Solved: Re: Most frequently hit ACE on the top of ACL?

JaySu · ‎08-31-2019

Hi there,

I learned from CCNA that we had better put the most frequently hit ACEs on the top of the ACL to prevent unnecessary matching before hit. However, I read some material and found that TCAM is used for ACL matching. One of the advantage of CAM/TCAM is that they provide parallel searching. Does that mean we don't really need to put the most frequently hit ACEs on the top when the switch is equipped with TCAM for ACL?

Richard Burts · ‎09-01-2019

The advice to put the entry with the most hits at the top of the access list was based on the behavior of IOS routers which do a sequential search. As devices have gotten smarter and gotten more hardware assists, and especially as switches develop technology such as TCAM it becomes less important to have that entry at the top of the access list.

Having said that, I will say that I believe that it is still good advice to have the entry with the most hits at the top of the access list, especially if the access list is at all complicated. If that entry is first then you are sure that it will be executed. If that entry comes lower in the list then there is some possibility that an error in the logic of the access list might prevent that entry from executing.

HTH

Rick

HTH

Rick

View solution in original post

Joseph W. Doherty · ‎09-01-2019

Correct.

On such switches, the concern is running out of TCAM, i.e. insufficient resources to contain the whole ACL.

Richard Burts · ‎09-01-2019

The advice to put the entry with the most hits at the top of the access list was based on the behavior of IOS routers which do a sequential search. As devices have gotten smarter and gotten more hardware assists, and especially as switches develop technology such as TCAM it becomes less important to have that entry at the top of the access list.

Having said that, I will say that I believe that it is still good advice to have the entry with the most hits at the top of the access list, especially if the access list is at all complicated. If that entry is first then you are sure that it will be executed. If that entry comes lower in the list then there is some possibility that an error in the logic of the access list might prevent that entry from executing.

HTH

Rick

HTH

Rick

Joseph W. Doherty · ‎09-02-2019

BTW, as Rick mentions routers, concerning them, some offered a feature known as Turbo ACLs. When that's enabled, it also mitigates the impact of large ACLs. (I.e., indirectly negating some of the advantage of placing ACEs with the highest match counts toward the top of the ACL.)

Also BTW, to clarify Rick mentioning having frequently "hit" ACEs at the top of the ACL, do understand he really means toward the top is also assuming doing so maintains your decision logic. I.e. you might not be able to order your ACEs in overall hit frequency while maintaining your decision logic. However, even when you cannot do that for your overall ACL, you can still often can order the most frequently matched ACEs in "groups".

JaySu · ‎09-01-2019

Thanks for your reply, Joseph and Rick.

Richard Burts · ‎09-01-2019

You are quite welcome. I am glad that our comments have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This has been an interesting discussion, especially in terms of thinking about the progression of devices with process switching/sequential search to devices with hardware assist/TCAM and how advice about arranging the order of access list entries has changed/not changed. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

HTH

Rick