ASR 9000 New Scale Features Flexible CLI & Scale...

ASR 9000 New Scale Features – Flexible CLI & Scale ACL's

BRKARC-3003

David Pothier - Enterprise Architect, Advanced Services [email protected]

© 2014 Cisco and/or its affiliates. All rights reserved. BRKARC-3003 Cisco Public

Before we begin . . .

ASR 9000 Features - Prior knowledge of ASR 9000 helpful but not required (quick poll)

Please ask questions – raise your hand

May defer network specific questions

3


Agenda

• ASR 9000 Overview

• Flexible CLI Overview

• Configuration & Use Cases

• Scale ACL Overview


• Summary

4


Agenda






• Summary

5


ASR 9000 Overview

• Cisco ASR 9000 Series Aggregation Services Routers are the foundation for next-generation Carrier Ethernet networks

• Deploying nV (Network Virtualization) features to optimize service delivery

– nV Satellite

– nV Edge (Cluster)

– VSM (Virtualized Service Model)

• 100Gb End-to-End Solutions

6


ASR 9000 Models

7

ASR 9000v ASR 9001 ASR 9904 ASR 9006 ASR 9010 ASR 9912 ASR 9922

RP None Built-in 1+1 RSP 1+1 RSP 1+1 RSP 1+1 RP 1+1 RP

Fabric None Built-in 2x RSP 2x RSP 2x RSP 6+1 6+1

Line cards &

ports 4x SFP+

44x SFP

4x SFP+

2x MPA 2 4 8 10 20

Rack units 1 2 6 10 21 30 44

Power modules 1x AC or 2x DC 2x AC or 2x DC 4x AC or 4x DC 4x AC or 4x DC 8x AC or 8x DC 12x AC or 12x DC 16x AC or 16x DC

Air flow Right to left Right to left Right to left Right to back Front to back Front to back Front to back

ASR901/903


NP0 PHY

NP2 PHY

NP3 PHY

NP1 PHY FIA0

CPU

B0

B1

3x 10G 3x10GE

SFP +

3x10GE

SFP +

NP0

NP1 3x 10G

3x 10G 3x10GE

SFP +

3x10GE

SFP +

NP2

NP3 3x 10G

3x 10G 3x10GE

SFP +

3x10GE

SFP +

NP4

NP5 3x 10G

3x 10G 3x10GE

SFP +

3x10GE

SFP +

NP6

NP7 3x 10G FIA3

FIA2

FIA1

FIA0

Sw

itch

Fa

bric

AS

IC

CPU

RSP 3 Switch

Fabric

Switch Fabric

RSP0

Switch Fabric

RSP1

A9K-4T

8x55G

4x23G

ASR9K Line Card Architecture Overview


Aggregation Node

Aggregation Network MPLS/IP

Carrier Ethernet Aggregation Access Edge

Aggregation Node

Aggregation Node

STB

VoD

Content Network

TV SIP

PON Node

DSLNode

VoD

Content Network

TV SIP

Multiservice Core

Core Network

IP / MPLS

Distribution Node

Corporate Business

Residential

STB

Residential

Aggregation Node

Distribution Node

Mobile

2G/3G/4G Node RAN Access

Network

MPLS/IP

Corporate

Business

Carrier Ethernet Network

9

EoMPLS

VPLS

nV


What’s ASR 9000 nV Edge System ?

10

Leverage existing IOS-XR

CRS multi-chassis SW

infrastructure

Simplified/Enhanced for

ASR 9000 nV Edge

Single control plane, single management plane, fully distributed

Super, Simple network resiliency, and extensible node

ASR 9000 nV Edge

CRS Multi-Chassis

Fabric

chassis


Agenda






• Summary

11


ASR 9000 Flexible CLI Overview

12

• What problem are we solving ?

