cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2281
Views
0
Helpful
1
Replies

Question about LOU resources in Nexus 7K

j.dyer
Level 1
Level 1

I'm working with a customer to implement a Nexus 7k route/switch infrastructure for a datacenter as a migration path from a 6500 based infrastructure.   They make considerable use of access lists to segment and manage traffic access to/from different server networks. 

One of the things we want to make sure is that we don't have resource issues when converting over to the new infrastructure.  I'm having a hard time finding documentation on how the Nexus 7000 family stores and processes access lists, particularly those cases where ranges of ports are used.   The only thing I can find is in the security command reference it states that there are 104 LOUs total, and which operators use 1/2 LOU and that ranges = 1 LOU. 

To test it, we created three access lists, each one with 2 range port entries & a couple LT & a couple GT port entries.  When we applied the access list to interfaces, we took a look at resource utilization & it didn't show what we expected.  If each entry takes 1/2 or 1 LOU we would have expected about 10 LOUs used, we saw an increase of 2.

Is there any better documentation on how the resources are used -- or any document that compares/contrasts its use vs the 6500 family?

Thanks!
John

1 Accepted Solution

Accepted Solutions

Mike Pavlovich
Cisco Employee
Cisco Employee

I do not know of a detailed Nexus 7000 ACL doc outside of the config guide but here are some points that might help…


-If the same LOU (for example the 1/2 LOU used by "gt 10") is used in multiple different rules then the LOU is shared by all of them
-If the same 1/2 LOU (for example "gt 10") is used for a source and destination port then a full LOU is used, however, subsequent rules using the same LOU will share that LOU entry

So in your testing if you reused the same range, LT, & GT entries in your 3 test acls that might explain why you saw 2 LOUs used instead of the expected 10. Use "show hardware access-list resource utilization" to check the LOU utilization for each module as it may vary depending on whether a given ACL needs to be programmed in every module:

-Input RACLs are programmed only on the forwarding engines of those line cards having at least a member of the programming interface
-Egress policies are generally programmed to all the forwarding engines. However if the interface belongs to a VDC the egress policy are programmed only in linecards that have ports belonging to the corresponding VDC
-LOUs with same port operations can be globally shared even across VDC

Also note:

-by default the Nexus 7000 uses "atomic updates" to provide hitless acl hardware programing update due to a config change. Part of this process is to ensure that the acl is only applied to hardware once we check that it will fit.

-the "Session Manager" feature can be used to help manage acl deployments where resource usage is a concern.

See reference links below:

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5.x_chapter14.html#con_1458461

-If the operator or operand differs from other operator-operand couples that are used in other rules, the couple is stored in an LOU.
For example, the operator-operand couples "gt 10" and "gt 11" would be stored separately in half an LOU each. The couples "gt 10" and "lt 10" would also be stored separately.
-Whether the operator-operand couple is applied to a source port or a destination port in the rule affects LOU usage. Identical couples are stored separately when one of the identical couples is applied to a source port and the other couple is applied to a destination port.
For example, if a rule applies the operator-operand couple "gt 10" to a source port and another rule applies a "gt 10" couple to a destination port, both couples would also be stored in half an LOU, resulting in the use of one whole LOU. Any additional rules using a "gt 10" couple would not result in further LOU usage.

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5.x_chapter14.html#concept_945210FB9986499285C6A00065105AC9

By default, when a supervisor module of a Cisco Nexus 7000 Series device updates an I/O module with changes to an ACL, it performs an atomic ACL update. An atomic update does not disrupt traffic that the updated ACL applies to; however, an atomic update requires that an I/O module that receives an ACL update has enough available resources to store each updated ACL entry in addition to all pre-existing entries in the affected ACL. After the update occurs, the additional resources used for the update are freed. If the I/O module lacks the required resources, the device generates an error message and the ACL update to the I/O module fails.

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5.x_chapter14.html#con_1479325

Session Manager supports the configuration of IP and MAC ACLs. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration. For more information about Session Manager, see the Cisco Nexus 7000 Series NX-OS                       Security Configuration Guide, Release 5.x.

Mike

View solution in original post

1 Reply 1

Mike Pavlovich
Cisco Employee
Cisco Employee

I do not know of a detailed Nexus 7000 ACL doc outside of the config guide but here are some points that might help…


-If the same LOU (for example the 1/2 LOU used by "gt 10") is used in multiple different rules then the LOU is shared by all of them
-If the same 1/2 LOU (for example "gt 10") is used for a source and destination port then a full LOU is used, however, subsequent rules using the same LOU will share that LOU entry

So in your testing if you reused the same range, LT, & GT entries in your 3 test acls that might explain why you saw 2 LOUs used instead of the expected 10. Use "show hardware access-list resource utilization" to check the LOU utilization for each module as it may vary depending on whether a given ACL needs to be programmed in every module:

-Input RACLs are programmed only on the forwarding engines of those line cards having at least a member of the programming interface
-Egress policies are generally programmed to all the forwarding engines. However if the interface belongs to a VDC the egress policy are programmed only in linecards that have ports belonging to the corresponding VDC
-LOUs with same port operations can be globally shared even across VDC

Also note:

-by default the Nexus 7000 uses "atomic updates" to provide hitless acl hardware programing update due to a config change. Part of this process is to ensure that the acl is only applied to hardware once we check that it will fit.

-the "Session Manager" feature can be used to help manage acl deployments where resource usage is a concern.

See reference links below:

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5.x_chapter14.html#con_1458461

-If the operator or operand differs from other operator-operand couples that are used in other rules, the couple is stored in an LOU.
For example, the operator-operand couples "gt 10" and "gt 11" would be stored separately in half an LOU each. The couples "gt 10" and "lt 10" would also be stored separately.
-Whether the operator-operand couple is applied to a source port or a destination port in the rule affects LOU usage. Identical couples are stored separately when one of the identical couples is applied to a source port and the other couple is applied to a destination port.
For example, if a rule applies the operator-operand couple "gt 10" to a source port and another rule applies a "gt 10" couple to a destination port, both couples would also be stored in half an LOU, resulting in the use of one whole LOU. Any additional rules using a "gt 10" couple would not result in further LOU usage.

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5.x_chapter14.html#concept_945210FB9986499285C6A00065105AC9

By default, when a supervisor module of a Cisco Nexus 7000 Series device updates an I/O module with changes to an ACL, it performs an atomic ACL update. An atomic update does not disrupt traffic that the updated ACL applies to; however, an atomic update requires that an I/O module that receives an ACL update has enough available resources to store each updated ACL entry in addition to all pre-existing entries in the affected ACL. After the update occurs, the additional resources used for the update are freed. If the I/O module lacks the required resources, the device generates an error message and the ACL update to the I/O module fails.

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5.x_chapter14.html#con_1479325

Session Manager supports the configuration of IP and MAC ACLs. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration. For more information about Session Manager, see the Cisco Nexus 7000 Series NX-OS                       Security Configuration Guide, Release 5.x.

Mike

Review Cisco Networking for a $25 gift card