If we cannot use the LoUs, it should be expanded it out to individual ACEs.Ī LOU can be referenced by multiple ACEs in the same ACL. TCAM entry for the above 2 will look thus:ĭefinition of ACEs and its order determines the usage of ACL TCAM Masks and entries.ĥ.2 Defining Logical Operations in an ACL to optimize usage of TCAM/LOUs This would result in 1 TCAM entry with 1 mask 255.255.255.254 and since the mask is the same we will use the second of the 8 entries corresponding to this mask. If in anot her ACL adjacent 2 entries are: One example of entries that can mask share would be say a subnet:ġ92.10.10.0 192.10.10.1 both have the same mask 255.255.255.254 (the last bit is don’t care). For 2 ACEs to share the same mask besides having the don’t care bits in the same locations they need to be adjacent to each other in the ACL definition. It is NOT correct to directly correlate number of ACEs configured to number of masks/entries used.Īs you might be aware, an ACL and the TCAM are order dependent. Optimization the usage of TCAM resources:Ĭonsider an ACL (similar to the one discussed in Section 2 above) starts with 9 ACEs checking destination IP address and 5 ACEs checking destination L4 port, then we need totally 3 masks. Opcode: LT = 1, GT = 2, NEQ = 3 and RANGE = 4.ĥ. LOU # Opcode Port# CapMap Count Ace Count
Module ACLent ACLmsk QoSent QoSmsk Lbl-in Lbl-eg LOUsrc LOUdst AND OR ADJ LOUdst - LOU destination, ADJ - ACL adjacency Lbl-in - ingress label, Lbl-eg - egress label, LOUsrc - LOU source, QoSent - QoS TCAM entries, QOSmsk - QoS TCAM masks, OR - ORAND, Key: ACLent - ACL TCAM entries, ACLmsk - ACL TCAM masks, AND - ANDOR, Monitoring the utilization of TCAM and LOUsĦ500A# show platform hardware capacity acl
įig 3: Logical Operation Units in Catalyst 6500Ĥ.
2011 acl free download list software#
If there are more port ranges in the ACL than the available LOUs and L4OPs, they are expanded in software into equivalent entries. So across all ACLs combined we can do 32 source port range (or TCP flag) matches and 32 destination port range (or TCP flag) matches in hardware using the LOUs, and for any specific ACL we can do 10 port range (or TCP flag) operations using the LOUs. Totally, we can do 32 source port range matches and 32 destination port range matches in hardware.Īlso per ACL we have 10 bits called L4Ops that select from the global LOUs, in order to perform a port operation for a given ACE within the ACL. Global LOUs are divided equally for source port and destination port operations and 2 LOUs needed to match port range.
The ACL hardware has 128 hardware LOUs and it is a global resource. The Catalyst 6500 hardware provides Logical Operations in Hardware do these operations. ACL TCAM and Logical Operation Units (LOUs) Mask is 104 bits length and compares Source-IP, Destination-IP, L4 port type (TCP/UDP), Source L4 port and Destination L4 port.ģ. A bit value of 0 in mask means that the corresponding bit position in the value is not compared with the actual traffic being classified (also known as don’t care bit). For every mask allocated, we can have maximum of 8 entries, as shown in the above figure.įor the above mentioned ACL, the TCAM will look like as mentioned below. Let us consider an example ACL and see how the switch populates the TCAM.įirst three ACEs check destination IP address only and rest of the ACEs check destination TCP/UDP port.
2011 acl free download list series#
The ACL TCAM is organized into series of VALUES (aka Entries) and MASK.įig 1: ACL TCAM Organization – Masks, Values and Results Explain how Access Control Lists (ACL) configured in Catalyst 6500 fit into its ACL TCAM and LOUs, and also to optimize the ACL configurations.
0 kommentar(er)