• Supported Platforms

• Phased Implementation



Problem Statement

• IOS XR platforms’ features continue to grow

• Running configurations have grown significantly (mid-to-high end platforms)

High level goals

• reduce config complexity and size

• reduce operational errors & misconfigurations

• reduce repetition configurations

13



Supported on IOS XR Platforms

• ASR9K & CRS

• XR12K is not supported

• Original target platform was ASR9K, CRS was added per customer

requests

14



Phased Implementation

• Phase I 4.3.1 FlexCLI Feature introduced

• Phase II 5.1.1 Additional FlexCLI features

15


• IOS XR config is stored in a binary database that looks like a tree

• some configurations often have the same entries/values repeated

router ospf 10

area 0

int TenGigE0/1/0/0

int TenGigE0/1/0/1

int TenGigE0/1/0/2

int HundredGig 0/0/0/0

mtu 9000

Cost 1000

Cost 1000

Cost 1000

int HundredGig 0/0/0/1

mtu 9000

IOS XR System Configuration Database

16


IOS XR Flexible CLI Overview Configuration Groups

FlexCLI uses a config-group concept where it is a sub tree config that:

• is syntactically correct / validated

• is fully defined (i.e. starts from the root)

• can be applied at arbitrary levels of the config (sub modes)

• can use regular expressions

• automatic inheritance in hierarchical fashion

17


• Same tree which would contain regular expression

router ospf

area ‘.*’

int ‘TenGigE0/1/0/0’



int ‘HundredGiG.*’

mtu 9000

Cost 1000

Cost 1000

cost 1000

IOS XR Flexible CLI Overview

18


Agenda






• Summary

19


config t

group <group name>

config commands

end-group

config t

interface tengig 0/0/0/0

apply-group <group name>

commit

IOS XR Flexible CLI – Configuration and Use cases New CLI (group, end-group, apply-group Phase I - 4.3.1)

20


• show running-config group <group-name>

• show running-config inheritance interface r/s/m/p

• inheritance – config groups can be applied at different levels of hierarchy. Therefore “inheritance” of group configuration, can also happen at different levels of the configuration.

• inheritance can be overridden, by local CLI commands, at the lowest submode

IOS XR Flexible CLI – Configuration and Use cases New CLI (show commands Phase I - 4.3.1)

21


RP/0/RSP0/CPU0:ASR9K#show run group GigCE

group GigCE

interface 'GigabitEthernet.*'

mtu 1526

end-group

RP/0/RSP0/CPU0:ASR9K#show run interface GigabitEthernet0/1/0/1

interface GigabitEthernet0/1/0/1

apply-group GigCE

RP/0/RSP0/CPU0:ASR9K#show run inheritance interface GigabitEthernet0/1/0/1


## Inherited from group GigCE

mtu 1526

RP/0/RSP0/CPU0:PR-ASR9K-4#show interface GigabitEthernet0/1/0/1 | i MTU

MTU 1526 bytes, BW 1000000 Kbit (Max: 1000000 Kbit)

1)configure a group

2)apply the group

3)show run inheritance

4)MTU is inherited

IOS XR Flexible CLI – Configuration and Use cases Example: basic

22


RP/0/RSP0/CPU0:ASR9K#show run group GigCE

group GigCE

interface 'GigabitEthernet.*'

mtu 1526

end-group

RP/0/RSP0/CPU0:ASR9K#show run interface GigabitEthernet0/1/0/1


apply-group GigCE

mtu 1518

RP/0/RSP0/CPU0:ASR9K#show run inheritance interface GigabitEthernet0/1/0/1


mtu 1518

RP/0/RSP0/CPU0:PR-ASR9K-4#show interface GigabitEthernet0/1/0/1 | i MTU

MTU 1518 bytes, BW 1000000 Kbit (Max: 1000000 Kbit)

1)configure a group

2)apply the group

configure diff. MTU

3)show run inheritance

4)MTU is not inherited

overridden at interface

IOS XR Flexible CLI – Configuration and Use cases Example: local config overrides inheritance config

23


“up and right” is the rule…

• lowest (most specific) config takes precedence within any level,

• first group applied takes precedence

in the following example:

“ONE” has the highest priority

“SEVEN” has the lowest…

apply-group SIX SEVEN

router ospf 0

apply-group FOUR FIVE

area 0

apply-group THREE


apply-group ONE TWO

IOS XR Flexible CLI – Configuration and Use cases New CLI: multiple groups can be applied

