How Do Routers Handle Access Lists

WGL_BK (Level 1)

Hi, all. Just a quick basic question. I'm aware of how L3 switches handle standard and extended access lists, where the entries are used to populate the TCAM and multiple ACEs can be processed simultaneously. I'm not sure how routers carry out their processing of ACLs, or if they're handled in hardware as seen with a switch. Specifically 1941 and 4330 models, if there's any variation. I'm hoping someone can inform me or provide some documentation for me to educate myself. 


7 Replies

Thank you, Balaji. I'll get to reading through this.

Joseph W. Doherty (Hall of Fame)
Generally, on the smaller routers, everything is done by the main CPU, without hardware support. (Larger, or more powerful, routers [e.g. 7300 vs. 7200], have some additional hardware to accelerate some functions - some of the largest "routers" are/were really L3 switches, with more functions [e.g. 7600 vs. 6500].)

On those routers, doing everything in software, something like ACLs, might be done in some way to "optimize" how they are processed. Or, on some routers, starting with the 7200 series, they had an optional "compile" ACL function, which was supposed to greatly increase performance for long ACLs. (Much of such optimization is likely considered proprietary.)

Ah, thank you for the explanation, Joseph. I was hoping to find exactly how the 4331 router did it, but I've had no luck thus far. Is it safe to assume that if there's no way to configure the SDM on a device, then that device does not use hardware based TCAM?

A device not supporting a SDM template doesn't ensure there's not any TCAM. What the SDM does, is tell the device how you would like the TCAM resources allocated (among vendor allowed choices).

Again, how Cisco, for something like a 4331 actually/exactly does ACL processing, is likely considered proprietary, which if so, would very much explain why you cannot find any documentation on that.

The CPU would likely do some boolean operation(s) between the packet vs. the ACL. Again, if Cisco is clever, they might "optimize" how the comparison is actually done. For example, given:

access-list 10 deny host 192.168.1.0
access-list 10 deny host 192.168.1.1
access-list 10 deny host 192.168.1.2
access-list 10 deny host 192.168.1.3
access-list 10 deny host 192.168.1.4
access-list 10 deny host 192.168.1.5
access-list 10 deny host 192.168.1.6
access-list 10 deny host 192.168.1.7

There's eight ACEs, in the above ACL, but they can be done as one ACE, as:

access-list 10 deny 192.168.1.0 0.0.0.7

Doing one operation rather than eight, should be eight times faster. One question would be, is the IOS "smart enough" to automatically do just the one operation rather than the eight?

Or given:

access-list 10 deny host 192.168.1.2
access-list 10 deny host 192.168.1.3
access-list 10 deny host 192.168.1.4
access-list 10 deny host 192.168.1.5
access-list 10 deny host 192.168.1.6
access-list 10 deny host 192.168.1.7

This could be done as:

access-list 10 permit 192.168.1.0 0.0.0.1
access-list 10 deny 192.168.1.0 0.0.0.7

Two operations are better than six. Again, does the IOS figure this out?

Of course, you can (perhaps) optimize ACL processing, by providing the ACL with optimal ACEs.

That aside, as noted in my other post, what you would do would be compare the packet's source IP, with the information in the ACE.

For example, if a packet had a source IP of 192.168.1.3, depending on the ACE you would logically compare that source IP with both the address and mask values in the ACE, determining if there's a match. A source IP of 192.168.1.3 would match host 192.168.1.3 or 192.168.1.0 0.0.0.7.

Understand, also, what boolean operations some hardware provides (to the CPU) can impact the actual "how" for some operations.

Thank you again, Joseph. You've been most helpful.

Oh, my examples were simple, but the two boolean operators used, for actually matching a packet's attributes (in my examples, just source IP address) against an ACE are (I believe) the boolean And and Xor operators.

To see how the IOS, or you, could combine multiple ACEs into one, you might read: https://www.imedita.com/blog/wildcard-masks.
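The following is an added illustration, not code from this thread or from Cisco, of the software-side matching Joseph describes: each ACE is reduced to an address and a wildcard mask, a packet's source IP is tested with XOR (which bits differ) and AND with the inverted wildcard (which of those bits the ACE actually cares about), and ACEs are walked in order until the first match, with an implicit deny at the end. It also shows the wildcard-mask combining discussed above: a run of `host` entries collapses to one ACE only when the addresses form an aligned block whose size is a power of two, which is why the eight-host list becomes `192.168.1.0 0.0.0.7` but the six-host list needs the two-line permit/deny rewrite instead. The sample ACL text is constructed here and mirrors the thread's examples; the function names are my own.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample standard ACL, echoing the thread's second example
# plus one extra host entry. Not a real device configuration.
SAMPLE_ACL = """
access-list 10 permit 192.168.1.0 0.0.0.1
access-list 10 deny 192.168.1.0 0.0.0.7
access-list 10 permit host 10.0.0.5
"""

Ace = Tuple[str, int, int]  # (action, address as int, wildcard as int)


def to_int(dotted: str) -> int:
    """Convert dotted-quad notation to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one 'access-list N permit|deny ...' line into (action, addr, wildcard).

    'host A' is A with wildcard 0 (every bit significant); 'any' is wildcard
    all-ones (no bit significant); 'A W' uses the explicit wildcard W.
    """
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        return None
    action = parts[2]
    if parts[3] == "host":
        return action, to_int(parts[4]), 0
    if parts[3] == "any":
        return action, 0, 0xFFFFFFFF
    wildcard = to_int(parts[4]) if len(parts) > 4 else 0
    return action, to_int(parts[3]), wildcard


def parse_acl(text: str) -> List[Ace]:
    """Parse an ACL body, skipping blank or unrecognised lines."""
    return [ace for ace in (parse_ace(l) for l in text.splitlines()) if ace]


def ace_matches(ip: int, addr: int, wildcard: int) -> bool:
    """The two boolean operations: XOR marks differing bits, AND with the
    inverted wildcard keeps only the bits the ACE cares about. A match is
    when nothing survives."""
    return ((ip ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(acl: List[Ace], src_ip: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, 1-based ACE number that hit),
    or ('deny', None) for the implicit deny at the end of every ACL.
    The ACE number doubles as the count of comparisons performed."""
    ip = to_int(src_ip)
    for number, (action, addr, wildcard) in enumerate(acl, start=1):
        if ace_matches(ip, addr, wildcard):
            return action, number
    return "deny", None


def collapse_hosts(hosts: List[str]) -> Optional[Tuple[str, str]]:
    """Combine a list of host addresses into a single (address, wildcard) ACE.

    Only possible when the set is a contiguous, aligned block of 2^k
    addresses: then wildcard = 2^k - 1 and the base has those low bits clear.
    Returns None when no single wildcard ACE covers exactly these hosts.
    """
    ints = sorted(set(to_int(h) for h in hosts))
    count = len(ints)
    if count == 0 or count & (count - 1):      # not a power of two
        return None
    wildcard = count - 1
    base = ints[0]
    if base & wildcard:                         # block not aligned on its size
        return None
    if ints != list(range(base, base + count)): # gaps inside the range
        return None
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wildcard))


ACL = parse_acl(SAMPLE_ACL)

if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.1.5", "192.168.1.8", "10.0.0.5"):
        print(ip, "->", evaluate(ACL, ip))
    eight = ["192.168.1.%d" % i for i in range(8)]
    six = ["192.168.1.%d" % i for i in range(2, 8)]
    print("eight hosts collapse to:", collapse_hosts(eight))
    print("six hosts collapse to:", collapse_hosts(six))
```

Running it shows the per-packet cost the thread is talking about: a source of 192.168.1.1 is decided by the first ACE, 192.168.1.5 by the second, and an unmatched source such as 192.168.1.8 falls through every entry before hitting the implicit deny. Whether a given IOS image performs this reduction for you is the open question in the thread; the collapsing function is only a way to check by hand which rewrites are valid before you shorten an ACL yourself.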
