwidth that
 queueing for the medium isn't a problem.

 3.  You are CERTAIN your processing load can't be reduced by
 configuring different switching modes and/or thinking through
 carefully that you have the most efficient placement of access
 lists with respect to interfaces.  In other words, it might
 be much better not to have access lists at all on inbound
 interfaces, but only on outbound interfaces, because the load
 often depends more on the presence or absence of an access list
 (and the consequent effect on switching path) than it does on
 number of lines in the list.

>
>--- "Howard C. Berkowitz" <[EMAIL PROTECTED]> wrote:
>>  >You need to limit your ACLs because the more ACLs
>>  you have, the more your CPU usage will go up.
>>
>>
>>  No, the total number of ACLs affects memory but not
>>  CPU.
>>
>>  The number of lines in each ACL affects CPU.
>>
>>  Depending on platform and switching mode, adding
>>  access-lists at ALL
>>  is the main impact on performance and CPU.
>>
>>  But saying you need to limit your ACL's because
>>  usage will go up
>>  doesn't make sense.  If you have a legitimate need
>>  for the functions
>>  that the ACLs perform, and your CPU isn't fast
>>  enough, you need to
>>  get a router with a faster CPU.  The ACLs are there
>>  for a business
>>  reason.  The only justification for the router is to
>>  meet business
>>  requirements.  There's no value to conserving a
>>  resource just for the
>>  sake of conserving it.

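
One way to apply guideline 1 from the message above, as an added example that is not part of the original thread: read the five-minute figure from the header line of periodic `show processes cpu` captures and flag either a reading at the guideline or a trend heading there. The sample lines are constructed, and the 50% guideline (lower end of the 50-60% range), the 12-sample projection horizon and the function names are assumptions.

```python
import re

FIVE_MIN = re.compile(r"five minutes:\s*(\d+)%")

def five_minute_values(lines):
    """Pull the five-minute figure from each 'CPU utilization' header line."""
    out = []
    for line in lines:
        m = FIVE_MIN.search(line)
        if m:
            out.append(int(m.group(1)))
    return out

def slope(values):
    """Least-squares slope, in percentage points per sample."""
    n = len(values)
    if n < 2:
        return 0.0
    mx = (n - 1) / 2
    my = sum(values) / n
    num = sum((x - mx) * (y - my) for x, y in enumerate(values))
    den = sum((x - mx) ** 2 for x in range(n))
    return num / den

def assess(lines, guideline=50, horizon=12):
    """'over' if the latest reading is at the guideline, 'trending' if the
    fitted trend reaches it within `horizon` more samples, else 'ok'."""
    vals = five_minute_values(lines)
    if not vals:
        return "no-data"
    if vals[-1] >= guideline:
        return "over"
    projected = vals[-1] + slope(vals) * horizon
    return "trending" if projected >= guideline else "ok"

def sample(five_min_series):
    """Constructed header lines in the format the router prints."""
    return [f"CPU utilization for five seconds: {v + 3}%/9%; "
            f"one minute: {v + 1}%; five minutes: {v}%" for v in five_min_series]

RISING = sample([30, 32, 35, 37, 40, 42])
FLAT = sample([20, 21, 20, 19, 20, 20])
OVER = sample([48, 52, 55, 58, 61, 63])

if __name__ == "__main__":
    for name, data in (("rising", RISING), ("flat", FLAT), ("over", OVER)):
        print(name, five_minute_values(data), assess(data))
```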



Re: How to stash more than 100 ACLs in a router

2001-03-01 Thread kent . hundley

Another alternative is to use named access-lists, which allow you 
to reference an acl using a user-defined name instead of a number. 
 This feature was introduced in IOS 11.2 and theoretically allows 
you to create an unlimited number of acls.  

HTH,
Kent

On 28 Feb 2001, at 21:37, Brian wrote:

> 
> If you're talking about IP ACLs, in 12.1 / 12.0T Cisco has added more
> ACLs for IP; check the release notes, it's no longer limited to 100
> extended and standard IP ACLs.
> 
> On Wed, 28 Feb 2001, ciscojolof wrote:
> 
> > Guys,
> >
> > I have a problem, in our network we are rate-limiting customers but
> > we cannot get more than 100 ACLs per router so once we have over 100
> > customers we are compelled to install a second router.
> >