24


“up and right” is the rule…

• lowest (most specific) config takes precedence within any level,

• first group applied takes precedence


apply-group GigCE-1526 GigCE-1400

mtu 1518

what is the MTU ?


apply-group GigCE-1526 GigCE-1400

what is the MTU ?

group GigCE-1526

interface

'GigabitEthernet.*'

mtu 1526

end-group

group GigCE-1400

interface

'GigabitEthernet.*'

mtu 1400

end-group

A

B

IOS XR Flexible CLI – Configuration and Use cases New CLI (multiple groups can be applied)

25


• Interface parameters

• Routing instance parameters

• MPLS-TE interface parameters

• L2VPN interface parameters

IOS XR Flexible CLI – Configuration and Use cases Common use cases:

26


group 10GE-intf-bundle interface 'TenGigE0/2/0/.*' lacp period short load-interval 30 transceiver permit pid all end-group

interface TenGigE0/2/0/14

apply-group 10GE-intf-bundle

bundle id 200 mode active

RP/0/RSP0/CPU0:ASR9K#show run interface TenGigE0/2/0/14 inheritance detail


bundle id 200 mode active

## Inherited from group 10GE-intf-bundle

lacp period short


load-interval 30


transceiver permit pid all

IOS XR Flexible CLI – Configuration and Use cases Common use cases: Interface parameters

27


group 10GE-Bundle interface 'Bundle-Ether.*' mtu 9216 ipv4 mtu 9000 ipv4 point-to-point ipv6 mtu 9000 load-interval 60 end-group

interface Bundle-Ether200

apply-group 10GE-Bundle

ipv4 address 10.1.1.1/24

RP/0/RSP0/CPU0:ASR9K#show run interface bundle-ether 200 inheritance detail


## Inherited from group 10GE-Bundle

mtu 9216


ipv4 mtu 9000


ipv4 point-to-point

ipv4 address 192.192.1.25 255.255.255.0


ipv6 mtu 9000


load-interval 60

IOS XR Flexible CLI – Configuration and Use cases Common use cases: Interface parameters

28


group ISIS router isis 'Core1' interface 'Bundle-Ether.*' circuit-type level-2-only point-to-point hello-password keychain secure-isis address-family ipv4 unicast metric 500 end-group

router isis Core1 set-overload-bit on-startup wait-for-bgp level 2 is-type level-2-only net 49.0005.0049.1997.0000.1002.00 nsf ietf log adjacency changes address-family ipv4 unicast metric-style wide level 2 metric 10 maximum-paths 32 ! interface Bundle-Ether200 apply-group ISIS

RP/0/RSP0/CPU0:ASR9K#show run router isis Core1 inheritance detail

router isis Core1

set-overload-bit on-startup wait-for-bgp level 2

<snip>


## Inherited from group ISIS

circuit-type level-2-only


point-to-point


hello-password keychain secure-isis


address-family ipv4 unicast


metric 500

IOS XR Flexible CLI – Configuration and Use cases Common use cases: Routing Instance parameters

29


group TUNNEL interface 'tunnel-te.*' ipv4 unnumbered Loopback0 load-interval 30 logging events lsp-status reoptimize logging events lsp-status state logging events lsp-status reroute logging events lsp-status insufficient-bandwidth autoroute announce ! fast-reroute path-protection logging events link-status ! end-group

interface tunnel-te1000

apply-group TUNNEL

description DC EAST-WEST Northbound

path-option 10 dynamic attribute-set EAST protected-by 20

path-option 20 dynamic attribute-set WEST protected-by 10

path-option 30 dynamic attribute-set CORE

RP/0/RSP0/CPU0:ASR9K#show run inter tunnel-te1000 inheritance detail

interface tunnel-te1000

description DC EAST-WEST Northbound

## Inherited from group TUNNEL

ipv4 unnumbered Loopback0


load-interval 30


logging events lsp-status reoptimize


logging events lsp-status state


logging events lsp-status reroute


logging events lsp-status insufficient-bandwidth


autoroute announce

!


fast-reroute


path-protection

path-option 10 dynamic attribute-set EAST protected-by 20

path-option 20 dynamic attribute-set WEST protected-by 10

path-option 30 dynamic attribute-set CORE


logging events link-status

IOS XR Flexible CLI – Configuration and Use cases Common use cases: MPLS-TE interfaces

30


group l2vpn l2vpn pw-class 'test' encapsulation mpls ipv4 source 1.2.3.4 ! ! ! end-group end

l2vpn

pw-class test

apply-group l2vpn

!

