topic extended acl - multiple ports on same acl line in Network Security

extended acl - multiple ports on same acl line

andrewswanson — Mon, 11 Mar 2019 22:35:38 GMT

hello
i'm working on a (long) acl and have started looking at putting multiple ports on the same line

e.g.

instead of:

ip access-list extended test3
permit tcp any host 10.10.10.1 eq 80
permit tcp any host 10.10.10.1 eq 443

i'd use:

ip access-list extended test3
permit tcp any host 10.10.10.1 eq 80 443

its shortening the acl considerably but the question is:

does this method reduce the TCAM resources required (compared to writing the acl in long hand)?
what are the maximum number of ports that can be included on the same line - is it platform/ios dependant?

thanks
andy

extended acl - multiple ports on same acl line

tpfrankli — Mon, 03 Mar 2014 17:37:38 GMT

Did you ever get an answer to this? I'm actualy curious about this as I'm using ACLs for QoS templates and this could greatly reduce the number of lines needed.

~~~
Rate helpful posts
Blog - http://tripplehelix.net

extended acl - multiple ports on same acl line

andrewswanson — Mon, 03 Mar 2014 18:38:03 GMT

Hello

No. I went ahead with the acl with multiple ports in each ACE and it worked fine. It was deployed on an old WS-C3750G-24PS-E and worked pretty well. When I checked the tcam on the switch I got the following output:

Cisco3750#show platform tcam utilization

CAM Utilization for ASIC# 0 Max Used
Masks/Values Masks/values

IPv4 security aces: 1024/1024 33/33

Note: Allocation of TCAM entries per feature uses
a complex algorithm. The above information is meant
to provide an abstract view of the current TCAM utilization

As there were other ACLs on the switch it was difficult to gauge if the multiple ports per ACE approach to ACLs actually saved any TCAM resources. If you find anything out post back - I'd be interested to hear.

thanks

Andy