Cisco Catalyst 4500 Series - TCAM Programming and ACLs

51-10
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
OL-25340-01
Chapter 51 Configuring Network Security with ACLs
TCAM Programming and ACLs
You apply three types of hardware resources when you program ACLs and ACL-based features: mapping table entries (MTEs), profiles, and TCAM value/mask entries. If any of these resources are exhausted, packets are sent to the CPU for software-based processing.
Note Supervisor Engine 6-E, Supervisor Engine 6L-E, Supervisor Engine 7-E, and Supervisor Engine 7L-E automatically manage the available resources. Because masks are not shared on these supervisor engines, only one programming algorithm exists. No regions exist, so region resizing is not needed. If you exhaust resources on the supervisor engine, you should consider reducing the complexity of your configuration.
Note When an interface is in down state, TCAMs are not consumed for RACLs, but are for PACLs.
Layer 4 Operators in ACLs
The following sections provide guidelines and restrictions for configuring ACLs that include Layer 4 port operations:
Restrictions for Layer 4 Operations, page 51-10
Configuration Guidelines for Layer 4 Operations, page 51-11
How ACL Processing Impacts CPU, page 51-12
Restrictions for Layer 4 Operations
You can specify these operator types, each of which uses one Layer 4 operation in the hardware:
gt (greater than)
lt (less than)
neq (not equal)
range (inclusive range)
The limits on the number of Layer 4 operations differ for each type of ACL, and can also vary based on other factors: whether an ACL is applied to incoming or outgoing traffic, whether the ACL is a security ACL or is used as a match condition for a QoS policy, and whether IPv6 ACLs are being programmed using the compressed flow label format.
Note The IPv6 compressed flow label format uses the Layer 2 Address Table to compress a portion of the IPv6 source address of each ACE in the ACL. The extra space freed in the flow label can then be used to support more Layer 4 operations. For this compression to be used, the IPv6 ACL cannot contain any ACEs that mask in only a portion of the bottom 48 bits of the source IPv6 address.
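The following is an added example (not part of the Cisco guide) that audits an IOS ACL configuration for the two points above: it counts the Layer 4 operations (gt, lt, neq, range) each ACL consumes, and it flags IPv6 ACLs whose ACEs mask in only part of the bottom 48 source bits and so cannot use the compressed flow label format. The sample configuration is constructed, and the prefix-length test (/80 or shorter masks none of those bits, /128 masks all, anything in between masks a portion) is my reading of the note, not a rule stated on the page.

```python
import re
# Operators listed on the page, each using one hardware Layer 4 operation ("eq" is not listed, so not counted).
L4_OPERATORS = {"gt", "lt", "neq", "range"}

# Constructed sample configuration (not from the page).
SAMPLE_CONFIG = """\
ip access-list extended WEB-IN
 10 permit tcp any host 192.0.2.10 eq 443
 20 permit tcp any host 192.0.2.10 range 8000 8080
 30 deny tcp any any gt 1023
 40 permit udp any any neq 53
ipv6 access-list V6-IN
 permit tcp 2001:db8::/32 any lt 1024
 permit tcp host 2001:db8::1 any range 20 21
 deny ipv6 2001:db8:0:1::/96 any
"""

def parse_acls(config):
    """Return [(family, name, [ace tokens])] for every ACL in an IOS config."""
    acls = []
    for line in config.splitlines():
        m = re.match(r"^(ip|ipv6) access-list(?: extended| standard)? (\S+)", line)
        if m:
            acls.append((m.group(1), m.group(2), []))
        elif acls and line.startswith(" "):
            tokens = line.split()
            if tokens and tokens[0].isdigit():    # strip an ACE sequence number
                tokens = tokens[1:]
            if tokens and tokens[0] in ("permit", "deny"):
                acls[-1][2].append(tokens)
    return acls

def count_l4_ops(config):
    """Map ACL name -> number of Layer 4 operations its ACEs consume."""
    return {name: sum(t in L4_OPERATORS for ace in aces for t in ace)
            for _, name, aces in parse_acls(config)}

def ipv6_compression_eligible(config):
    """Map IPv6 ACL name -> True if no ACE masks in only part of the bottom 48 source
    bits. Assumption: /80 or shorter masks none, /128 ('host') masks all, between = a portion."""
    result = {}
    for family, name, aces in parse_acls(config):
        if family == "ipv6":
            result[name] = True
            for ace in aces:
                src = ace[2] if len(ace) > 2 else "any"  # 'any' carries no source mask
                plen = 128 if src == "host" else int(src.rsplit("/", 1)[1]) if "/" in src else 0
                if 80 < plen < 128:
                    result[name] = False
    return result
```

Run against a saved `show running-config`, the per-ACL counts can be compared with the limits in the table for the relevant direction and protocol, since exceeding them means the affected traffic is punted to the CPU.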
Generally, the same ACL supports at most the following number of Layer 4 operations:
Direction Protocol Type Operations
------------------------------------------------