Title: Please help explain VACL/ACL Performance Impact Differences
-----Original Message-----
From: Gary Flynn [mailto:[EMAIL PROTECTED]]
Sent: Fri 07-06-2002 21:16
To: [EMAIL PROTECTED]
Cc:
Subject: Please help explain VACL/ACL Performance Impact Differences
> Hi,
>
> Is a packet filter still considered relevant discussion here? :)
>
> I'm being asked to convert our Cisco IOS ACLs to VACLs to decrease
> the performance impact on our routers. However, reading the
> implementation documentation (instead of the sales literature)
> makes me question whether there will be any advantage.
>
> Environment:
>
> 6513 with Sup1A/PFC/MSFC with long lists of layer four ACLs.
>
> Various documents say that both ACL and VACL processing is
> done in hardware with the MSFC unless logging is involved.
>
> If they're both done in hardware, where is the performance
> improvement? Is it different hardware or was the performance
> improvement only for the older Sup1 engine without the MSFC
> card which processed IOS ACLs in software?
Nope, the issue is related to netflow switching. As you know, the
logic here is "route one switch many"; this is done using MLSP, which is the
protocol used between the MSFC (L3 engine) and, in your case, the Sup 1A (L2
engine). As soon as a flow is identified, the packets belonging to that flow
are switched. So the problem is that, as you apply an L3 ACL, it would "destroy
flow-switching", because you would need to inspect all the packets and would
always have to take the packet to the L3 engine. BUT in your configuration you
have a PFC (Policy Feature Card), which permits you to apply ACLs at the L2
stage, so the ACLs are processed at the PFC card without performance issues;
that's one of the main reasons for having a PFC.
Regards
BF