!

RP/0/RSP0/CPU0:ASR9K#show run inheritance l2vpn

l2vpn

pw-class test

## Inherited from group l2vpn

encapsulation mpls

## Inherited from group l2vpn

ipv4 source 1.2.3.4

!

!

!

IOS XR Flexible CLI – Configuration and Use cases Common use cases: L2VPN

31


group test1 interface 'TenGig.*' description flexcli test ! interface 'TenGig.*\..*' l2transport rewrite ingress tag pop 1 symmetric mtu 1518 ! end-group

RP/0/RSP0/CPU0:ASR9K#show run int TenGigE0/2/0/10


apply-group test1

cdp

ipv4 address 12.0.1.3 255.0.0.0

!

RP/0/RSP0/CPU0:ASR9K#show run int TenGigE0/2/0/10.100

interface TenGigE0/2/0/10.100 l2transport

apply-group test1

encapsulation dot1q 100

RP/0/RSP0/CPU0:ASR9K#sho run int TenGigE0/2/0/10 inheritance detail


## Inherited from group test1

description flexcli test

ipv4 address 12.0.1.3 255.0.0.0

!

RP/0/RSP0/CPU0:ASR9K#sho run int TenGigE0/2/0/10.100 inheritance detail

interface TenGigE0/2/0/10.100 l2transport

encapsulation dot1q 100


rewrite ingress tag pop 1 symmetric


mtu 1518

IOS XR Flexible CLI – Configuration and Use cases Common use cases: L2VPN

32


ASR9K/CRS/NCS – Internet Usage

33

1 billion – PSY’s Gangnam Style video became the first online video to reach 1 billion views and achieved it in just 5 months.

http://www.guinnessworldrecords.com/news/2012/9/gangnam-style-now-most-liked-video-in-youtube-history-44977/





















© 2014 Cisco and/or its affiliates. All rights reserved. BRKARC-3003 Cisco Public 34

Data Traffic Reference • 1 Byte: A single character (1)

• 1 Kilobyte: Half a typewritten page (1,024 bytes)

• 1 Megabyte: A short novel (1024 kilobytes)

• 1 Gigabyte: A movie at TV quality (1024 megabytes)

• 1 Terabyte: About half the content of an academic research library (10 terabytes: the printed

collection of the US Library of Congress). (1 trillion bytes)

• 1 Petabyte: About half the content of all U.S. academic research libraries (1 million gigabytes)

• 5 Exabytes: All words ever spoken by human beings. (5 billion gigabytes)

• 1 Zettabyte: About half of the information sent through broadcast technology (such as TV and

GPS) in 2007. (1 trillion gigabytes)

• Yottabyte (1 000 000 000 000 000 000 000 000 Bytes). Named after Yoda.

• Xenottabytes (1 000 000 000 000 000 000 000 000 000 Bytes)

• Shilentnobytes (1 000 000 000 000 000 000 000 000 000 000 Bytes)

• Domegemegrottebytes (1 000 000 000 000 000 000 000 000 000 000 000 Bytes).

• Icosebyte (1 000 000 000 000 000 000 000 000 000 000 000 000 Bytes).

• Monoicosebyte (1,000,000,000,000,000,000,000,000,000,000,000,000,000 Bytes


Agenda






• Summary

35


ASR 9000 ACL’s before Scale ACL feature:

• TCAM based architectures to perform ACL classification for security &

filtering ACL’s and ACL based QoS classification

• TCAM based implementations offer extremely high speed and

deterministic lookups, but are poorly suited for very large rule sets

• Repetition of rules in similar ACE’s.

