What switching method allows pkts hitting an ACL to NOT be process switched?

jkeeffe
Level 2

wolfrikk
Level 3

Using the ip route-cache command will enable fast switching and disable process switching, but that applies to everything, not just the ACL.

Thanks. So to be clear, any interface that has fast switching enabled, and has an ACL applied to it, will fast switch all packets?

Does this pertain to in-bound as well as out-bound ACLs?

This process is independent of ACLs. The router will run the packet through the ACL until it makes a match in the ACL, or it drops the packet. If the packet passes the ACL to be routed, and fast switching is turned on, the router looks in the IP route cache to see if there is a cached route. If there is, it sends the packet using that route. If fast switching is disabled, the router will process switch each packet. I hope that clears things up. Let me know if it doesn't.

Thanks for the explanation. I was confused because I remember being told that originally ALL packets that hit an ACL were process switched no matter what switching method was being used.

I don't believe that applies to fast switching. There are some other switching types used on some of the higher end routers that work differently. Some of the other switching modes have their own processor, so if there is a cached route, it never hits the main router processor. I will have to check further, but I am pretty sure that packets that go through ACLs can be process or fast switched.

If you could do a little checking just to make sure I'd appreciate it.

scottmac
Level 10

Just for the sake of getting it out on the table...

EVERY new flow - regardless of content, ACL, filters, etc - will hit the processor the first time through. It has to be "looked at" at least once to see all the who's, where's, and when's ...

You may be looking for something like MLS (Multi-Layer Switching). Using either an on-board router, or external router (specific models of routers and switches are required) the flow is examined the first time by process switching, if the (user-defined) traffic threshold is crossed, the flow is cached (in the switch) and fast-switched. You can define several levels from "anything from point A to Point B" down to "this specific application, from this specific source, going to this specific destination using this specific port (etc) ..."

Run a search on MLS, I'm pretty sure this is what you're looking for ...

Good Luck

Scott

I agree with Scott. Some ASIC hardware will take load / CPU interrupts away from the main CPU - your goal. Be aware that the "route once, switch many" switching method with ACLs can leave holes in your security if not done correctly. For example, you may deny www and allow telnet on a particular ACL source to destination. Once a telnet cache is created, the user could use www without being checked.

What is your hardware setup?

Nic.
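To make the hole Nic describes concrete, here is an added toy model (not code from this thread or from Cisco): an ACL that permits telnet and denies www sits in front of a flow cache, and the only difference between the two runs is what the cache entry is keyed on. Hosts, ports and the ACL are constructed for the illustration.

```python
"""Toy model of 'route once, switch many' with an ACL in front of a flow cache.

Constructed example: a cache keyed on (src, dst) only lets later packets skip
the ACL once any flow between the pair is cached; keying the cache on the full
(src, dst, proto, dport) tuple makes the www packet go through the ACL.
"""
from dataclasses import dataclass, field
from typing import Callable, Set, Tuple

# Constructed ACL: permit telnet (23), deny www (80), implicit deny otherwise.
ACL = [("permit", 23), ("deny", 80)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def acl_permits(pkt: Packet) -> bool:
    """First matching entry wins; no match falls through to implicit deny."""
    for action, port in ACL:
        if pkt.dport == port:
            return action == "permit"
    return False


@dataclass
class Router:
    key_fn: Callable[[Packet], Tuple]          # how a cache entry is keyed
    cache: Set[Tuple] = field(default_factory=set)

    def forward(self, pkt: Packet) -> str:
        key = self.key_fn(pkt)
        if key in self.cache:
            return "fast"        # cache hit: the ACL is never consulted
        if not acl_permits(pkt):  # first packet of a flow is process switched
            return "dropped"
        self.cache.add(key)
        return "process"


def coarse_key(pkt: Packet) -> Tuple:
    return (pkt.src, pkt.dst)                       # "point A to point B"


def flow_key(pkt: Packet) -> Tuple:
    return (pkt.src, pkt.dst, pkt.proto, pkt.dport)  # specific application


def run(key_fn: Callable[[Packet], Tuple]) -> list:
    """Telnet twice, then www, from the same host pair (constructed addresses)."""
    r = Router(key_fn)
    telnet = Packet("10.0.0.5", "10.0.1.9", "tcp", 23)
    www = Packet("10.0.0.5", "10.0.1.9", "tcp", 80)
    return [r.forward(telnet), r.forward(telnet), r.forward(www)]
```

With the coarse key the third result is "fast": the denied www packet rides the telnet cache entry, which is exactly the bypass described above; with the per-flow key it is "dropped".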
