02-27-2012 01:27 PM - edited 03-11-2019 03:35 PM
Hello,
I'm working on a (long) ACL and have started looking at putting multiple ports on the same line,
e.g.
instead of:
ip access-list extended test3
permit tcp any host 10.10.10.1 eq 80
permit tcp any host 10.10.10.1 eq 443
I'd use:
ip access-list extended test3
permit tcp any host 10.10.10.1 eq 80 443
It's shortening the ACL considerably, but the question is:
Does this method reduce the TCAM resources required (compared to writing the ACL in longhand)?
What is the maximum number of ports that can be included on the same line - is it platform/IOS dependent?
Thanks,
Andy
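An added example, not code from the thread: a small Python script that performs the merge Andy describes, collapsing only consecutive ACEs that differ solely in their `eq` port, so the ACL's first-match evaluation order is unchanged. The sample ACL is constructed, and `max_ports` is an assumed per-ACE cap, since the thread notes the real limit is platform/IOS dependent.

```python
import re

# Constructed sample input (not from the post): a long-hand extended ACL.
LONGHAND = """\
ip access-list extended test3
 permit tcp any host 10.10.10.1 eq 80
 permit tcp any host 10.10.10.1 eq 443
 permit tcp any host 10.10.10.1 eq 8080
 permit udp any host 10.10.10.1 eq 53
 deny tcp any host 10.10.10.1 eq 23
 permit tcp any host 10.10.10.1 eq 22
"""

# indent, action, protocol, source/destination clause, single port after 'eq'
ACE_RE = re.compile(r"^(\s*)(permit|deny)\s+(tcp|udp)\s+(.+?)\s+eq\s+(\d+)\s*$")


def compact_acl(text, max_ports=10):
    """Merge *consecutive* ACEs that differ only in their 'eq' port into one
    ACE listing several ports. Non-adjacent entries are never merged, because
    an intervening ACE (e.g. a deny) could change which entry matches first.
    max_ports is an assumed per-ACE limit; the real cap is platform/IOS
    dependent, so set it for your platform."""
    out = []
    key = None      # (indent, action, proto, addr) of the group being built
    ports = []

    def flush():
        if key is None:
            return
        indent, action, proto, addr = key
        # split an over-long port list across several ACEs
        for i in range(0, len(ports), max_ports):
            out.append(f"{indent}{action} {proto} {addr} eq "
                       + " ".join(ports[i:i + max_ports]))

    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m and key == m.group(1, 2, 3, 4):
            ports.append(m.group(5))    # same group: collect the port
            continue
        flush()
        if m:
            key, ports = m.group(1, 2, 3, 4), [m.group(5)]
        else:
            key, ports = None, []
            out.append(line)            # header or unrecognised line passes through
    flush()
    return out
```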
03-03-2014 09:37 AM
Did you ever get an answer to this? I'm actually curious about this as I'm using ACLs for QoS templates and this could greatly reduce the number of lines needed.
~~~
Rate helpful posts
Blog - http://tripplehelix.net
03-03-2014 10:38 AM
Hello,
No. I went ahead with the ACL with multiple ports in each ACE and it worked fine. It was deployed on an old WS-C3750G-24PS-E and worked pretty well. When I checked the TCAM on the switch I got the following output:
Cisco3750#show platform tcam utilization
CAM Utilization for ASIC# 0 Max Used
Masks/Values Masks/values
..
IPv4 security aces: 1024/1024 33/33
Note: Allocation of TCAM entries per feature uses
a complex algorithm. The above information is meant
to provide an abstract view of the current TCAM utilization
As there were other ACLs on the switch it was difficult to gauge whether the multiple-ports-per-ACE approach to ACLs actually saved any TCAM resources. If you find anything out, post back - I'd be interested to hear.
Thanks,
Andy