• Large TCAM space requirements in scaled scenario’s

ASR 9000 IOS XR Scale ACL Overview

36


TCAM based ACL’s:

• Essentially custom memory that takes a lookup key and mask, and

returns a result. (TCAM “rule” or “Value Mask Result”)

ASR 9000 IOS XR Scale ACL Overview

37


ASR 9000 Scale ACL Configuration improvements:

• Easier and friendlier to use “sets” of objects when building rules....

– This: – Set A = (j,k,l,m) Set B = (w,x,y,z)

– permit ipv4 (set A) (set B)

– Is easier on the eyes than this: – permit host j host w

– permit host k host w

– permit host l host w

– permit host m host w

– permit host j host x

– permit host k host x

– And so on... (4x4 would be 16 rules... Imagine 100x400x20!)

38


Scale ACL Object-group's

• As we talk about “object-groups” on the next slides – think of them analogous to creating a prefix-set, which an IOS XR RPL route-policy then calls into function within the route policy

• ACL’s will call into function various “object groups”

39


Scale ACL Object-group CLI

• Network groups to define a set of prefixes

– Prefixes, hosts, range of prefixes,

– Nested groups

• Port groups to define a set of ports • Port entries, and operators

• Nested groups

– Supported for both IPv4 and IPv6

– ACE entries in an ACL support both specifying object group names and individual traditional entries

40


Scale ACL Configuration CLI

1) Create an object-group (either network or port, or both)

2) Create the access-list

3) Enter the ACL permit or deny entries, using net-group or port-group syntax

41


Scale ACL Configuration Example:

42

object-group network ipv4 SRC_1

10.10.1.0/24

host 10.10.1.100

ipv4 access-list scale

10 permit tcp net-group SRC_1 net-group DEST_1 port-group PORTS_1

object-group network ipv4 DEST_1

30.30.0.0/16

host 30.30.1.100

object-group port PORT_1

eq telnet

range 1024 65535


Scale ACL Configuration Example:

43

Current CLI new Scale object-group CLI

ipv4 access-list acl1

10 permit tcp host 1.1.1.1 host 10.10.10.1 eq ftp



40 permit tcp host 1.1.1.1 host 10.10.10.1 eq domain



70 permit tcp host 1.1.1.1 host 10.10.10.1 lt 1024



100 permit tcp host 1.1.1.1 host 10.10.10.1 range 2400 2500



!

object-group network ipv4 site-east

1.1.1.1/32

1.1.1.2/32

1.1.1.3/32

!

object-group port site-west-portgroup1

eq ftp

eq domain

lt 1024

range 2400 2500

!

ipv4 access-list acl1

10 permit tcp net-group site-east host 10.10.10.1

port-group site-west-portgroup1

!


Scale ACL CLI syntax RP/0/RSP0/CPU0:ASR9K(config)#object-group network ipv4 <name> ? A.B.C.D/length IPv4 address/prefix description Description for the object group host A single host address object-group Nested object group range Range of host addresses <cr> RP/0/RSP0/CPU0:ASR9K(config)#object-group port test ? description description for the object group eq Match packets on ports equal to entered port number gt Match packets on ports greater than entered port number lt Match packets on ports less than entered port number neq Match packets on ports not equal to entered port number object-group nested object group range Match only packets on a given port range <cr>

ACE syntax

{ipv4 | ipv6} access-list <name> 10 permit tcp net-group <name> net-group <name> port-group <name> [options]

44


Scale ACL CLI syntax • Hybrid mode ACE lines are allowed.

• For example: can use object-group in source field, and individual address/prefix in destination field.

• Can have ACEs with object group and ACEs without object groups in the same ACL

ipv4 access-list scale

10 permit tcp net-group SRC_1 net-group DEST_1 port-group PORTS_1

20 permit icmp 10.10.1.0/24 host 192.168.1.100 echo

30 permit icmp 10.10.1.0/24 host 192.168.10.100 echo

45


Scale ACL - Compression

• Can apply ACL on interface with a choice to select compression level in HW

• Compression level translates to which fields from (src,dst, src port, dest port) should be programmed in TCAM in compressed format.

• More compression means less TCAM space, but extra lookups in NP. This is a trade off between TCAM memory usage versus line rate performance.

46



• Config option to enable compressed format on per interface basis.

