Using Protocol or Port IDs in Access Rules

Potential Hashing Issues

Using a port or protocol identifier in an access rule can cause the switch to add many entries to the forwarding cache when the traffic between two endpoints consists of many flows: each flow needs its own entry so that the port or protocol can be matched, and all of those entries hash to the same location in the forwarding cache because they share the same source and destination address.

For safe, efficient ACLs, do not use:

Be very careful if you use a source wildcard and a single destination together with protocol or port identifiers. This configuration is safe when the destination is a local interface address, because all packets destined to local interfaces are forwarded to the slow path anyway; the interface simply compares the packets against the ACL before processing them and forwarding them to the supervisor.

However, if the destination specified in the access rule is a network host and many simultaneous flows exist, switch performance can degrade. The switch must generate a forwarding cache entry for every simultaneous flow in order to differentiate the packets by protocol and port, and because those entries share the same source and destination address they all hash to the same location. Every lookup then has to walk that one overloaded location, and you may observe a degradation of switch performance.
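The following simulation is an added example and is not code from the original page or from any switch vendor. It models a hashed forwarding cache whose hash covers only the source and destination addresses, as the text describes, and compares two cache keys: an address-pair key (what the switch can use when the access rule does not name a port or protocol) and a full 5-tuple key (what a port or protocol identifier forces). The bucket count, the hash function, the `Flow` type and the two constructed traffic patterns are assumptions made for illustration, not a description of any particular switch.

```python
"""Simulate a hashed forwarding cache to show why access rules that match on
protocol or port pile entries into one hash location.

Added example; not from the original page. BUCKETS, the hash function and the
traffic patterns are assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

BUCKETS = 4096  # assumed number of hash locations in the forwarding cache


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def cache_key(flow, mask):
    """Key under which the cache stores a flow.

    mask='addr': source and destination address only (one entry per host pair).
    mask='full': the full 5-tuple, which an access rule that matches on
                 protocol or port forces the switch to keep.
    """
    if mask == "addr":
        return (flow.src, flow.dst)
    if mask == "full":
        return (flow.src, flow.dst, flow.proto, flow.sport, flow.dport)
    raise ValueError(f"unknown mask {mask!r}")


def bucket(flow):
    """Hash over addresses only: every flow between the same two endpoints
    lands in the same location regardless of protocol or port."""
    s = int(ip_address(flow.src))
    d = int(ip_address(flow.dst))
    return (s ^ (d * 0x9E3779B1)) % BUCKETS  # assumed mixing constant


def populate(flows, mask):
    """Insert every flow; return {bucket: set of keys stored there}."""
    cache = defaultdict(set)
    for f in flows:
        cache[bucket(f)].add(cache_key(f, mask))
    return cache


def stats(cache):
    """(total entries, entries in the most crowded location)."""
    entries = sum(len(keys) for keys in cache.values())
    longest = max(len(keys) for keys in cache.values())
    return entries, longest


def lookup_cost(cache, flow):
    """Entries the switch must compare to find this flow's entry."""
    return len(cache[bucket(flow)])


def compare(flows):
    """Cache statistics for each mask over the same traffic."""
    return {mask: stats(populate(flows, mask)) for mask in ("addr", "full")}


def many_flows_one_pair(n, src="10.0.0.5", dst="192.0.2.10"):
    """Constructed traffic: one client opens n TCP connections to one server
    from distinct ephemeral ports. This is the degrading case from the text."""
    return [Flow(src, dst, 6, 1024 + i, 80) for i in range(n)]


def many_sources(n, dst="192.0.2.10"):
    """Constructed traffic: n different clients each open one connection to the
    same server. Matches a source-wildcard rule but spreads across locations."""
    base = int(ip_address("10.0.0.0"))
    return [Flow(str(ip_address(base + 1 + i)), dst, 6, 40000, 80) for i in range(n)]


if __name__ == "__main__":
    for name, flows in (("one pair, 1000 flows", many_flows_one_pair(1000)),
                        ("1000 sources, one flow each", many_sources(1000))):
        for mask, (entries, longest) in compare(flows).items():
            print(f"{name:28s} mask={mask:4s} entries={entries:5d} "
                  f"longest location={longest}")
    full = populate(many_flows_one_pair(1000), "full")
    print("lookup cost for one flow of the crowded pair:",
          lookup_cost(full, many_flows_one_pair(1)[0]))
```

With the address-pair key, a thousand connections between one client and one server collapse to a single entry. With the full 5-tuple key the same traffic produces a thousand entries in one location, and every lookup for that pair has to compare against all of them; the same thousand flows from a thousand different sources spread over a thousand locations, which is why the problem is specific to many simultaneous flows between the same two hosts.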
