 Feedback
|
Table Of Contents
Access List Performance Improvements for Cisco 12000 Gigabit Switch Routers
Hardware ACL Acceleration on Engine 1 Line Cards
ACL Performance Improvement on Engine 2 Line Cards
Configure ACL Performance Improvement on Engine 1-type Line Cards
Configure ACL Performance Improvement on Engine 2-type Line Cards
Verifying ACL Performance Improvement Configuration on Engine 1 Line Cards
Monitoring and Maintaining ACL Performance Improvements
Gigabit Ethernet Line Card (Engine 1)
QOC-12 ATM Line Card (Engine 2)
Access List Performance Improvements for Cisco 12000 Gigabit Switch Routers
Feature Overview
Access list (ACL) performance improvements are provided for two types of Cisco 12000 line cards:
•
Line cards using engine 1 architecture
•
The ACL performance improvement is implemented in a slightly different way depending on the line card type. Engine 1 line cards achieve ACL performance improvement strictly through hardware, using an improved ASIC design. Engine 2 line cards use a microcode enhancement in the packet switch ASIC (PSA) . lists the line cards and the ACL performance improvement type.
Benefits
ACL performance improvement requires separate solutions for the two line card types.
Hardware ACL Acceleration on Engine 1 Line Cards
Prior to hardware ACL acceleration, access lists were processed by the line card CPU. Access list processing occurred one entry at a time. In other words, the entire access list must be scanned one line at a time for each incoming packet. List processing performance is proportional to the number of ACL entries in the list. As access list size increases, performance degrades.
The first level of improvement was to add compiled ACL support for the line cards. Compiled ACLs rely on a compiled access list, and use lookup tables in the software to improve overall ACL processing speed. No special hardware improvements are required to support compiled ACLs. However, compiled ACLs still rely on CPU processing and can affect performance.
Implementing ACL processing in the hardware (the SALSA ASIC) increases packet switching performance. On engine 1 line cards, the line card CPU is no longer burdened with ACL processing.
ACL Performance Improvement on Engine 2 Line Cards
The situation is different for engine 2 line cards. Instead of being implemented directly in the ASIC design, engine 2 line cards rely on microcode for the PSA to achieve ACL performance improvement.
While engine 2 line cards perform very high speed forwarding by using a combination of microcode and hardware lookups, the line cards cannot apply ACLs because the line card CPU is not involved in packet forwarding path. Without the microcode enhancements in the PSA, access lists are not applied at all.
Restrictions
ACL performance improvement for engine 1 line cards is subject to the following restrictions:
•
•
•
ACL performance improvement for engine 2 line cards is subject to the following restrictions. If these limitations are not met, packets are not processed by the PSA microcode. Instead, they are processed by the line card CPU:
•
•
•
•
•
•
•
•
•
•
•
•
Platforms
This feature is supported on the following Cisco 12000 series routers:
•
•
•
This feature is supported on the following Cisco 12000 line cards (see ):
•
•
Prerequisites
You must be running Cisco IOS Release 12.0(10)S or a later version of Cisco IOS Release 12.0 S.
Supported MIBs and RFCs
None.
Configuration Tasks
Perform the following tasks to configure ACL performance improvement on an interface:
•
•
Configure ACL Performance Improvement on Engine 1-type Line Cards
To configure ACL performance improvement on an engine 1 line card, perform the following task in global configuration mode:
1
Enables ACL performance improvement on all engine 1 line cards.
Configure ACL Performance Improvement on Engine 2-type Line Cards
To configure ACL performance improvement on an engine 2 line card and enable ACL on input and output interfaces, perform the following task in global configuration mode:
1
Enables ACL performance improvement and ACL output processing on all engine 2 line cards.
Verifying ACL Performance Improvement Configuration on Engine 1 Line Cards
Use the following execute on slot EXEC commands to view and verify the performance improvement operations on engine 1-type line cards:
•
If the output shows Revision number (Rev) 4, or greater, the linecard has the Rev 4 SALSA ASIC and supports ACL performance improvement.
•
This command shows which fields in the TCP/IP header are used for hashing and the average number of nodes for typical types of traffic (for example, TCP, WWW, UDP).
The displayed Rev 4 SALSA ACL hardware lookup registers include Config register, which shows whether Rev 4 SALSA ACL is enabled.
The per packet registers show details of the ACL node visited by the last packet and the number of nodes traversed by the ACL hardware for the ACL lookup.
The Rev 4 SALSA ACL counters display the number of packets with and without errors. These counters are cleared by the clear access-list counters on the linecard.
•
For each entry in the hash table, this shows the ACL tree of nodes. All nodes in successive match branch in the ACL tree are consecutively displayed. At the end of the match branch (STOP node), it recursively displays all the nodes in the miss branch of the starting node. It also shows the total number of ACL nodes and the current allocated nodes.
Use this command sparingly for large ACLs (100+ lines) because of the large number of nodes displayed when used with execute on slot slot-number.