• 3 levels of compression supported (0,1,3) with 3 being the best compression & scale capabilities but the worst NP performance hit

• Can support only one compression mode of an ACL on a given LC

– Once an ACL is applied with a compression level on an interface, it can be applied with the same compression level on other interfaces on same LC.

– you cannot mix different compression levels on the same LC

47



• There are 3 available compression levels for a scaled ACL.

• level 0 simply expands the object groups and dumps into TCAM.

– identical performance to legacy ACL

– more convenient configuration

• level 1 compresses only the source prefix object-groups

– smallest performance hit, but still very high scale

• level 3 compresses both Source & Destination, network and port groups

– higher performance reduction, large scale improvements

• generally speaking: use the least compression that fits(better performance)

– “more flexibility” to trade performance vs. scale vs. cost

– Note: –SE cards have much larger TCAMs than –TR cards

48


Scaled ACL - Counters

• In hardware, each TCAM entry points at a counter.

• Regardless of legacy vs. scale object-group config, each configured ACE will have one counter associated.

• Scaled ACL allows you to combine many rules into a single ACE, which also becomes a single counter.

• Still order-dependent, so use sequence numbers...

49


Scale ACL – Ipv4 example

50

show run ipv4 access-list test1

ipv4 access-list test1

10 permit ipv4 any any

10 permit ipv4 any any (this is 1 TCAM entry)

(implicit deny) (this is 1 TCAM entry


Scale ACL – IPv4 example

51

show run interface ten0/0/0/11


ipv4 access-group test1 ingress

show controller np ports all loc 0/0/cpu0

Node: 0/0/CPU0:

----------------------------------------------------------------

NP Bridge Fia Ports

-- ------ --- ---------------------------------------------------

0 -- 0 TenGigE0/0/0/0, TenGigE0/0/0/1, TenGigE0/0/0/2





<snip>

show access-lists test1 hardware ingress resource-usage loc 0/0/cpu0

NP : 3

Rules (ACE) : 2

ACL compression level : 0

Fields compressed : None

TCAM Entries used : 2 ( 96k total)

TCAM Key Width : 160 ( 0 total for compressed fields)

show pfilter-ea fea summary loc 0/0/cpu0

******** NP Resource Usage Summary ************

Chan # 144-bit TCAM Entries 576-bit TCAM Entries Stats SS Hash Entries

========================================================================

0 0 0 0 0

1 0 0 0 0

2 0 0 0 0

3 2 0 2 0

4 0 0 0 0


Scale ACL – v4 example – test1

52

show prm server tcam summary all acl all loc 0/0/cpu0

<snip>

TCAM summary for NP3:

TCAM Logical Table: TCAM_LT_L2 (1)

Partition ID: 0, priority: 2, valid entries: 3, free entries: 317

<snip>

TCAM Logical Table: TCAM_LT_ODS2 (2), free entries: 89273, resvd 128

ACL Common Region: 448 entries allocated. 448 entries free

Application ID: NP_APP_ID_IPV4_ACL (2)

Total: 1 vmr_ids, 2 active entries, 2 allocated entries.



Application ID: NP_APP_ID_ACL_IPV6 (2)



Agenda






• Summary

53


Summary for today's session:

• Reduce large ASR 9000 IOS XR configurations using (FlexCLI + ScaleACL)

• Take advantage of IOS XR FlexCLI to reduce and re-use common configurations

• Scale ACL - Security is top most requirement - reduce large ACL configurations

• Take advantage of Scale ACL to reduce large configuration and take advantage of the ability to re-use security stanzas

• Please contact me direct if you have questions on FlexCLI or ScaleACL configurations or issues. My direct email is [email protected]. We will be glad to help. Thank you for attending today's session.

