Turbo Access Control List Scalability Enhancements
Last Updated: May 14, 2011
The Turbo Access Control List (ACL) Scalability Enhancements feature introduced in Cisco IOS Release 12.2(31)SB2 improves overall performance on the Cisco 7304 router using a Network Services Engine (NSE) by allowing Turbo ACLs to be processed in PXF using less memory, thereby allowing more traffic traversing the Cisco 7304 router using an NSE to be PXF-accelerated. This feature also introduces user-configuration options that allow users to define the amount of memory used for Turbo ACL purposes in the Route Processor (RP) processing path.
Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Turbo Access Control List Scalability Enhancements

Because the portion of this feature that more expediently removes older entries works in the PXF processing path, PXF must be enabled for this particular functionality to have any benefit. PXF processing is enabled by default.

Restrictions for Turbo Access Control List Scalability Enhancements

This feature is not available for Cisco 7304 routers using an NPE-G100.

Information About Turbo Access Control List Scalability Enhancements
How Turbo ACL on the Cisco 7304 Router Using an NSE Works

With the exception that most Turbo ACL classification is PXF-accelerated on a Cisco 7304 router using an NSE-100 or an NSE-150, Turbo ACL classification on the Cisco 7304 router using an NSE-100 or NSE-150 is similar in behavior to Turbo ACL on other platforms. For information on Turbo ACL, see Turbo Access Control Lists. For information on PXF on Cisco 7304 routers using an NSE-100 or an NSE-150, including the Turbo ACL features that are PXF-accelerated, see PXF Information for the Cisco 7304 Router.

How Turbo ACL Scalability Enhancements on the NSEs Improves Overall PXF Performance

The memory allocated in PXF for Turbo Access Control Lists (ACLs), especially on the NSE-100, is limited to the point where even modestly sized ACL configurations cause a large amount of PXF memory to be used for Turbo ACL processing. As a result, a large amount of network traffic that should be processed through the PXF processing path is instead processed through the RP path.

This enhancement is part of a series of enhancements to improve Turbo ACL functionality on the Cisco 7304 router using the NSE-100. Specifically, this feature keeps the entries for PXF-based Turbo ACL classification current by more actively removing older entries. The older entries, which are no longer used for current traffic flows, still consume memory and, therefore, cause traffic that would normally be PXF-accelerated to instead be punted to the RP. This portion of the feature, which does not require user configuration, improves overall traffic flow on the Cisco 7304 router using an NSE by allowing more network traffic to be PXF-accelerated.

How Turbo ACL Scalability Enhancements on the NSEs Improves Overall Route Processing Performance

These Turbo ACL scalability enhancements also introduce an enhancement that allows users, via configuration commands, to configure the amount of memory reserved for ACL processing on the RP.
The ability to configure the amount of memory reserved for ACL processing in the RP path gives users the option either to improve ACL processing performance in the RP path by reserving more memory for ACL processing, or to improve all other RP path functionality by reserving less memory for ACL processing. In Cisco IOS releases not containing this feature, the amount of memory reserved for RP ACL handling is fixed.

Understanding Memory Limits for Turbo ACL Processes on the Route Processor

An NSE-150 has 2 GB of DRAM. NSE-100 RAM is user-configurable using an SDRAM SODIMM. While most NSE-100s have 512 MB of RAM, 256-MB and 128-MB SDRAM SODIMMs for the NSE-100 exist.

On a Cisco 7304 router using an NSE-150, the default memory limit for Turbo ACL processes (such as classification, compilation, and table storage) of Layer 3 and Layer 4 data in the RP path is always 256 MB. The default memory limit for Turbo ACL processes for Layer 2 data in the RP path for a Cisco 7304 router using an NSE-150 is always 128 MB.

On a Cisco 7304 router using an NSE-100, the default amount of memory reserved for Turbo ACL processes in the RP path is dependent upon the amount of SDRAM configured on the NSE-100. If the NSE has 512 MB of SDRAM or more, the default memory limit for Turbo ACL processes for Layer 3 and Layer 4 traffic processing is 256 MB. If the processor has less than 512 MB of SDRAM, the default memory limit for Turbo ACL processes for Layer 3 and Layer 4 traffic is 128 MB. The default amount of memory reserved for Layer 2 Turbo ACL processes for a Cisco 7304 router using an NSE-100 is always 128 MB, regardless of the amount of memory configured on the processor.

To see the default amount of memory reserved for Layer 2 or for Layer 3 and Layer 4 Turbo ACL processing on your Cisco 7304 router, enter the show access-list compiled command.
The "Mb default limit" output, which appears in both the "Compiled ACL statistics for IPv4" and "Compiled ACL statistics for Data-Link" sections of the output, shows you the default memory reservations for either Layer 2 or Layer 3 and Layer 4 Turbo ACL processing. See "Monitoring Turbo ACL Memory Usage in the Route Processing Path" for a more detailed explanation of this procedure.

To change the default amount of memory reserved for Layer 2 or Layer 3 and Layer 4 Turbo ACL processing on your Cisco 7304 router, enter the access-list compiled [ipv4 | data-link] limit memory number command.

To restore the default amount of memory reserved for Layer 2 or Layer 3 and Layer 4 Turbo ACL processing on your Cisco 7304 router, enter the default access-list compiled [ipv4 | data-link] limit memory command.

To learn more about the SDRAM SODIMMs that determine the amount of SDRAM available for Cisco 7304 routers using an NSE-100, see NSE-100 Memory Information.

Benefits

Improved Traffic Flow

This feature improves Turbo ACL processing in PXF by more expediently removing older entries. As a result, more Turbo ACL processing can be done in the PXF processing path, thereby allowing more router traffic to be accelerated using the PXF processing path.

Configuration of Route Processor Memory Limits for ACL Processing

This feature allows users to set the amount of memory reserved for ACL processes (such as compilation, storage, and classification) in the RP path. Users who need more memory for ACL processes now have the ability to set aside additional memory resources in the RP path for ACL processes. Users who need more memory for other processes in the RP path now can set aside less memory for ACL processes.
How to Configure Turbo Access Control List Scalability Enhancements

It is important to note that the portion of this feature that more expediently removes older ACL entries for ACLs being processed in the PXF processing path occurs automatically without user configuration. The following sections contain procedures for configuring memory reservations for Turbo ACL processing on the RP:
Monitoring Turbo ACL Memory Usage in the Route Processing Path

Before setting the actual memory limits for RP-based Turbo ACL usage, it may be helpful to gather information regarding the amount of memory being used for Turbo ACL usage. To monitor your Turbo ACL memory usage in the RP path, you must complete the following steps.

DETAILED STEPS

Configuring a User-Defined Memory Limitations for Turbo ACL Processing Path

To enable memory limitations for Turbo ACL processing of Layer 3 and Layer 4 data in the RP path, you must complete the following steps.

DETAILED STEPS

Removing Memory Limits for Turbo ACL Processing of Layer 3 and Layer 4 Data in the Route Processing Path

Removing all memory limits for Turbo ACL processes in the Route Processor allows all route processing memory to be used for Turbo ACL processing of Layer 3 and Layer 4 data, if necessary. It is important to note that this functionality is not used to remove a previously configured limit, even though it is a no form of a command.

To remove all memory limits for Turbo ACL processing for Layer 3 and Layer 4 data and to allow as much memory as needed for Layer 3 and Layer 4 Turbo ACL processing in the RP path, you must complete the following steps.

DETAILED STEPS

Restoring the Default Memory Limits for Turbo ACL Processing of Layer 3 and 4 Data in the Route Processing Path

The default memory limit for Turbo ACL processing of Layer 3 and Layer 4 data in the RP path is always 256 MB on the NSE-150. On the NSE-100, the default memory limit for Turbo ACL processing of Layer 3 and Layer 4 data in the RP path is dependent on the amount of memory on your NSE-100. If you have more than 512 MB of memory configured on your processor, your default memory limit for RP-based Turbo ACL processing is 256 MB. If you have less than 512 MB of memory, your default memory limit for RP-based Turbo ACL processing is 128 MB.
To restore the default RP memory limit settings for Turbo ACL processing of Layer 3 and Layer 4 traffic, you must complete the following steps.

DETAILED STEPS

Layer 2 Data in the Route Processing Path

To enable a memory limitation setting for Turbo ACL processing of Layer 2 data in the RP path, you must complete the following steps.

DETAILED STEPS

Removing Memory Limits for Turbo ACL Processing of Layer 2 Data in the Route Processing Path

Removing all memory limits for Turbo ACL processing of Layer 2 data in the Route Processor allows all route processing memory to be used for Turbo ACL processing of Layer 2 data, if necessary. It is important to note that this functionality is not used to remove a previously configured limit, even though it is a no form of a command.

To remove all RP-based memory limits for Turbo ACL processing for Layer 2 data and to allow as much memory as needed for Layer 2 Turbo ACL processing, you must complete the following steps.

DETAILED STEPS

Restoring the Default Memory Limits for Turbo ACL Processing of Layer 2 Data in the Route Processing Path

The default memory limit for Turbo ACL processing of Layer 2 data in the RP processing path is 128 MB for the NSE-100 and NSE-150. To restore the default RP-based memory limit setting for Turbo ACL processing of Layer 2 data, you must complete the following steps.

DETAILED STEPS

Verifying Memory Limitation Settings for Turbo ACL Processing

To verify RP-based memory limitation settings for Turbo ACL processing, you must complete the following steps.

DETAILED STEPS

Configuration Examples for Turbo Access Control List Scalability Enhancements
Example Monitoring Memory Limitations for Layer 2 or Layer 3 and Layer 4 ACL Processing

In the following example, the show access-list compiled command is entered. Note the following, which are italicized in the example output:
Router# show access-lists compiled
Compiled ACL statistics for IPv4:
ACL          State        Entries  Config  Fragment  Redundant
102          Operational  1        1       0         0
103          Operational  1        1       0         0
104          Operational  1        1       0         0
105          Operational  1        1       0         0
106          Operational  1        1       0         0
112          Operational  1        1       0         0
ws_def_acl   Operational  1        1       0         0
7 ACLs, 7 active, 1 builds, 7 entries, 1408 ms last compile
1 history updates, 2000 history entries
0 mem limits, 65 Mb limit, 256 Mb default limit, 1 Mb max memory
0 compile failures, 0 priming failures
Overflows: L1 0, L2 0, L3 0
Table expands:[9]=0 [10]=0 [11]=0 [12]=0 [13]=0 [14]=0 [15]=0
L0: 1803Kb 2/3 8/9 3/4 2/3 2/3 2/3 2/3 2/3
L1: 5Kb 3/27 3/12 2/9 2/9
L2: 4Kb 3/150 2/81
L3: 7Kb 3/250
Ex: 8Kb
Tl: 1828Kb
41 equivs (18 dynamic)
Compiled ACL statistics for Data-Link:
ACL          State        Entries  Config  Fragment  Redundant
int-l2-0     Operational  1        1       0         0
int-l2-1     Operational  2        2       0         0
int-l2-2     Operational  3        3       0         0
int-l2-3     Operational  4        4       0         0
int-l2-4     Operational  1        1       0         0
int-l2-5     Operational  199      199     0         0
int-l2-6     Operational  200      200     0         0
int-l2-8     Operational  3        3       0         0
int-l2-10    Operational  2        2       0         0
int-l2-15    Operational  1        1       0         0
int-l2-16    Operational  2        2       0         0
int-l2-17    Operational  3        3       0         0
int-l2-18    Operational  1        1       0         0
19 ACLs, 13 active, 22 builds, 422 entries, 832 ms last compile
0 history updates, 524288 history entries
0 mem limits, 128 Mb limit, 128 Mb default limit, 0 Mb max memory
0 compile failures, 0 priming failures
Overflows: L1 3
Table expands:[3]=3
L0: 593Kb 1013/1014 2/3
L1: 86Kb 1013/1518
Ex: 191Kb
Tl: 871Kb
2028 equivs (1013 dynamic)

Example Verifying ACL Memory Limit Configurations

In the following example, a 65-MB limit has been configured for Layer 3 and Layer 4 ACL processing, while the Layer 2 ACL memory reservations have not been changed.
See the italicized output in the following example to view the changes:

Router# show access-lists compiled
Compiled ACL statistics for IPv4:
ACL          State        Entries  Config  Fragment  Redundant
102          Operational  1        1       0         0
103          Operational  1        1       0         0
104          Operational  1        1       0         0
105          Operational  1        1       0         0
106          Operational  1        1       0         0
112          Operational  1        1       0         0
ws_def_acl   Operational  1        1       0         0
7 ACLs, 7 active, 1 builds, 7 entries, 1408 ms last compile
1 history updates, 2000 history entries
0 mem limits, 65 Mb limit, 256 Mb default limit, 1 Mb max memory
0 compile failures, 0 priming failures
Overflows: L1 0, L2 0, L3 0
Table expands:[9]=0 [10]=0 [11]=0 [12]=0 [13]=0 [14]=0 [15]=0
L0: 1803Kb 2/3 8/9 3/4 2/3 2/3 2/3 2/3 2/3
L1: 5Kb 3/27 3/12 2/9 2/9
L2: 4Kb 3/150 2/81
L3: 7Kb 3/250
Ex: 8Kb
Tl: 1828Kb
41 equivs (18 dynamic)
Compiled ACL statistics for Data-Link:
ACL          State        Entries  Config  Fragment  Redundant
int-l2-0     Operational  1        1       0         0
int-l2-1     Operational  2        2       0         0
int-l2-2     Operational  3        3       0         0
int-l2-3     Operational  4        4       0         0
int-l2-4     Operational  1        1       0         0
int-l2-5     Operational  199      199     0         0
int-l2-6     Operational  200      200     0         0
int-l2-8     Operational  3        3       0         0
int-l2-10    Operational  2        2       0         0
int-l2-15    Operational  1        1       0         0
int-l2-16    Operational  2        2       0         0
int-l2-17    Operational  3        3       0         0
int-l2-18    Operational  1        1       0         0
19 ACLs, 13 active, 22 builds, 422 entries, 832 ms last compile
0 history updates, 524288 history entries
0 mem limits, 128 Mb limit, 128 Mb default limit, 0 Mb max memory
0 compile failures, 0 priming failures
Overflows: L1 3
Table expands:[3]=3
L0: 593Kb 1013/1014 2/3
L1: 86Kb 1013/1518
Ex: 191Kb
Tl: 871Kb
2028 equivs (1013 dynamic)
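The memory-limit check described in the monitoring and verification examples can be scripted when the output is collected from many routers. The following is an added example, not Cisco code: it parses the summary lines of show access-lists compiled output (one output line per text line) and reports, per section, a configured limit that differs from the default and any non-zero counters. The function names are hypothetical, and treating non-zero "mem limits", failure and overflow counters as worth reviewing is an assumption, since this page does not define them.

```python
import re

# Constructed sample: summary lines abridged from the example output on this page.
SAMPLE = """\
Compiled ACL statistics for IPv4:
0 mem limits, 65 Mb limit, 256 Mb default limit, 1 Mb max memory
0 compile failures, 0 priming failures
Overflows: L1 0, L2 0, L3 0
Tl: 1828Kb
Compiled ACL statistics for Data-Link:
0 mem limits, 128 Mb limit, 128 Mb default limit, 0 Mb max memory
0 compile failures, 0 priming failures
Overflows: L1 3
Tl: 871Kb
"""

SECTION = re.compile(r"Compiled ACL statistics for (\S+):")
LIMITS = re.compile(r"(\d+) mem limits, (\d+) Mb limit, (\d+) Mb default limit, (\d+) Mb max memory")
FAILS = re.compile(r"(\d+) compile failures, (\d+) priming failures")
TOTAL = re.compile(r"Tl:\s*(\d+)Kb")
KEYS = ("mem_limits", "limit_mb", "default_mb", "max_mb")

def parse_compiled(text):
    """Return {section: counters} for each 'Compiled ACL statistics' block."""
    stats, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            cur = stats.setdefault(m.group(1), {"overflows": 0})
        elif cur is None:
            continue  # ignore anything before the first section header
        elif m := LIMITS.search(line):
            cur.update(zip(KEYS, map(int, m.groups())))
        elif m := FAILS.search(line):
            cur["compile_failures"], cur["priming_failures"] = map(int, m.groups())
        elif line.startswith("Overflows:"):
            cur["overflows"] = sum(int(n) for n in re.findall(r"L\d+ (\d+)", line))
        elif m := TOTAL.search(line):
            cur["total_kb"] = int(m.group(1))
    return stats

def review(stats):
    """List per-section findings; flagging non-zero counters is an assumption."""
    notes = []
    for name, s in stats.items():
        if s.get("limit_mb") != s.get("default_mb"):
            notes.append(f"{name}: limit {s['limit_mb']} Mb differs from default {s['default_mb']} Mb")
        if any(s.get(k) for k in ("mem_limits", "compile_failures", "priming_failures")):
            notes.append(f"{name}: non-zero mem limits or compile/priming failures")
        if s.get("overflows"):
            notes.append(f"{name}: {s['overflows']} table overflows")
    return notes

if __name__ == "__main__":
    print("\n".join(review(parse_compiled(SAMPLE))))
```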
Feature Information for Turbo ACL Scalability Enhancements

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Glossary

Access Control List -- A list kept by routers to control access to or from the router for a number of services.

NSE -- Network services engine. The Cisco 7304 router has two types of processor, the NSE and the network processing engine (NPE). Two versions of the NSE exist, the NSE-100 and the NSE-150.

RP -- Route Processor. One of two processing paths on a Cisco 7304 router using an NSE, with the Parallel eXpress Forwarding path being the other path. All traffic not supported in the PXF path on a Cisco 7304 router using an NSE is forwarded using the RP path.

Turbo Access Control Lists -- A Turbo Access Control list is an access list that more expediently processes traffic by compiling the ACLs into a set of lookup tables while still maintaining the match requirements.

PXF -- Parallel eXpress Forwarding. One of two processing paths on a Cisco 7304 router using an NSE, with the Route Processor (RP) path being the other path. The PXF processing path is used to accelerate the performance for certain supported features.