Mailing List Archive

Using outbound ACLs on JetCore modules
All:

We have recently switched from IronCore to JetCore modules. Back when we
were running IronCore, it was advised that we try to use only inbound
ACLs and not outbound ACLs as outbound ACLs placed more work on the box.
(I vaguely remember the person explaining to me that an outbound ACL
basically made an inbound ACL on all interfaces)

Is this still the case with JetCore? Or was I misled in the first place?

Devon
Using outbound ACLs on JetCore modules
All:

Follow-up to myself in case anyone searching the foundry-nsp archives is
curious about this issue. :) A couple of people sent me emails privately.

----------

That was the case with IronCore. (At least, I heard the same story as
you.)

It was also the case with JetCore and was supposedly fixed in the early
parts of the 7.6.3 train and later.

I haven't tested it though.

----------

Hello,

With JetCore, outbound ACLs are copied to inbound ACLs on all other
ports, so they use a lot more CAM space.

I believe the IronCore chipset hasn't this disadvantage. On the other
hand, ACLs on JetCore are wirespeed.

----------

I looked at the release notes for the various software releases and
found this entry in the 7.6.01 release notes:

"CPU Processing for Outbound ACLs Applies Only to a Traffic Flow Whose
Destination Address Matches an ACL Entry

NOTE: This enhancement applies to flow-based ACLs and hardware-based
ACLs on Layer 3 Switches. The enhancement does not apply to Layer 2
Switches.

In previous releases, if you applied an outbound ACL to an interface,
the device sent all inbound traffic to the CPU for processing, before
forwarding the traffic to the outbound interfaces. In 07.6.01, if an
interface has an outbound ACL, the device sends traffic that needs to be
forwarded out that interface to the CPU for processing only if the
packet's destination IP address matches the destination address in an
outbound ACL on the interface. Otherwise, the traffic can be forwarded
in hardware."

I am still curious to know if anyone has applied outbound ACLs on
JetCore modules running software >=7.6.01 and seen any CPU/CAM problems.

Devon