54


References ASR9K Configuration Guides Cisco.com http://www.cisco.com/en/US/products/ps5845/products_installation_and_configuration_guides_list.html ASR9K Master Command Reference Cisco.com http://www.cisco.com/en/US/products/ps5845/products_product_indices_list.html ASR9K Cisco Support Forum Documents https://supportforums.cisco.com/community/netpro/service-providers/ios-xr?view=documents ASR9K Cisco Support Forum – Feature order of Operations https://supportforums.cisco.com/docs/DOC-32025

55

http://www.cisco.com/en/US/products/ps5845/products_installation_and_configuration_guides_list.html

http://www.cisco.com/en/US/products/ps5845/products_installation_and_configuration_guides_list.html

http://www.cisco.com/en/US/products/ps5845/products_product_indices_list.html

https://supportforums.cisco.com/community/netpro/service-providers/ios-xr?view=documents





https://supportforums.cisco.com/docs/DOC-32025





Participate in the “My Favorite Speaker” Contest

• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)

• Send a tweet and include

– Your favorite speaker’s Twitter handle @dpothier

– Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speakers

• Don’t forget to follow @CiscoLive and @CiscoPress

• View the official rules at http://bit.ly/CLUSwin

Promote Your Favorite Speaker and You Could be a Winner

56

http://bit.ly/CLUSwin


Complete Your Online Session Evaluation

• Give us your feedback and you could win fabulous prizes. Winners announced daily.

• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

57

https://www.ciscolive.com/online


Continue Your Education

• Demos in the Cisco Campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings

58


Scale ACL – v4 example – test2 – compression L 1 config t

load ftp://user:[email protected]/acl/test2-comp1

Loading.

20073 bytes parsed in 1 sec (20052)bytes/sec

commit

end

show run ipv4 access-list test2-comp1

ipv4 access-list test2-comp1

10 permit tcp net-group net_group_1 net-group net_group_1 port-group port_group_1


30 permit tcp net-group net_group_1 port-group port_group_1 net-group net_group_1

40 permit tcp net-group net_group_1 port-group port_group_2 net-group net_group_1


<snip>


450 permit tcp net-group net_group_39 10.0.0.0/8 port-group port_group_22

460 permit tcp net-group net_group_12 net-group net_group_40 eq ssh

470 permit tcp net-group net_group_40 eq ssh net-group net_group_12

show access-lists ipv4 summary

ACL Summary:

Total ACLs configured: 1

Total ACEs configured: 47

61


Scale ACL – v4 example – test2 – compression L 1 show object-group network ipv4 ?

| Output Modifiers

net_group_1 Object group name




<snip>

<snip>




show object-group port ?

| Output Modifiers

port_group_1 Object group name



<snip>

<snip>





62


Scale ACL – v4 example – test2 – compression L 1

show run interface ten 0/0/0/11


load-interval 30

ipv4 access-group test2-comp1 ingress compress level 1

sho controller np ports all loc 0/0/cpu0

Node: 0/0/CPU0:

----------------------------------------------------------------

NP Bridge Fia Ports

-- ------ --- ---------------------------------------------------






7 <snip>

show access-lists test2-comp1 hardware ingress resource-usage loc 0/0/cpu0

NP : 3

Rules (ACE) : 47


Fields compressed : SrcIP



Fields Prefix count Bit width/rounded

~~~~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~

SourceIP 579 15/16 (of max 32)

Total no. of bits used = 16 (of max 32) for compressed fields

63



64

RP/0/RP0/CPU0:ASR9K#show pfilter-ea fea summary loc 0/0/cpu0



========================================================================

0 0 0 0 0

1 0 0 0 0

2 0 0 0 0

3 11618 0 47 0

4 0 0 0 0

5 0 0 0 0

6 0 0 0 0

7 0 0 0 0


Scale ACL – v4 example – test2 – compression L 1 show prm server tcam summary all acl all loc 0/0/cpu0

<snip>




<snip>









show prm server tcam summary all acl all loc 0/0/cpu0 | i active entries











<snip>

65


Scale ACL – v4 example – test2 – comparison compression L 1 versus 3

show access-lists test2-comp1 hardware ingress resource-usage loc 0/0/cpu0 (Level 1)

NP : 3

Rules (ACE) : 47


Fields compressed : SrcIP




~~~~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~



show access-lists test2-comp1 hardware ingress resource-usage loc 0/0/cpu0 (Level 3)

