ASR 9000 New Scale Features – Flexible CLI & Scale ACL's
BRKARC-3003
David Pothier - Enterprise Architect, Advanced Services [email protected]
© 2014 Cisco and/or its affiliates. All rights reserved. BRKARC-3003 Cisco Public
Before we begin . . .
ASR 9000 Features - Prior knowledge of ASR 9000 helpful but not required (quick poll)
Please ask questions – raise your hand
May defer network specific questions
Agenda
• ASR 9000 Overview
• Flexible CLI Overview
• Configuration & Use Cases
• Scale ACL Overview
• Configuration & Use Cases
• Summary
ASR 9000 Overview
• Cisco ASR 9000 Series Aggregation Services Routers are the foundation for next-generation Carrier Ethernet networks
• Deploying nV (Network Virtualization) features to optimize service delivery
– nV Satellite
– nV Edge (Cluster)
– VSM (Virtualized Service Model)
• 100Gb End-to-End Solutions
ASR 9000 Models
Per model: route processor / fabric / line cards & ports / rack units / power modules / air flow
ASR 9000v: RP none; fabric none; 4x SFP+ and 44x SFP ports; 1 RU; 1x AC or 2x DC; air flow right to left
ASR 9001: RP built-in; fabric built-in; 4x SFP+ and 2x MPA; 2 RU; 2x AC or 2x DC; air flow right to left
ASR 9904: RP 1+1 RSP; fabric 2x RSP; 2 line cards; 6 RU; 4x AC or 4x DC; air flow right to left
ASR 9006: RP 1+1 RSP; fabric 2x RSP; 4 line cards; 10 RU; 4x AC or 4x DC; air flow right to back
ASR 9010: RP 1+1 RSP; fabric 2x RSP; 8 line cards; 21 RU; 8x AC or 8x DC; air flow front to back
ASR 9912: RP 1+1 RP; fabric 6+1; 10 line cards; 30 RU; 12x AC or 12x DC; air flow front to back
ASR 9922: RP 1+1 RP; fabric 6+1; 20 line cards; 44 RU; 16x AC or 16x DC; air flow front to back
(Figure label: ASR901/903)
ASR9K Line Card Architecture Overview
(Figure. Labels in the diagram: NP0 to NP7, each with a PHY and 3x 10G / 3x10GE SFP+ port groups; FIA0 to FIA3; line card Switch Fabric ASIC and CPU; RSP0 Switch Fabric and RSP1 Switch Fabric; RSP 3 Switch Fabric; A9K-4T; fabric links 8x55G and 4x23G.)
Carrier Ethernet Network
(Figure. Labels in the diagram: Access: PON Node, DSL Node, Mobile 2G/3G/4G Node with RAN Access Network (MPLS/IP), Corporate Business, Residential with STB, TV and SIP; Carrier Ethernet Aggregation Edge: Aggregation Nodes over the Aggregation Network (MPLS/IP); Distribution Nodes; Multiservice Core: Core Network IP/MPLS; VoD Content Network; transport services EoMPLS, VPLS and nV.)
What’s ASR 9000 nV Edge System ?
• Leverages the existing IOS XR CRS multi-chassis software infrastructure, simplified and enhanced for ASR 9000 nV Edge
• Single control plane, single management plane, fully distributed
• Super simple network resiliency and an extensible node
(Figure: ASR 9000 nV Edge compared with CRS Multi-Chassis with its fabric chassis.)
ASR 9000 Flexible CLI Overview
• What problem are we solving ?
• Supported Platforms
• Phased Implementation
ASR 9000 Flexible CLI Overview
Problem Statement
• IOS XR platforms’ features continue to grow
• Running configurations have grown significantly (mid-to-high end platforms)
High level goals
• reduce config complexity and size
• reduce operational errors & misconfigurations
• reduce repeated configuration
ASR 9000 Flexible CLI Overview
Supported on IOS XR Platforms
• ASR9K & CRS
• XR12K is not supported
• Original target platform was ASR9K; CRS was added per customer requests
ASR 9000 Flexible CLI Overview
Phased Implementation
• Phase I (4.3.1): FlexCLI feature introduced
• Phase II (5.1.1): additional FlexCLI features
IOS XR System Configuration Database
• IOS XR config is stored in a binary database that looks like a tree
• some configurations often have the same entries/values repeated
router ospf 10
 area 0
  int TenGigE0/1/0/0
   cost 1000
  int TenGigE0/1/0/1
   cost 1000
  int TenGigE0/1/0/2
   cost 1000
int HundredGig 0/0/0/0
 mtu 9000
int HundredGig 0/0/0/1
 mtu 9000
IOS XR Flexible CLI Overview Configuration Groups
FlexCLI uses a config-group concept: a group is a config sub-tree that:
• is syntactically correct / validated
• is fully defined (i.e. starts from the root)
• can be applied at arbitrary levels of the config (sub modes)
• can use regular expressions
• automatic inheritance in hierarchical fashion
IOS XR Flexible CLI Overview
• The same tree, now containing regular expressions
router ospf
 area '.*'
  int 'TenGigE0/1/0/0'
   cost 1000
  int 'TenGigE0/1/0/1'
   cost 1000
  int 'TenGigE0/1/0/2'
   cost 1000
int 'HundredGigE.*'
 mtu 9000
IOS XR Flexible CLI – Configuration and Use cases
New CLI (group, end-group, apply-group; Phase I - 4.3.1)
config t
 group <group name>
  config commands
 end-group
config t
 interface tengig 0/0/0/0
  apply-group <group name>
commit
IOS XR Flexible CLI – Configuration and Use cases
New CLI (show commands; Phase I - 4.3.1)
• show running-config group <group-name>
• show running-config inheritance interface r/s/m/p
• inheritance – config groups can be applied at different levels of the hierarchy, so “inheritance” of group configuration can also happen at different levels of the configuration
• inheritance can be overridden by local CLI commands at the lowest submode
IOS XR Flexible CLI – Configuration and Use cases
Example: basic
1) configure a group  2) apply the group  3) show run inheritance  4) MTU is inherited
RP/0/RSP0/CPU0:ASR9K#show run group GigCE
group GigCE
 interface 'GigabitEthernet.*'
  mtu 1526
end-group
RP/0/RSP0/CPU0:ASR9K#show run interface GigabitEthernet0/1/0/1
interface GigabitEthernet0/1/0/1
 apply-group GigCE
RP/0/RSP0/CPU0:ASR9K#show run inheritance interface GigabitEthernet0/1/0/1
interface GigabitEthernet0/1/0/1
 ## Inherited from group GigCE
 mtu 1526
RP/0/RSP0/CPU0:PR-ASR9K-4#show interface GigabitEthernet0/1/0/1 | i MTU
MTU 1526 bytes, BW 1000000 Kbit (Max: 1000000 Kbit)
IOS XR Flexible CLI – Configuration and Use cases
Example: local config overrides inherited config
1) configure a group  2) apply the group and configure a different MTU  3) show run inheritance  4) MTU is not inherited: overridden at the interface
RP/0/RSP0/CPU0:ASR9K#show run group GigCE
group GigCE
 interface 'GigabitEthernet.*'
  mtu 1526
end-group
RP/0/RSP0/CPU0:ASR9K#show run interface GigabitEthernet0/1/0/1
interface GigabitEthernet0/1/0/1
 apply-group GigCE
 mtu 1518
RP/0/RSP0/CPU0:ASR9K#show run inheritance interface GigabitEthernet0/1/0/1
interface GigabitEthernet0/1/0/1
 mtu 1518
RP/0/RSP0/CPU0:PR-ASR9K-4#show interface GigabitEthernet0/1/0/1 | i MTU
MTU 1518 bytes, BW 1000000 Kbit (Max: 1000000 Kbit)
IOS XR Flexible CLI – Configuration and Use cases
New CLI: multiple groups can be applied
“up and right” is the rule…
• lowest (most specific) config takes precedence within any level
• first group applied takes precedence
In the following example, “ONE” has the highest priority and “SEVEN” the lowest:
apply-group SIX SEVEN
router ospf 0
 apply-group FOUR FIVE
 area 0
  apply-group THREE
  interface GigabitEthernet0/0/0/0
   apply-group ONE TWO
IOS XR Flexible CLI – Configuration and Use cases
New CLI (multiple groups can be applied)
“up and right” is the rule…
• lowest (most specific) config takes precedence within any level
• first group applied takes precedence
group GigCE-1526
 interface 'GigabitEthernet.*'
  mtu 1526
end-group
group GigCE-1400
 interface 'GigabitEthernet.*'
  mtu 1400
end-group
A) what is the MTU?
interface GigabitEthernet0/1/0/1
 apply-group GigCE-1526 GigCE-1400
 mtu 1518
B) what is the MTU?
interface GigabitEthernet0/1/0/1
 apply-group GigCE-1526 GigCE-1400
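The “up and right” rule from the two slides above, worked through in code. This is an added example, not code from the deck or from Cisco: `Node`, `GROUPS`, `precedence_order` and `resolve` are constructed names, the two groups are the ones from the MTU quiz, and regexes are matched with `re.fullmatch` (an assumption; the exact matching semantics are not on the slide). The resolver produces the ONE-to-SEVEN ordering and answers cases A and B.

```python
"""FlexCLI apply-group precedence ("up and right") modelled in Python.

Added example, not Cisco code. Only the precedence rule from the slide is
modelled: a command typed locally at a submode beats anything inherited there,
the lowest (most specific) submode wins over its parents, and among groups
applied at one submode the first one listed wins. Real groups are full config
sub-trees; here a group body is a list of (mode keyword, regex, {cmd: value}).
"""
import re
from dataclasses import dataclass, field


@dataclass
class Node:
    """One submode of the running config, e.g. ("interface", "GigabitEthernet0/1/0/1")."""
    mode: tuple
    apply_groups: list = field(default_factory=list)  # group names, in the order applied
    local: dict = field(default_factory=dict)         # commands typed at this submode
    children: list = field(default_factory=list)

    def child(self, mode, apply_groups=(), **local):
        node = Node(mode, list(apply_groups), dict(local))
        self.children.append(node)
        return node


# Constructed groups for the MTU quiz; both match every GigabitEthernet interface.
GROUPS = {
    "GigCE-1526": [("interface", r"GigabitEthernet.*", {"mtu": 1526})],
    "GigCE-1400": [("interface", r"GigabitEthernet.*", {"mtu": 1400})],
}


def precedence_order(path):
    """Group names visible at path[-1], highest priority first.

    "Up": walk from the deepest submode towards the root.
    "Right": within one submode, keep the order the groups were applied in.
    """
    order = []
    for node in reversed(path):
        order.extend(node.apply_groups)
    return order


def resolve(path, command, groups=GROUPS):
    """Return (source, value) for `command` at the submode path[-1], or None.

    `source` is "local" when the command was typed at that submode, otherwise
    the name of the group it is inherited from.
    """
    target = path[-1]
    if command in target.local:  # local config overrides inherited config
        return ("local", target.local[command])
    keyword, name = target.mode
    for group in precedence_order(path):
        for mode_kw, pattern, body in groups[group]:
            if mode_kw == keyword and re.fullmatch(pattern, name) and command in body:
                return (group, body[command])
    return None


def one_to_seven():
    """The ONE..SEVEN slide: apply-groups nested from the global level down to an OSPF interface."""
    root = Node(("root", ""), apply_groups=["SIX", "SEVEN"])
    ospf = root.child(("router ospf", "0"), apply_groups=["FOUR", "FIVE"])
    area = ospf.child(("area", "0"), apply_groups=["THREE"])
    intf = area.child(("interface", "GigabitEthernet0/0/0/0"), apply_groups=["ONE", "TWO"])
    return precedence_order([root, ospf, area, intf])


def mtu_quiz():
    """Cases A and B from the slide, resolved for the 'mtu' command."""
    root = Node(("root", ""))
    # A: both groups applied and mtu 1518 typed at the interface itself.
    case_a = root.child(("interface", "GigabitEthernet0/1/0/1"),
                        apply_groups=["GigCE-1526", "GigCE-1400"], mtu=1518)
    # B: both groups applied, nothing typed locally.
    case_b = root.child(("interface", "GigabitEthernet0/1/0/1"),
                        apply_groups=["GigCE-1526", "GigCE-1400"])
    return resolve([root, case_a], "mtu"), resolve([root, case_b], "mtu")


if __name__ == "__main__":
    print("priority:", " > ".join(one_to_seven()))
    a, b = mtu_quiz()
    print("A: mtu", a[1], "from", a[0])  # the local 1518 overrides both groups
    print("B: mtu", b[1], "from", b[0])  # first applied group, GigCE-1526, wins
```

The point of keeping `source` in the result is operational: when a value on a box is not what was expected, `show running-config inheritance` tells you which group it came from, and this model reproduces that attribution so the rule can be reasoned about before a commit.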
IOS XR Flexible CLI – Configuration and Use cases
Common use cases:
• Interface parameters
• Routing instance parameters
• MPLS-TE interface parameters
• L2VPN interface parameters
IOS XR Flexible CLI – Configuration and Use cases
Common use cases: Interface parameters
group 10GE-intf-bundle
 interface 'TenGigE0/2/0/.*'
  lacp period short
  load-interval 30
  transceiver permit pid all
end-group
interface TenGigE0/2/0/14
 apply-group 10GE-intf-bundle
 bundle id 200 mode active
RP/0/RSP0/CPU0:ASR9K#show run interface TenGigE0/2/0/14 inheritance detail
interface TenGigE0/2/0/14
 bundle id 200 mode active
 ## Inherited from group 10GE-intf-bundle
 lacp period short
 ## Inherited from group 10GE-intf-bundle
 load-interval 30
 ## Inherited from group 10GE-intf-bundle
 transceiver permit pid all
IOS XR Flexible CLI – Configuration and Use cases
Common use cases: Interface parameters
group 10GE-Bundle
 interface 'Bundle-Ether.*'
  mtu 9216
  ipv4 mtu 9000
  ipv4 point-to-point
  ipv6 mtu 9000
  load-interval 60
end-group
interface Bundle-Ether200
 apply-group 10GE-Bundle
 ipv4 address 10.1.1.1/24
RP/0/RSP0/CPU0:ASR9K#show run interface bundle-ether 200 inheritance detail
interface Bundle-Ether200
 ## Inherited from group 10GE-Bundle
 mtu 9216
 ## Inherited from group 10GE-Bundle
 ipv4 mtu 9000
 ## Inherited from group 10GE-Bundle
 ipv4 point-to-point
 ipv4 address 192.192.1.25 255.255.255.0
 ## Inherited from group 10GE-Bundle
 ipv6 mtu 9000
 ## Inherited from group 10GE-Bundle
 load-interval 60
IOS XR Flexible CLI – Configuration and Use cases
Common use cases: Routing instance parameters
group ISIS
 router isis 'Core1'
  interface 'Bundle-Ether.*'
   circuit-type level-2-only
   point-to-point
   hello-password keychain secure-isis
   address-family ipv4 unicast
    metric 500
end-group
router isis Core1
 set-overload-bit on-startup wait-for-bgp level 2
 is-type level-2-only
 net 49.0005.0049.1997.0000.1002.00
 nsf ietf
 log adjacency changes
 address-family ipv4 unicast
  metric-style wide level 2
  metric 10
  maximum-paths 32
 !
 interface Bundle-Ether200
  apply-group ISIS
RP/0/RSP0/CPU0:ASR9K#show run router isis Core1 inheritance detail
router isis Core1
 set-overload-bit on-startup wait-for-bgp level 2
 <snip>
 interface Bundle-Ether200
  ## Inherited from group ISIS
  circuit-type level-2-only
  ## Inherited from group ISIS
  point-to-point
  ## Inherited from group ISIS
  hello-password keychain secure-isis
  ## Inherited from group ISIS
  address-family ipv4 unicast
   ## Inherited from group ISIS
   metric 500
IOS XR Flexible CLI – Configuration and Use cases
Common use cases: MPLS-TE interfaces
group TUNNEL
 interface 'tunnel-te.*'
  ipv4 unnumbered Loopback0
  load-interval 30
  logging events lsp-status reoptimize
  logging events lsp-status state
  logging events lsp-status reroute
  logging events lsp-status insufficient-bandwidth
  autoroute announce
  !
  fast-reroute
  path-protection
  logging events link-status
 !
end-group
interface tunnel-te1000
 apply-group TUNNEL
 description DC EAST-WEST Northbound
 path-option 10 dynamic attribute-set EAST protected-by 20
 path-option 20 dynamic attribute-set WEST protected-by 10
 path-option 30 dynamic attribute-set CORE
RP/0/RSP0/CPU0:ASR9K#show run inter tunnel-te1000 inheritance detail
interface tunnel-te1000
 description DC EAST-WEST Northbound
 ## Inherited from group TUNNEL
 ipv4 unnumbered Loopback0
 ## Inherited from group TUNNEL
 load-interval 30
 ## Inherited from group TUNNEL
 logging events lsp-status reoptimize
 ## Inherited from group TUNNEL
 logging events lsp-status state
 ## Inherited from group TUNNEL
 logging events lsp-status reroute
 ## Inherited from group TUNNEL
 logging events lsp-status insufficient-bandwidth
 ## Inherited from group TUNNEL
 autoroute announce
 !
 ## Inherited from group TUNNEL
 fast-reroute
 ## Inherited from group TUNNEL
 path-protection
 path-option 10 dynamic attribute-set EAST protected-by 20
 path-option 20 dynamic attribute-set WEST protected-by 10
 path-option 30 dynamic attribute-set CORE
 ## Inherited from group TUNNEL
 logging events link-status
IOS XR Flexible CLI – Configuration and Use cases
Common use cases: L2VPN
group l2vpn
 l2vpn
  pw-class 'test'
   encapsulation mpls
    ipv4 source 1.2.3.4
   !
  !
 !
end-group
end
l2vpn
 pw-class test
  apply-group l2vpn
 !
!
RP/0/RSP0/CPU0:ASR9K#show run inheritance l2vpn
l2vpn
 pw-class test
  ## Inherited from group l2vpn
  encapsulation mpls
   ## Inherited from group l2vpn
   ipv4 source 1.2.3.4
  !
 !
!
IOS XR Flexible CLI – Configuration and Use cases
Common use cases: L2VPN
group test1
 interface 'TenGig.*'
  description flexcli test
 !
 interface 'TenGig.*\..*' l2transport
  rewrite ingress tag pop 1 symmetric
  mtu 1518
 !
end-group
RP/0/RSP0/CPU0:ASR9K#show run int TenGigE0/2/0/10
interface TenGigE0/2/0/10
 apply-group test1
 cdp
 ipv4 address 12.0.1.3 255.0.0.0
!
RP/0/RSP0/CPU0:ASR9K#show run int TenGigE0/2/0/10.100
interface TenGigE0/2/0/10.100 l2transport
 apply-group test1
 encapsulation dot1q 100
RP/0/RSP0/CPU0:ASR9K#sho run int TenGigE0/2/0/10 inheritance detail
interface TenGigE0/2/0/10
 ## Inherited from group test1
 description flexcli test
 ipv4 address 12.0.1.3 255.0.0.0
!
RP/0/RSP0/CPU0:ASR9K#sho run int TenGigE0/2/0/10.100 inheritance detail
interface TenGigE0/2/0/10.100 l2transport
 encapsulation dot1q 100
 ## Inherited from group test1
 rewrite ingress tag pop 1 symmetric
 ## Inherited from group test1
 mtu 1518
ASR9K/CRS/NCS – Internet Usage
1 billion – PSY’s Gangnam Style video became the first online video to reach 1 billion views and achieved it in just 5 months.
http://www.guinnessworldrecords.com/news/2012/9/gangnam-style-now-most-liked-video-in-youtube-history-44977/
Data Traffic Reference
• 1 Byte: A single character (1)
• 1 Kilobyte: Half a typewritten page (1,024 bytes)
• 1 Megabyte: A short novel (1024 kilobytes)
• 1 Gigabyte: A movie at TV quality (1024 megabytes)
• 1 Terabyte: About half the content of an academic research library (10 terabytes: the printed collection of the US Library of Congress). (1 trillion bytes)
• 1 Petabyte: About half the content of all U.S. academic research libraries (1 million gigabytes)
• 5 Exabytes: All words ever spoken by human beings. (5 billion gigabytes)
• 1 Zettabyte: About half of the information sent through broadcast technology (such as TV and GPS) in 2007. (1 trillion gigabytes)
• Yottabyte (1 000 000 000 000 000 000 000 000 Bytes). Named after Yoda.
• Xenottabytes (1 000 000 000 000 000 000 000 000 000 Bytes)
• Shilentnobytes (1 000 000 000 000 000 000 000 000 000 000 Bytes)
• Domegemegrottebytes (1 000 000 000 000 000 000 000 000 000 000 000 Bytes)
• Icosebyte (1 000 000 000 000 000 000 000 000 000 000 000 000 Bytes)
• Monoicosebyte (1,000,000,000,000,000,000,000,000,000,000,000,000,000 Bytes)
ASR 9000 IOS XR Scale ACL Overview
ASR 9000 ACLs before the Scale ACL feature:
• TCAM-based architectures perform ACL classification for security and filtering ACLs and for ACL-based QoS classification
• TCAM-based implementations offer extremely high-speed, deterministic lookups, but are poorly suited to very large rule sets
• Repetition of rules in similar ACEs
• Large TCAM space requirements in scaled scenarios
ASR 9000 IOS XR Scale ACL Overview
TCAM-based ACLs:
• Essentially custom memory that takes a lookup key and mask and returns a result (a TCAM “rule”, or “Value Mask Result”)
ASR 9000 Scale ACL Configuration improvements:
• Easier and friendlier to use “sets” of objects when building rules....
 – This:
   Set A = (j,k,l,m)   Set B = (w,x,y,z)
   permit ipv4 (set A) (set B)
 – Is easier on the eyes than this:
   permit host j host w
   permit host k host w
   permit host l host w
   permit host m host w
   permit host j host x
   permit host k host x
 – And so on... (4x4 would be 16 rules... Imagine 100x400x20!)
Scale ACL Object-group's
• As we talk about “object-groups” on the next slides, think of them as analogous to a prefix-set that an IOS XR RPL route-policy calls from within the route policy
• ACL’s will call into function various “object groups”
Scale ACL Object-group CLI
• Network groups define a set of prefixes
 – prefixes, hosts, ranges of prefixes
 – nested groups
• Port groups define a set of ports
 – port entries and operators
 – nested groups
• Supported for both IPv4 and IPv6
• ACE entries in an ACL can specify object-group names, individual traditional entries, or both
Scale ACL Configuration CLI
1) Create an object-group (either network or port, or both)
2) Create the access-list
3) Enter the ACL permit or deny entries, using net-group or port-group syntax
Scale ACL Configuration Example:
object-group network ipv4 SRC_1
 10.10.1.0/24
 host 10.10.1.100
object-group network ipv4 DEST_1
 30.30.0.0/16
 host 30.30.1.100
object-group port PORTS_1
 eq telnet
 range 1024 65535
ipv4 access-list scale
 10 permit tcp net-group SRC_1 net-group DEST_1 port-group PORTS_1
Scale ACL Configuration Example:
Current CLI:
ipv4 access-list acl1
 10 permit tcp host 1.1.1.1 host 10.10.10.1 eq ftp
 20 permit tcp host 1.1.1.2 host 10.10.10.1 eq ftp
 30 permit tcp host 1.1.1.3 host 10.10.10.1 eq ftp
 40 permit tcp host 1.1.1.1 host 10.10.10.1 eq domain
 50 permit tcp host 1.1.1.2 host 10.10.10.1 eq domain
 60 permit tcp host 1.1.1.3 host 10.10.10.1 eq domain
 70 permit tcp host 1.1.1.1 host 10.10.10.1 lt 1024
 80 permit tcp host 1.1.1.2 host 10.10.10.1 lt 1024
 90 permit tcp host 1.1.1.3 host 10.10.10.1 lt 1024
 100 permit tcp host 1.1.1.1 host 10.10.10.1 range 2400 2500
 110 permit tcp host 1.1.1.2 host 10.10.10.1 range 2400 2500
 120 permit tcp host 1.1.1.3 host 10.10.10.1 range 2400 2500
!
New Scale object-group CLI:
object-group network ipv4 site-east
 1.1.1.1/32
 1.1.1.2/32
 1.1.1.3/32
!
object-group port site-west-portgroup1
 eq ftp
 eq domain
 lt 1024
 range 2400 2500
!
ipv4 access-list acl1
 10 permit tcp net-group site-east host 10.10.10.1 port-group site-west-portgroup1
!
Scale ACL CLI syntax
RP/0/RSP0/CPU0:ASR9K(config)#object-group network ipv4 <name> ?
  A.B.C.D/length  IPv4 address/prefix
  description     Description for the object group
  host            A single host address
  object-group    Nested object group
  range           Range of host addresses
  <cr>
RP/0/RSP0/CPU0:ASR9K(config)#object-group port test ?
  description   description for the object group
  eq            Match packets on ports equal to entered port number
  gt            Match packets on ports greater than entered port number
  lt            Match packets on ports less than entered port number
  neq           Match packets on ports not equal to entered port number
  object-group  nested object group
  range         Match only packets on a given port range
  <cr>
ACE syntax
{ipv4 | ipv6} access-list <name>
 10 permit tcp net-group <name> net-group <name> port-group <name> [options]
Scale ACL CLI syntax
• Hybrid-mode ACE lines are allowed
• For example: an object-group in the source field and an individual address/prefix in the destination field
• ACEs with object groups and ACEs without object groups can coexist in the same ACL
ipv4 access-list scale
 10 permit tcp net-group SRC_1 net-group DEST_1 port-group PORTS_1
 20 permit icmp 10.10.1.0/24 host 192.168.1.100 echo
 30 permit icmp 10.10.1.0/24 host 192.168.10.100 echo
Scale ACL - Compression
• Can apply ACL on interface with a choice to select compression level in HW
• The compression level determines which of the fields (src, dst, src port, dst port) are programmed in TCAM in compressed format.
• More compression means less TCAM space, but extra lookups in NP. This is a trade off between TCAM memory usage versus line rate performance.
Scale ACL - Compression
• Config option to enable compressed format on per interface basis.
• 3 levels of compression supported (0,1,3) with 3 being the best compression & scale capabilities but the worst NP performance hit
• Can support only one compression mode of an ACL on a given LC
– Once an ACL is applied with a compression level on an interface, it can be applied with the same compression level on other interfaces on same LC.
– you cannot mix different compression levels on the same LC
Scale ACL - Compression
• There are 3 available compression levels for a scaled ACL.
• level 0 simply expands the object groups and dumps into TCAM.
– identical performance to legacy ACL
– more convenient configuration
• level 1 compresses only the source prefix object-groups
– smallest performance hit, but still very high scale
• level 3 compresses both Source & Destination, network and port groups
– higher performance reduction, large scale improvements
• generally speaking: use the least compression that fits (better performance)
– “more flexibility” to trade performance vs. scale vs. cost
– Note: –SE cards have much larger TCAMs than –TR cards
Scaled ACL - Counters
• In hardware, each TCAM entry points at a counter.
• Regardless of legacy vs. scale object-group config, each configured ACE will have one counter associated.
• Scaled ACL allows you to combine many rules into a single ACE, which also becomes a single counter.
• Still order-dependent, so use sequence numbers...
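The set expansion behind the slides above (the 4x4 = 16 example, the acl1 side-by-side, level 0 “expands the object groups and dumps into TCAM”, and one counter per ACE), carried through in code. This is an added example, not code from the deck or from Cisco: `expand_ace`, `rule_count`, `tcam_footprint` and the `*_GROUPS` tables are constructed names, the object groups are copied from the acl1 example, and only the ACE shapes that appear on the slides are parsed.

```python
"""Expanding Scale ACL object groups into the legacy per-pair ACEs.

Added example, not Cisco code. It does in Python what the slides describe for
compression level 0: every net-group / port-group reference in an ACE is
expanded into the cross product of its members, which is the rule count the
legacy ACL needed and the TCAM entry count level 0 programs. It also shows the
counter caveat: one object-group ACE is one counter however many rules it
stands for. Only the ACE shapes used on the slides are parsed.
"""
import itertools

# Constructed object groups, copied from the acl1 side-by-side example.
NET_GROUPS = {
    "site-east": ["1.1.1.1/32", "1.1.1.2/32", "1.1.1.3/32"],
}
PORT_GROUPS = {
    "site-west-portgroup1": ["eq ftp", "eq domain", "lt 1024", "range 2400 2500"],
}

# The twelve legacy ACEs the slide writes out by hand (sequence numbers dropped).
LEGACY_ACL1 = [
    f"permit tcp host 1.1.1.{h} host 10.10.10.1 {p}"
    for p in ("eq ftp", "eq domain", "lt 1024", "range 2400 2500")
    for h in (1, 2, 3)
]

# Constructed groups for the "imagine 100x400x20" remark on the slide.
BIG_NET_GROUPS = {
    "src-100": [f"10.0.{i // 256}.{i % 256}/32" for i in range(100)],
    "dst-400": [f"10.1.{i // 256}.{i % 256}/32" for i in range(400)],
}
BIG_PORT_GROUPS = {"ports-20": [f"eq {1024 + i}" for i in range(20)]}

_PORT_OPERANDS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2}


def _take_address(tokens, i):
    """Consume one address term at tokens[i]: net-group NAME, host A.B.C.D, a prefix or any."""
    if tokens[i] in ("net-group", "host"):
        return " ".join(tokens[i:i + 2]), i + 2
    return tokens[i], i + 1


def _take_port(tokens, i):
    """Consume an optional port term at tokens[i]; return ("", i) when none is present."""
    if i < len(tokens) and tokens[i] == "port-group":
        return " ".join(tokens[i:i + 2]), i + 2
    if i < len(tokens) and tokens[i] in _PORT_OPERANDS:
        n = 1 + _PORT_OPERANDS[tokens[i]]
        return " ".join(tokens[i:i + n]), i + n
    return "", i


def _members(term, net_groups, port_groups):
    """The list of legacy terms one ACE term stands for."""
    if term.startswith("net-group "):
        out = []
        for entry in net_groups[term.split(None, 1)[1]]:
            addr, _, length = entry.partition("/")
            # A /32 member is written back the way the legacy ACE wrote it.
            out.append(f"host {addr}" if length == "32" else entry)
        return out
    if term.startswith("port-group "):
        return list(port_groups[term.split(None, 1)[1]])
    return [term]


def _parts(ace, net_groups, port_groups):
    """Split 'permit tcp SRC [SPORT] DST [DPORT]' into its member lists."""
    tokens = ace.split()
    src, i = _take_address(tokens, 2)
    sport, i = _take_port(tokens, i)
    dst, i = _take_address(tokens, i)
    dport, _ = _take_port(tokens, i)
    return tokens[:2], [_members(t, net_groups, port_groups) for t in (src, sport, dst, dport)]


def expand_ace(ace, net_groups=NET_GROUPS, port_groups=PORT_GROUPS):
    """All legacy ACEs one object-group ACE stands for (what level 0 puts in TCAM)."""
    head, parts = _parts(ace, net_groups, port_groups)
    return [" ".join(head + [p for p in combo if p]) for combo in itertools.product(*parts)]


def rule_count(ace, net_groups=NET_GROUPS, port_groups=PORT_GROUPS):
    """Size of the expansion without materialising it (product of the member counts)."""
    _, parts = _parts(ace, net_groups, port_groups)
    count = 1
    for members in parts:
        count *= len(members)
    return count


def tcam_footprint(aces, net_groups=NET_GROUPS, port_groups=PORT_GROUPS):
    """(level-0 TCAM entries, ACE counters) for an ACL, excluding the implicit deny."""
    return (sum(rule_count(a, net_groups, port_groups) for a in aces), len(aces))


if __name__ == "__main__":
    scale_ace = "permit tcp net-group site-east host 10.10.10.1 port-group site-west-portgroup1"
    print(tcam_footprint([scale_ace]))   # (12, 1): twelve entries, one counter
    print(tcam_footprint(LEGACY_ACL1))   # (12, 12): twelve entries, twelve counters
    print(rule_count("permit tcp net-group src-100 net-group dst-400 port-group ports-20",
                     BIG_NET_GROUPS, BIG_PORT_GROUPS))  # 800000
```

The second number returned by `tcam_footprint` is the one to keep in mind when hunting a problem with `show access-lists`: after consolidation, a single ACE counter covers every source/port pair it expands to, so per-pair hit counts that the legacy ACL gave for free are no longer visible.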
Scale ACL – Ipv4 example
show run ipv4 access-list test1
ipv4 access-list test1
 10 permit ipv4 any any
TCAM programming: “10 permit ipv4 any any” is 1 TCAM entry; the implicit deny is 1 TCAM entry
Scale ACL – IPv4 example
show run interface ten0/0/0/11
interface TenGigE0/0/0/11
ipv4 access-group test1 ingress
show controller np ports all loc 0/0/cpu0
Node: 0/0/CPU0:
----------------------------------------------------------------
NP Bridge Fia Ports
-- ------ --- ---------------------------------------------------
0 -- 0 TenGigE0/0/0/0, TenGigE0/0/0/1, TenGigE0/0/0/2
1 -- 0 TenGigE0/0/0/3, TenGigE0/0/0/4, TenGigE0/0/0/5
2 -- 1 TenGigE0/0/0/6, TenGigE0/0/0/7, TenGigE0/0/0/8
3 -- 1 TenGigE0/0/0/9, TenGigE0/0/0/10, TenGigE0/0/0/11
4 -- 2 TenGigE0/0/0/12, TenGigE0/0/0/13, TenGigE0/0/0/14
<snip>
show access-lists test1 hardware ingress resource-usage loc 0/0/cpu0
NP : 3
Rules (ACE) : 2
ACL compression level : 0
Fields compressed : None
TCAM Entries used : 2 ( 96k total)
TCAM Key Width : 160 ( 0 total for compressed fields)
show pfilter-ea fea summary loc 0/0/cpu0
******** NP Resource Usage Summary ************
Chan # 144-bit TCAM Entries 576-bit TCAM Entries Stats SS Hash Entries
========================================================================
0 0 0 0 0
1 0 0 0 0
2 0 0 0 0
3 2 0 2 0
4 0 0 0 0
Scale ACL – v4 example – test1
show prm server tcam summary all acl all loc 0/0/cpu0
<snip>
TCAM summary for NP3:
TCAM Logical Table: TCAM_LT_L2 (1)
Partition ID: 0, priority: 2, valid entries: 3, free entries: 317
<snip>
TCAM Logical Table: TCAM_LT_ODS2 (2), free entries: 89273, resvd 128
ACL Common Region: 448 entries allocated. 448 entries free
Application ID: NP_APP_ID_IPV4_ACL (2)
Total: 1 vmr_ids, 2 active entries, 2 allocated entries.
TCAM Logical Table: TCAM_LT_ODS8 (3), free entries: 14757, resvd 128
ACL Common Region: 448 entries allocated. 448 entries free
Application ID: NP_APP_ID_ACL_IPV6 (2)
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Summary for today's session:
• Reduce large ASR 9000 IOS XR configurations using FlexCLI + Scale ACL
• Take advantage of IOS XR FlexCLI to reduce and re-use common configurations
• Scale ACL – security is the top-most requirement; reduce large ACL configurations
• Take advantage of Scale ACL to reduce large configurations and to re-use security stanzas
• Please contact me directly if you have questions on FlexCLI or Scale ACL configurations or issues. My direct email is [email protected]. We will be glad to help. Thank you for attending today's session.
References
• ASR9K Configuration Guides (Cisco.com): http://www.cisco.com/en/US/products/ps5845/products_installation_and_configuration_guides_list.html
• ASR9K Master Command Reference (Cisco.com): http://www.cisco.com/en/US/products/ps5845/products_product_indices_list.html
• ASR9K Cisco Support Forum Documents: https://supportforums.cisco.com/community/netpro/service-providers/ios-xr?view=documents
• ASR9K Cisco Support Forum – Feature order of Operations: https://supportforums.cisco.com/docs/DOC-32025
Participate in the “My Favorite Speaker” Contest
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include
– Your favorite speaker’s Twitter handle @dpothier
– Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Promote Your Favorite Speaker and You Could be a Winner
Complete Your Online Session Evaluation
• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
Scale ACL – v4 example – test2 – compression level 1
config t
load ftp://user:[email protected]/acl/test2-comp1
Loading.
20073 bytes parsed in 1 sec (20052)bytes/sec
commit
end
show run ipv4 access-list test2-comp1
ipv4 access-list test2-comp1
10 permit tcp net-group net_group_1 net-group net_group_1 port-group port_group_1
20 permit tcp net-group net_group_1 net-group net_group_1 port-group port_group_2
30 permit tcp net-group net_group_1 port-group port_group_1 net-group net_group_1
40 permit tcp net-group net_group_1 port-group port_group_2 net-group net_group_1
50 permit tcp net-group net_group_2 net-group net_group_2 port-group port_group_3
<snip>
440 permit tcp net-group net_group_11 net-group net_group_38 port-group port_group_23
450 permit tcp net-group net_group_39 10.0.0.0/8 port-group port_group_22
460 permit tcp net-group net_group_12 net-group net_group_40 eq ssh
470 permit tcp net-group net_group_40 eq ssh net-group net_group_12
show access-lists ipv4 summary
ACL Summary:
Total ACLs configured: 1
Total ACEs configured: 47
Scale ACL – v4 example – test2 – compression level 1
show object-group network ipv4 ?
| Output Modifiers
net_group_1 Object group name
net_group_2 Object group name
net_group_3 Object group name
net_group_4 Object group name
<snip>
<snip>
net_group_38 Object group name
net_group_39 Object group name
net_group_40 Object group name
show object-group port ?
| Output Modifiers
port_group_1 Object group name
port_group_2 Object group name
port_group_3 Object group name
<snip>
<snip>
port_group_20 Object group name
port_group_21 Object group name
port_group_22 Object group name
port_group_23 Object group name
Scale ACL – v4 example – test2 – compression L 1
show run interface ten 0/0/0/11
interface TenGigE0/0/0/11
load-interval 30
ipv4 access-group test2-comp1 ingress compress level 1
sho controller np ports all loc 0/0/cpu0
Node: 0/0/CPU0:
----------------------------------------------------------------
NP Bridge Fia Ports
-- ------ --- ---------------------------------------------------
0 -- 0 TenGigE0/0/0/0, TenGigE0/0/0/1, TenGigE0/0/0/2
1 -- 0 TenGigE0/0/0/3, TenGigE0/0/0/4, TenGigE0/0/0/5
2 -- 1 TenGigE0/0/0/6, TenGigE0/0/0/7, TenGigE0/0/0/8
3 -- 1 TenGigE0/0/0/9, TenGigE0/0/0/10, TenGigE0/0/0/11
4 -- 2 TenGigE0/0/0/12, TenGigE0/0/0/13, TenGigE0/0/0/14
7 <snip>
show access-lists test2-comp1 hardware ingress resource-usage loc 0/0/cpu0
NP : 3
Rules (ACE) : 47
ACL compression level : 1
Fields compressed : SrcIP
TCAM Entries used : 11618 ( 96k total)
TCAM Key Width : 160 ( 32 total for compressed fields)
Fields Prefix count Bit width/rounded
~~~~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~
SourceIP 579 15/16 (of max 32)
Total no. of bits used = 16 (of max 32) for compressed fields
Scale ACL – v4 example – test2 – compression L 1
RP/0/RP0/CPU0:ASR9K#show pfilter-ea fea summary loc 0/0/cpu0
******** NP Resource Usage Summary ************
Chan # 144-bit TCAM Entries 576-bit TCAM Entries Stats SS Hash Entries
========================================================================
0 0 0 0 0
1 0 0 0 0
2 0 0 0 0
3 11618 0 47 0
4 0 0 0 0
5 0 0 0 0
6 0 0 0 0
7 0 0 0 0
Scale ACL – v4 example – test2 – compression L 1
show prm server tcam summary all acl all loc 0/0/cpu0
<snip>
TCAM summary for NP3:
TCAM Logical Table: TCAM_LT_L2 (1)
Partition ID: 0, priority: 2, valid entries: 3, free entries: 317
<snip>
TCAM Logical Table: TCAM_LT_ODS2 (2), free entries: 77657, resvd 128
ACL Common Region: 448 entries allocated. 448 entries free
Application ID: NP_APP_ID_IPV4_ACL (2)
Total: 1 vmr_ids, 11618 active entries, 11618 allocated entries.
TCAM Logical Table: TCAM_LT_ODS8 (3), free entries: 14757, resvd 128
ACL Common Region: 448 entries allocated. 448 entries free
Application ID: NP_APP_ID_ACL_IPV6 (2)
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
show prm server tcam summary all acl all loc 0/0/cpu0 | i active entries
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 1 vmr_ids, 11618 active entries, 11618 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
<snip>
Scale ACL – v4 example – test2 – comparison compression L 1 versus 3
show access-lists test2-comp1 hardware ingress resource-usage loc 0/0/cpu0 (Level 1)
NP : 3
Rules (ACE) : 47
ACL compression level : 1
Fields compressed : SrcIP
TCAM Entries used : 11618 ( 96k total)
TCAM Key Width : 160 ( 32 total for compressed fields)
Fields Prefix count Bit width/rounded
~~~~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~
SourceIP 579 15/16 (of max 32)
Total no. of bits used = 16 (of max 32) for compressed fields
show access-lists test2-comp1 hardware ingress resource-usage loc 0/0/cpu0 (Level 3)
NP : 3
Rules (ACE) : 47
ACL compression level : 3
Fields compressed : SrcIP, DstIP, SrcPort, DstPort
TCAM Entries used : 88 ( 16k total)
TCAM Key Width : 640 ( 560 total for compressed fields)
Fields Prefix count Bit width/rounded
~~~~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~
SourceIP 579 15/16 (of max 240)
DestIP 381 14/16 (of max 240)
SrcPort 99 10/16 (of max 240)
DstPort 109 13/16 (of max 240)
Total no. of bits used = 64 (of max 560) for compressed fields
Scale v4 ACL test 3
• Some notes on the following large ACL test
• approx 4800 object-groups:
– 4000 network groups with ~20k total pfx/masks
– 800 port groups, ~1750 port statements, 200 ranges
• ~3000 access list entries
– virtually all of them call multiple object groups
• would expand out to approx. 17 million individual ACL entries if you had to write it with legacy ACL CLI
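The "approx. 17 million" figure is the cross product of every net-group and port-group an ACE references: source prefixes x source port statements x destination prefixes x destination port statements, summed over all ACEs. The script below is an added illustration, not code from this deck or from Cisco; it computes that expansion for an object-group ACL written in the syntax the slides show. SAMPLE_CONFIG is a constructed miniature in the style of the test3 output, nested groups (like parent_dcc_grp) are resolved recursively with loop detection, and the grammar handled is an assumption limited to the forms visible on this page.

```python
"""Estimate how many legacy (fully expanded) ACEs an object-group ACL stands for.
Added illustration, not Cisco code; it parses only the IOS XR syntax subset
visible on this page (network/port object-groups, nested groups, and ACEs of
the form `SEQ permit|deny PROTO SRC [port-spec] DST [port-spec]`)."""
import re

NET_RE = re.compile(r"^object-group network ipv[46] (\S+)$")
PORT_RE = re.compile(r"^object-group port (\S+)$")
ACE_RE = re.compile(r"^(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")

# Constructed sample in the style of the page's test3 output, not the real file.
SAMPLE_CONFIG = """
object-group network ipv4 DCC_OPS_NTP_TIER1
 members:
  192.168.1.84/30
  192.168.10.112/31
object-group network ipv4 DCC_SP1_SUPERNETS
 members:
  10.0.0.0/8
  192.168.100.120/31
object-group network ipv4 parent_dcc_grp
 members:
  object-group DCC_OPS_NTP_TIER1
  object-group DCC_SP1_SUPERNETS
object-group port src_port_grp_WEST
 members:
  eq 111
  range 1024 65535
object-group port dst_port_grp_55
 members:
  eq 514
  eq 6514
ipv4 access-list sample
 10 permit icmp net-group parent_dcc_grp net-group parent_dcc_grp
 20 permit udp any net-group DCC_SP1_SUPERNETS port-group dst_port_grp_55
 30 permit tcp net-group parent_dcc_grp port-group src_port_grp_WEST net-group DCC_OPS_NTP_TIER1 port-group dst_port_grp_55
"""

def parse_config(text):
    """(net_groups: name -> member lines, port_groups: name -> statement count, aces)."""
    net_groups, port_groups, aces = {}, {}, []
    current, kind = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "members:":
            continue
        if NET_RE.match(line):
            current, kind = NET_RE.match(line).group(1), "net"
            net_groups[current] = []
        elif PORT_RE.match(line):
            current, kind = PORT_RE.match(line).group(1), "port"
            port_groups[current] = 0
        elif line.startswith(("ipv4 access-list", "ipv6 access-list")):
            kind = "acl"
        elif kind == "net":
            net_groups[current].append(line)
        elif kind == "port":
            port_groups[current] += 1  # each eq/range line is one port statement
        elif kind == "acl" and ACE_RE.match(line):
            aces.append(line)
    return net_groups, port_groups, aces

def resolve_net_group(name, net_groups, _stack=()):
    """Flatten nested groups into a set of prefixes; loops and unknown names are errors."""
    if name in _stack:
        raise ValueError("object-group cycle: " + " -> ".join(_stack + (name,)))
    if name not in net_groups:
        raise ValueError("undefined net-group: " + name)
    prefixes = set()
    for member in net_groups[name]:
        if member.startswith("object-group "):
            prefixes |= resolve_net_group(member.split()[1], net_groups, _stack + (name,))
        else:
            prefixes.add(member)
    return prefixes

def _take_endpoint(tokens, net_groups, port_groups):
    """Consume one address spec plus optional port spec; return (addrs, ports)."""
    head = tokens.pop(0)
    addrs = len(resolve_net_group(tokens.pop(0), net_groups)) if head == "net-group" else 1
    ports = 1  # no port spec, 'any', a literal prefix or a single legacy eq/range: one line
    if tokens and tokens[0] == "port-group":
        ports = port_groups[tokens[1]]
        del tokens[:2]
    elif tokens and tokens[0] in ("eq", "neq", "lt", "gt", "range"):
        del tokens[:3 if tokens[0] == "range" else 2]
    return addrs, ports

def expanded_ace_count(ace, net_groups, port_groups):
    """Legacy ACEs one ACE expands to: src addrs x src ports x dst addrs x dst ports."""
    tokens = ACE_RE.match(ace.strip()).group(4).split()
    src_addrs, src_ports = _take_endpoint(tokens, net_groups, port_groups)
    dst_addrs, dst_ports = _take_endpoint(tokens, net_groups, port_groups)
    return src_addrs * src_ports * dst_addrs * dst_ports

def legacy_expansion(text):
    """(total legacy ACE count, {sequence: count}) for a config blob."""
    net_groups, port_groups, aces = parse_config(text)
    per_ace = {int(a.split()[0]): expanded_ace_count(a, net_groups, port_groups) for a in aces}
    return sum(per_ace.values()), per_ace
```

Running `legacy_expansion(SAMPLE_CONFIG)` on the constructed sample turns three object-group ACEs into 52 legacy lines (16 + 4 + 32); point it at a full `show run` blob to get the number the slide quotes for your own ACL. Duplicate prefixes reachable through several nested groups are counted once, which matches how a single match behaves in hardware but may undercount the lines a naive legacy rewrite would produce.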
Scale ACL – v4 example – test3 – compression L 3
config t
load ftp://user:[email protected]/acl/test3-comp3
Loading....................
1618222 bytes parsed in 20 sec (80765)bytes/sec
commit
end
show run ipv4 access-list test3-comp3
ipv4 access-list test3-comp3
10 permit icmp net-group parent_src_grp_1 net-group parent_src_grp_1
20 permit udp any net-group parent_dst_grp_2
30 permit udp any net-group DCC_SBS_NEW_ORDER
40 permit udp net-group DCC_GLOBAL_PROD net-group SP_GLOBAL_PROD_3
<snip>
35090 permit tcp net-group DCC_CSE_CORP_CRPSRVENG_101 port-group src_port_grp_11 net-group DCC_OPS_QA_EAST_MAIN port-group dst_port_grp_NY
35230 permit udp net-group SRC_SP1_SUPERNETS_5 net-group DCC_OPS_SP1_SYSLOG_SJ port-group dst_port_grp_55
35240 permit tcp net-group SRC_DCA_ADX_SP1_EAST_CLIENTS_1782 port-group src_port_grp_11 net-group DCC_OPS_SP1_SYSLOG_EAST_3145 port-group dst_port_grp_3524
show access-lists ipv4 summary
ACL Summary:
Total ACLs configured: 1
Total ACEs configured: 2997
Scale ACL – v4 example – test3 – compression L 3
show object-group network ipv4 ?
object-group network ipv4 DCC_EAST_SP1_DCC_SERVERS
members:
192.168.1.84/30
192.168.10.112/31
192.168.100.120/31
<snip>
object-group network ipv4 parent_dcc_grp
members:
object-group DCC_OPS_NTP_TIER1
object-group DCC_SP1_SUPERNETS
show object-group port ?
port_group_1 Object group name
port_group_2 Object group name
port_group_3 Object group name
<snip>
object-group port src_port_grp_WEST
members:
eq 111
range 1024 65535
Scale ACL – v4 example – test3 – compression L 3
show run interface ten 0/0/0/11
interface TenGigE0/0/0/11
load-interval 30
ipv4 access-group test3-comp3 ingress compress level 3
sho controller np ports all loc 0/0/cpu0
Node: 0/0/CPU0:
----------------------------------------------------------------
NP Bridge Fia Ports
-- ------ --- ---------------------------------------------------
0 -- 0 TenGigE0/0/0/0, TenGigE0/0/0/1, TenGigE0/0/0/2
1 -- 0 TenGigE0/0/0/3, TenGigE0/0/0/4, TenGigE0/0/0/5
2 -- 1 TenGigE0/0/0/6, TenGigE0/0/0/7, TenGigE0/0/0/8
3 -- 1 TenGigE0/0/0/9, TenGigE0/0/0/10, TenGigE0/0/0/11
4 -- 2 TenGigE0/0/0/12, TenGigE0/0/0/13, TenGigE0/0/0/14
7 <snip>
show access-lists test3-comp3 hardware ingress resource-usage loc 0/0/cpu0
NP : 3
Rules (ACE) : 2998
ACL compression level : 3
Fields compressed : SrcIP, DstIP, SrcPort, DstPort
TCAM Entries used : 5673 ( 16k total)
TCAM Key Width : 640 ( 560 total for compressed fields)
Fields Prefix count Bit width/rounded
~~~~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~
SourceIP 20763 202/208 (of max 240)
DestIP 5317 57/64 (of max 240)
SrcPort 65 18/24 (of max 240)
DstPort 1049 155/160 (of max 240)
Total no. of bits used = 456 (of max 560) for compressed fields
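The resource-usage output above, together with the test2 level 1 versus level 3 comparison earlier, shows the two resources a compressed ACL can exhaust: TCAM entries and the compressed-field bit budget. Test3 at level 3 uses only about a third of the 16k entries but 456 of the 560 available bits, so the bit budget is the number to watch. The script below is an added example, not Cisco tooling; it parses that output and reports utilisation against a warning threshold. The three input strings are copies of the page's outputs trimmed to the lines the parser reads; treating "16k" as 16 x 1024 entries and the 80% threshold are assumptions.

```python
"""Parse `show access-lists ... hardware ingress resource-usage` output and
report how close an ACL is to the NP's limits.  Added example, not Cisco
tooling: it reads the fields exactly as printed on this page; '96k' is taken
as 96*1024 entries and the 80% warning threshold is an arbitrary choice."""
import re

# Constructed copies of the outputs shown on this page (test2 at level 1 and
# level 3, test3 at level 3), trimmed to the lines the parser uses.
TEST2_L1 = """\
NP : 3
Rules (ACE) : 47
ACL compression level : 1
Fields compressed : SrcIP
TCAM Entries used : 11618 ( 96k total)
TCAM Key Width : 160 ( 32 total for compressed fields)
Total no. of bits used = 16 (of max 32) for compressed fields
"""
TEST2_L3 = """\
NP : 3
Rules (ACE) : 47
ACL compression level : 3
Fields compressed : SrcIP, DstIP, SrcPort, DstPort
TCAM Entries used : 88 ( 16k total)
TCAM Key Width : 640 ( 560 total for compressed fields)
Total no. of bits used = 64 (of max 560) for compressed fields
"""
TEST3_L3 = """\
NP : 3
Rules (ACE) : 2998
ACL compression level : 3
Fields compressed : SrcIP, DstIP, SrcPort, DstPort
TCAM Entries used : 5673 ( 16k total)
TCAM Key Width : 640 ( 560 total for compressed fields)
Total no. of bits used = 456 (of max 560) for compressed fields
"""

FIELD_PATTERNS = {
    "np": r"^NP\s*:\s*(\d+)",
    "aces": r"^Rules \(ACE\)\s*:\s*(\d+)",
    "level": r"^ACL compression level\s*:\s*(\d+)",
    "entries": r"^TCAM Entries used\s*:\s*(\d+)",
    "entries_total": r"^TCAM Entries used\s*:\s*\d+\s*\(\s*(\d+k?)\s+total",
    "key_width": r"^TCAM Key Width\s*:\s*(\d+)",
    "bits_used": r"^Total no\. of bits used\s*=\s*(\d+)",
    "bits_max": r"^Total no\. of bits used\s*=\s*\d+\s*\(of max\s*(\d+)\)",
}

def _to_int(text):
    """'16k' -> 16384 (k = 1024 is an assumption; the CLI prints it rounded)."""
    return int(text[:-1]) * 1024 if text.endswith("k") else int(text)

def parse_resource_usage(output):
    """Return the numeric fields of one resource-usage block as a dict."""
    result = {}
    for line in output.splitlines():
        for key, pattern in FIELD_PATTERNS.items():
            m = re.match(pattern, line.strip())
            if m:
                result[key] = _to_int(m.group(1))
    missing = set(FIELD_PATTERNS) - set(result)
    if missing:
        raise ValueError("fields not found in output: " + ", ".join(sorted(missing)))
    return result

def headroom(usage, warn_pct=80.0):
    """Utilisation of the two resources that can run out: TCAM rows and the
    compressed-field bit budget.  Either one crossing warn_pct sets 'warn'."""
    tcam_pct = round(100.0 * usage["entries"] / usage["entries_total"], 1)
    bits_pct = round(100.0 * usage["bits_used"] / usage["bits_max"], 1)
    return {
        "level": usage["level"],
        "tcam_pct": tcam_pct,
        "compressed_bits_pct": bits_pct,
        "entries_per_ace": round(usage["entries"] / usage["aces"], 1),
        "warn": max(tcam_pct, bits_pct) >= warn_pct,
    }

def compare(*outputs):
    """Headroom for several resource-usage outputs, e.g. one ACL at different levels."""
    return [headroom(parse_resource_usage(o)) for o in outputs]

if __name__ == "__main__":
    for row in compare(TEST2_L1, TEST2_L3, TEST3_L3):
        print(row)
```

On the three page outputs this reports test2 at level 1 at about 12% of TCAM entries but 247 entries per ACE, test2 at level 3 under 1% of entries and 11% of the bit budget, and test3 at level 3 at 81% of the bit budget with the warning set. Pasting the live CLI output into `parse_resource_usage` gives the same check for a production line card.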
Scale ACL – v4 example – test3 – compression L 3
show pfilter-ea fea summary loc 0/0/cpu0
******** NP Resource Usage Summary ************
Chan # 144-bit TCAM Entries 576-bit TCAM Entries Stats SS Hash Entries
========================================================================
0 0 0 0 0
1 0 0 0 0
2 0 0 0 0
3 5673 0 2998 0
4 0 0 0 0
5 0 0 0 0
6 0 0 0 0
7 0 0 0 0
Scale ACL – v4 example – test3 – compression L 3
show prm server tcam summary all acl all loc 0/0/cpu0
<snip>
TCAM summary for NP3:
TCAM Logical Table: TCAM_LT_L2 (1)
Partition ID: 0, priority: 2, valid entries: 3, free entries: 317
Partition ID: 1, priority: 2, valid entries: 0, free entries: 320
<snip>
TCAM Logical Table: TCAM_LT_ODS2 (2), free entries: 89275, resvd 128
ACL Common Region: 448 entries allocated. 448 entries free
Application ID: NP_APP_ID_IPV4_ACL (2)
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
TCAM Logical Table: TCAM_LT_ODS8 (3), free entries: 9084, resvd 128
ACL Common Region: 448 entries allocated. 448 entries free
Application ID: NP_APP_ID_ACL_IPV6 (2)
Total: 1 vmr_ids, 5673 active entries, 5673 allocated entries.
show prm server tcam summary all acl all loc 0/0/cpu0 | i active entries
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
<snip>
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 1 vmr_ids, 5673 active entries, 5673 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
<snip>
Scale ACL – v6 example – test4 – compression L 3
load ftp://user:[email protected]/acl/test4-v6-comp3
Loading.
8011 bytes parsed in 1 sec (7995)bytes/sec
commit
end
sho run ipv6 access-list test4-v6-comp3
ipv6 access-list test4-v6-comp3
10 permit tcp net-group ng_1 port-group pg_1 net-group ng_2 port-group pg_2
20 permit tcp net-group ng_1 port-group pg_1 net-group ng_3 port-group pg_3
30 permit tcp net-group ng_1 port-group pg_1 net-group ng_3 port-group pg_4
40 permit tcp net-group ng_1 port-group pg_1 net-group ng_4 port-group pg_4
<snip>
720 deny udp net-group ng_6 port-group pg_6 net-group ng_5 port-group pg_5
730 deny udp net-group ng_6 port-group pg_6 net-group ng_6 port-group pg_6
740 deny udp net-group ng_6 port-group pg_6 net-group ng_7 port-group pg_7
750 deny udp net-group ng_6 port-group pg_6 net-group ng_8 port-group pg_8
!
show access-lists ipv6 summary
ACL Summary:
Total ACLs configured: 1
Total ACEs configured: 75
Scale ACL – v6 example – test4 – compression L 3
show object-group network ipv6 ?
<snip>
object-group network ipv6 ng_1
members:
10:1:1::/48
11:1:1::/48
12:1:1::/48
13:1:1::/48
object-group network ipv6 ng_10
members:
10:1:1::/48
100:1:1::/48
101:1:1::/48
102:1:1::/48
<snip>
show object-group port ?
object-group port pg_1
members:
range 1000 1100
range 2000 2100
<snip>
Scale ACL – v6 example – test4 – compression L 3
show run interface ten 0/0/0/11
interface TenGigE0/0/0/11
load-interval 30
ipv6 access-group test4-v6-comp3 ingress compress level 3
show controller np ports all loc 0/0/cpu0
Node: 0/0/CPU0:
----------------------------------------------------------------
NP Bridge Fia Ports
-- ------ --- ---------------------------------------------------
0 -- 0 TenGigE0/0/0/0, TenGigE0/0/0/1, TenGigE0/0/0/2
1 -- 0 TenGigE0/0/0/3, TenGigE0/0/0/4, TenGigE0/0/0/5
2 -- 1 TenGigE0/0/0/6, TenGigE0/0/0/7, TenGigE0/0/0/8
3 -- 1 TenGigE0/0/0/9, TenGigE0/0/0/10, TenGigE0/0/0/11
4 -- 2 TenGigE0/0/0/12, TenGigE0/0/0/13, TenGigE0/0/0/14
<snip>
show access-lists ipv6 test4-v6-comp3 hardware ingress resource-usage loc 0/0/cpu0
NP : 3
Rules (ACE) : 78
ACL compression level : 3
Fields compressed : SrcIP, DstIP, SrcPort, DstPort
TCAM Entries used : 78 ( 16k total)
TCAM Key Width : 640 ( 560 total for compressed fields)
Fields Prefix count Bit width/rounded
~~~~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~
SourceIP 20 7/8 (of max 240)
DestIP 45 16/16 (of max 240)
SrcPort 69 5/8 (of max 240)
DstPort 169 8/8 (of max 240)
Total no. of bits used = 40 (of max 560) for compressed fields
Scale ACL – v6 example – test4 – compression L 3
show pfilter-ea fea summary loc 0/0/cpu0
******** NP Resource Usage Summary ************
Chan # 144-bit TCAM Entries 576-bit TCAM Entries Stats SS Hash Entries
========================================================================
0 0 0 0 0
1 0 0 0 0
2 0 0 0 0
3 0 78 78 0
4 0 0 0 0
5 0 0 0 0
6 0 0 0 0
7 0 0 0 0
Scale ACL – v6 example – test4 – compression L 3
show prm server tcam summary all acl all loc 0/0/cpu0
<snip>
TCAM summary for NP3:
TCAM Logical Table: TCAM_LT_L2 (1)
Partition ID: 0, priority: 2, valid entries: 3, free entries: 317
<snip>
TCAM Logical Table: TCAM_LT_ODS2 (2), free entries: 89275, resvd 128
ACL Common Region: 448 entries allocated. 448 entries free
Application ID: NP_APP_ID_IPV4_ACL (2)
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
TCAM Logical Table: TCAM_LT_ODS8 (3), free entries: 14679, resvd 128
ACL Common Region: 448 entries allocated. 448 entries free
Application ID: NP_APP_ID_ACL_IPV6 (2)
Total: 1 vmr_ids, 78 active entries, 78 allocated entries.
show prm server tcam summary all acl all loc 0/0/cpu0 | i active entries
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 1 vmr_ids, 78 active entries, 78 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
<snip>