To display a single entry in the ACL hash table—for example, by looking at a given packet and choosing bits in the TCP/IP header based on the ACL hash bits in show access-list hardware— use the following command:
execute on slot slot show access-list hardware port-number detail index index-val
•
This command displays the ACL hardware register, status and counters as in "show access-list hardware port-number" and also error details such as ACL node and timestamp, that will show the history/log of errors.
•
This command displays the ACL state and additional details for engine 2-type line cards.
Monitoring and Maintaining ACL Performance Improvements
Router# execute on slot slot clear access-list countersClears the ACL hardware counters.
Configuration Examples
This section provides the following configuration examples:
•
•
Gigabit Ethernet Line Card (Engine 1)
The following configuration example shows how to enable ACL performance improvements on all Gigabit Ethernet line cards (engine 1) in a GSR:
access-list hardware salsaQOC-12 ATM Line Card (Engine 2)
The following configuration example shows how to enable ACL performance improvements on all QOC-12 ATM line cards (engine 2) in a GSR:
access-list hardware psa
Note
Command Reference
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command references.
access-list hardware
To configure line cards in a Cisco 12000 GSR to use access list (ACL) performance improvements, use the access-list hardware global configuration command. Use the no form of this command to disable ACL performance improvements
[no] access-list hardware {salsa | psa }
Syntax Description
salsa
Enables ACL performance improvements on engine 1 line cards.
psa
Enables ACL performance improvements on engine 2 line cards.
Defaults
No default behavior or values.
Command Modes
Global
Command History
Usage Guidelines
You must use this command to enable the ACL performance enhancements on the engine 1 or engine 2 line cards. lists the line cards and the ACL performance improvement type. Using this command has no effect when non-supported line cards are installed in the GSR.
Note
Examples
The following example enables ACL performance improvements on all Gigabit Ethernet line cards (engine 1-type) in a GSR:
access-list hardware salsaRelated Commands
None
show access-list psa summary
To display the state of the ACL and list summary information on engine 2-type line cards in a Cisco 12000 GSR, use the show access-list psa summary line card command.
show access-list psa summary
Syntax Description
None
Defaults
No default behavior or values.
Command Modes
Line card
Command History
Usage Guidelines
Use the execute on slot EXEC command to selet which line card will run the show access-list psa summary command.
Examples
The following example displays PSA ACL information for an engine 2-type line card in a GSR:
router# execute on 4 show access-list psa summaryPSA ACL Configured:yes, Running:yesAccess list limits:4 ingress, 5 egress (max 128 lines each)ACL in microcode configured in input direction (Input ACL microcode loaded)Input interface:0 1 2 3ACL total lines:1 0 0 0Lines on cpu: 0 0 0 0Access List : 150 - - -Run state: mic off off offTotal ACL memory allocated. PLU:5120 KBytes TLU:16 KBytes SRAM:8 KBytesMtrie prefixes with access lists. Src:1 Dst :2TLU memory used for prefixes:0 KbytesACL Timing StatisticsList Changes:1 Average Time taken:492.0msInput Interface Changes:0Output Interface Changes:0Times microcode loaded. ACL:1 Other:0Related Commands
None
Debug Commands
This section documents new or modified debug commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command references.
•
debug ip access-list hardware
To display debug messages for the ACL hash table and the number of nodes for each ACL line, use the debug ip access-list hardware privileged EXEC command. Use the no form of the command to disable debugging output.
[no] debug ip access-list hardware
Syntax Description
This command has no arguments or keywords.
Defaults
Debugging for IP access hardware is not enabled.
Command History
Usage Guidelines
This command is for engine 1 line cards only.
Examples
The following example shows output when a hash table is built and you use the debug ip access-list hardware command.
example to be suppliedRelated Commands
debug ip access-list detail
Displays debug messages for every node in the ACL hash table.
debug ip access-list lookup
Displays debug messages on a per packet basis.
debug ip access-list detail
To display debug messages for the every node for each ACL line in the hash table, use the debug ip access-list detail privileged EXEC command. Use the no form of the command to disable debugging output.
[no] debug ip access-list detail
Syntax Description
This command has no arguments or keywords.
Defaults
Debugging for IP access hardware is not enabled.
Command History
Usage Guidelines
This command is for engine 1 line cards only.
Examples
The following example shows output when a hash table is built and you use the debug ip access-list detail command.
example to be suppliedRelated Commands
debug ip access-list hardware
Displays debug messages for the ACL hash table.
debug ip access-list lookup
Displays debug messages on a per-packet basis
debug ip access-list lookup
To display debug messages for the every node for each ACL line in the hash table, use the debug ip access-list lookup privileged EXEC command. Use the no form of the command to disable debugging output.
[no] debug ip access-list lookup
Syntax Description
This command has no arguments or keywords.
Defaults
Debugging for IP access hardware is not enabled.
Command History
Usage Guidelines
This command is for engine 1 line cards only.
Examples
The following example shows output when a hash table is built and you use the debug ip access-list lookup command.
example to be suppliedRelated Commands
debug ip access-list hardware
Displays debug messages for the ACL hash table.
debug ip access-list detail
Displays debug messages on a per-packet basis
