Re: Turbo ACL

From: Danshtr (danshtr@gmail.com)
Date: Tue Feb 01 2005 - 09:32:13 GMT-3


Thanks,

Can _I_ know how Cisco implemented the compiled ACL? Or is it a secret?

On Mon, 31 Jan 2005 12:37:22 -0500, James <james@towardex.com> wrote:
> On Mon, Jan 31, 2005 at 11:59:19AM +0200, Danshtr wrote:
> > Thanks, but I was more looking for how it is implemented.
> > Does the order of the ACL matter?
> > Is it similar to skip states of OpenBSD PF?
>
> No. OpenBSD pf(4) establishes state to match subsequent packets. While pf(4)'s
> skip-state is a fast mechanism, if you were to do that on a backbone core router
> moving large amounts of varying flows, your box would crash within 2 minutes flat
> due to pool exhaustion. (Yes. me == been there, done that)
>
> pf(4) is more similar to Netflow or IP Fast Cache on Cisco in the manner it
> functions.
>
> Turbo ACL, also known as Compiled ACL simply recompiles your ruleset into a
> set of lookup tables, kind of like HiPac extension for iptables.
>
> OpenBSD pf(4) by default also does 'skip step' or "skip-stepping" on line-by-line
> rule evaluations. So if you group your rules by elements like interface
> matches, it will skip all the irrelevant rules after the first match.
> Skip stepping is at least a little bit close to Cisco's TurboACL approach.
>
> -J
>
> --
> James Jun TowardEX Technologies, Inc.
> Technical Lead Boston IPv4/IPv6 Web Hosting, Colocation and
> james@towardex.com Network design/consulting & configuration services
> cell: 1(978)-394-2867 web: http://www.towardex.com , noc: www.twdx.net
>

-- 
Best regards,
Dan

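The thread above contrasts first-match, line-by-line ACL evaluation with a ruleset "recompiled into a set of lookup tables". The following is an added example, not code from the thread or from Cisco, and it does not claim to show Turbo ACL's internals (the thread leaves that unanswered). It compiles a small ACL into per-field lookup tables using the classic bit-vector packet-classification scheme (an assumption chosen for illustration), then shows that the compiled form returns exactly the same rule as the linear scan, and that rule order still matters in both, because the lowest set bit in the ANDed vector is the first rule in configured order. The ACL, packets and field layout (protocol, source, destination, destination port) are all constructed here.

```python
"""Linear first-match ACL lookup versus a ruleset compiled into per-field
lookup tables of bit vectors (one bit per rule). Added illustration; the
bit-vector scheme is an assumed technique, not Cisco's documented one."""
import ipaddress
from bisect import bisect_right


def prefix_range(cidr):
    """'10.0.0.0/8' -> inclusive (lo, hi) range of 32-bit integers."""
    net = ipaddress.ip_network(cidr, strict=False)
    return (int(net.network_address), int(net.broadcast_address))


def rule(action, proto, src, dst, dport):
    """Build one ACL entry; 'any' widens a field to its full range."""
    return {
        "action": action,
        "fields": (
            (0, 255) if proto == "any" else (proto, proto),
            prefix_range(src),
            prefix_range(dst),
            (0, 65535) if dport == "any" else (dport, dport),
        ),
    }


def packet(proto, src, dst, dport):
    """Header tuple in the same field order as rule()['fields']."""
    return (proto, int(ipaddress.ip_address(src)),
            int(ipaddress.ip_address(dst)), dport)


# Constructed sample ACL. Rule 0 and rule 1 overlap on purpose: a telnet
# session from the management net matches both, and only order decides.
ACL = [
    rule("deny",   6,     "0.0.0.0/0",      "10.0.0.0/8",  23),     # no telnet into 10/8
    rule("permit", 6,     "192.168.1.0/24", "10.0.0.0/8",  "any"),  # management net
    rule("permit", 6,     "0.0.0.0/0",      "10.1.2.3/32", 80),     # public web server
    rule("permit", 17,    "0.0.0.0/0",      "10.1.2.4/32", 53),     # DNS
    rule("permit", "any", "192.168.0.0/16", "0.0.0.0/0",   "any"),  # internal out
]


def linear_lookup(rules, pkt):
    """Walk the list top to bottom; return the index of the first match."""
    for i, r in enumerate(rules):
        if all(lo <= v <= hi for v, (lo, hi) in zip(pkt, r["fields"])):
            return i
    return None  # implicit deny: nothing matched


def compile_rules(rules):
    """Per field: split the value space at every rule boundary into
    elementary intervals, and store for each interval the bit vector of
    rules whose range covers it. Membership is constant inside an interval,
    so testing the interval's start value is enough."""
    tables = []
    for f in range(len(rules[0]["fields"])):
        cuts = sorted({0}
                      | {r["fields"][f][0] for r in rules}
                      | {r["fields"][f][1] + 1 for r in rules})
        vectors = []
        for start in cuts:
            vec = 0
            for i, r in enumerate(rules):
                lo, hi = r["fields"][f]
                if lo <= start <= hi:
                    vec |= 1 << i
            vectors.append(vec)
        tables.append((cuts, vectors))
    return tables


def compiled_lookup(tables, pkt):
    """One binary search per field, AND the vectors, take the lowest set bit.
    Cost is independent of how many rules precede the match."""
    vec = None
    for v, (cuts, vectors) in zip(pkt, tables):
        fv = vectors[bisect_right(cuts, v) - 1]
        vec = fv if vec is None else vec & fv
        if vec == 0:
            return None  # no rule survives all fields: implicit deny
    return (vec & -vec).bit_length() - 1  # lowest bit = first rule in order


def decide(rules, idx):
    return "deny" if idx is None else rules[idx]["action"]


def equivalent(rules, pkts):
    """True when the compiled tables agree with the linear scan on every packet."""
    tables = compile_rules(rules)
    return all(linear_lookup(rules, p) == compiled_lookup(tables, p) for p in pkts)


if __name__ == "__main__":
    telnet = packet(6, "192.168.1.5", "10.0.0.1", 23)
    print(decide(ACL, compiled_lookup(compile_rules(ACL), telnet)))      # deny
    swapped = [ACL[1], ACL[0]] + ACL[2:]                                # order matters
    print(decide(swapped, compiled_lookup(compile_rules(swapped), telnet)))  # permit
```

Swapping the first two entries flips the telnet verdict in both the linear and the compiled form, which is the practical answer to "does order matter": compiling changes the cost of a lookup, not the first-match semantics. Note also that the tables must be rebuilt whenever the ACL changes, which is the trade-off a compiled ruleset makes for its constant per-packet cost.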



This archive was generated by hypermail 2.1.4 : Thu Mar 03 2005 - 08:51:15 GMT-3