Re: Please help explain VACL/ACL Performance Impact Differences

2002-06-10 Thread Gary Flynn

Bruno Fernandes wrote:
 
 Nope, the issue is related to netflow switching. As you know, the
 logic here is route one switch many; this is done using MLSP, which
 is the protocol used between the MSFC (L3 engine) and in your case Sup 1A
 (L2 engine). As soon as a flow is identified, the packets belonging to
 that FLOW are switched, so the problem is, as you apply an L3 ACL it would
 destroy flow-switching because you would need to inspect all the
 packets and would always have to take the packet to the L3 engine. BUT in
 your configuration you have a PFC (Policy Feature Card), which permits
 you to apply ACLs at the L2 stage, so the ACLs are processed at the PFC
 card without performance issue; that's one of the main reasons for having
 a PFC.

Our performance concern is with CPU utilization.

While layer two switching may improve overall throughput, it would seem
to have little impact on the main CPU utilization assuming the ACLs
are processed in hardware. True?

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe



RE: Please help explain VACL/ACL Performance Impact Differences

2002-06-09 Thread Bruno Fernandes

  -----Original Message-----
  From: Gary Flynn [mailto:[EMAIL PROTECTED]]
  Sent: Fri 07-06-2002 21:16
  To: [EMAIL PROTECTED]
  Cc:
  Subject: Please help explain VACL/ACL Performance Impact Differences

  Hi,

  Is a packet filter still considered relevant discussion here? :)

  I'm being asked to convert our Cisco IOS ACLs to VACLs to decrease
  the performance impact on our routers. However, reading the
  implementation documentation (instead of the sales literature) makes
  me question whether there will be any advantage.

  Environment: 6513 with Sup1A/PFC/MSFC with long lists of layer four
  ACLs.

  Various documents say that both ACL and VACL processing is done in
  hardware with the MSFC unless logging is involved. If they're both
  done in hardware, where is the performance improvement? Is it
  different hardware or was the performance improvement only for the
  older Sup1 engine without the MSFC card which processed IOS ACLs in
  software?

  Nope, the issue is related to netflow switching. As you know, the
  logic here is "route one switch many"; this is done using MLSP, which
  is the protocol used between the MSFC (L3 engine) and in your case
  Sup 1A (L2 engine). As soon as a flow is identified, the packets
  belonging to that FLOW are switched, so the problem is, as you apply
  an L3 ACL it would "destroy flow-switching" because you would need to
  inspect all the packets and would always have to take the packet to
  the L3 engine. BUT in your configuration you have a PFC (Policy
  Feature Card), which permits you to apply ACLs at the L2 stage, so the
  ACLs are processed at the PFC card without performance issue; that's
  one of the main reasons for having a PFC.

  Regards
  BF
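
The following is an added example, not part of either post and not Cisco's implementation: a simplified Python model of the two cases described in the thread, counting how many packets reach the L3 engine when the ACL is applied there per packet versus when it is applied on the switching path and only the first packet of each flow is routed. The ACL entries, addresses, traffic and all function names are constructed for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src dst proto sport dport")
# Constructed ACL: (action, source net, destination net, protocol, dest port or None)
ACL = [
    ("deny",   "0.0.0.0/0", "10.1.0.0/16", "tcp", 23),
    ("permit", "0.0.0.0/0", "10.1.0.0/16", "tcp", None),
]

def acl_permits(pkt, acl=ACL):
    """First-match evaluation with an implicit deny at the end."""
    for action, src, dst, proto, dport in acl:
        if (ip_address(pkt.src) in ip_network(src)
                and ip_address(pkt.dst) in ip_network(dst)
                and pkt.proto == proto and dport in (None, pkt.dport)):
            return action == "permit"
    return False

def forward(packets, acl_in_hardware):
    """Return (forwarded, dropped, packets_seen_by_l3_engine)."""
    flow_cache = set()   # flows the L3 engine has already routed once
    forwarded = dropped = l3_hits = 0
    for pkt in packets:
        if acl_in_hardware:
            # Model of the PFC case: the filter runs on the switching path.
            if not acl_permits(pkt):
                dropped += 1
                continue
            if pkt not in flow_cache:   # only the first packet is routed
                l3_hits += 1
                flow_cache.add(pkt)
            forwarded += 1
        else:
            # Model of a software ACL: every packet goes to the L3 engine.
            l3_hits += 1
            if acl_permits(pkt):
                forwarded += 1
            else:
                dropped += 1
    return forwarded, dropped, l3_hits

def sample_traffic():
    """Constructed traffic: 3 permitted flows of 100 packets, 1 denied flow of 50."""
    flows = [Packet("192.0.2.10", "10.1.1.5", "tcp", 40000 + i, 80) for i in range(3)]
    telnet = Packet("192.0.2.66", "10.1.1.5", "tcp", 41000, 23)
    return [f for f in flows for _ in range(100)] + [telnet] * 50

if __name__ == "__main__":
    for hw in (False, True):
        print("acl_in_hardware =", hw, forward(sample_traffic(), hw))
```

Both modes forward and drop the same packets; only the third value, the load on the L3 engine, differs.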