NP : 3

Rules (ACE) : 47


Fields compressed : SrcIP, DstIP, SrcPort, DstPort




~~~~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~


DestIP 381 14/16 (of max 240)

SrcPort 99 10/16 (of max 240)

DstPort 109 13/16 (of max 240)


66


Scale v4 ACL test 3

• Some notes on the following large ACL test

• approx 4800 object-groups:

– 4000 network groups with ~20k total pfx/masks

– 800 port groups, ~1750 port statements, 200 ranges

• ~3000 access list entries

– virtually all of them call multiple object groups

• would expand out to approx. 17 million individual ACL entries if you had to write it with legacy ACL CLI

67


Scale ACL – v4 example – test3 – compression L 3 config t

load ftp://user:[email protected]/acl/test3-comp3

Loading....................


commit

end

show run ipv4 access-list test3-comp3

ipv4 access-list test3-comp3

10 permit icmp net-group parent_src_grp_1 net-group parent_src_grp_1

20 permit udp any net-group parent_dst_grp_2

30 permit udp any net-group DCC_SBS_NEW_ORDER

40 permit udp net-group DCC_GLOBAL_PROD net-group SP_GLOBAL_PROD_3

<snip>

35090 permit tcp net-group DCC_CSE_CORP_CRPSRVENG_101 port-group src_port_grp_11 net-group

DCC_OPS_QA_EAST_MAIN port-group dst_port_grp_NY

35230 permit udp net-group SRC_SP1_SUPERNETS_5 net-group DCC_OPS_SP1_SYSLOG_SJ port-group

dst_port_grp_55

35240 permit tcp net-group SRC_DCA_ADX_SP1_EAST_CLIENTS_1782 port-group src_port_grp_11 net-

group DCC_OPS_SP1_SYSLOG_EAST_3145 port-group dst_port_grp_3524


ACL Summary:



68



object-group network ipv4 DCC_EAST_SP1_DCC_SERVERS

members:

192.168.1.84/30

192.168.10.112/31

192.168.100.120/31

<snip>

<snip>

object-group network ipv4 parent_dcc_grp

members:

object-group DCC_OPS_NTP_TIER1

object-group DCC_SP1_SUPERNETS





<snip>

<snip>

object-group port src_port_grp_WEST

members:

eq 111

range 1024 65535

69





load-interval 30

ipv4 access-group test3-comp3 ingress compress level 3

sho controller np ports all loc 0/0/cpu0

Node: 0/0/CPU0:

----------------------------------------------------------------

NP Bridge Fia Ports

-- ------ --- ---------------------------------------------------






7 <snip>

show access-lists test3-comp3 hardware ingress resource-usage loc 0/0/cpu0

NP : 3

Rules (ACE) : 2998






~~~~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~

SourceIP 20763 202/208 (of max 240)

DestIP 5317 57/64 (of max 240)


DstPort 1049 155/160 (of max 240)


70






========================================================================

0 0 0 0 0

1 0 0 0 0

2 0 0 0 0

3 5673 0 2998 0

4 0 0 0 0

5 0 0 0 0

6 0 0 0 0

7 0 0 0 0

71



<snip>






<snip>











<snip>





<snip>

72



load ftp://user:[email protected]/acl/test4-v6-comp3

Loading.


commit

end

sho run ipv6 access-list test4-v6-comp3

ipv6 access-list test4-v6-comp3

10 permit tcp net-group ng_1 port-group pg_1 net-group ng_2 port-group pg_2




<snip>

<snip>

720 deny udp net-group ng_6 port-group pg_6 net-group ng_5 port-group pg_5




!


ACL Summary:

ACL Summary:



73



<snip>

object-group network ipv6 ng_1

members:

10:1:1::/48

11:1:1::/48

12:1:1::/48

13:1:1::/48

object-group network ipv6 ng_10

members:

10:1:1::/48

100:1:1::/48

101:1:1::/48

102:1:1::/48

<snip>


object-group port pg_1

members:

range 1000 1100

range 2000 2100

<snip>

74





load-interval 30

ipv6 access-group test4-v6-comp3 ingress compress level 3

show controller np ports all loc 0/0/cpu0

Node: 0/0/CPU0:

----------------------------------------------------------------

NP Bridge Fia Ports

-- ------ --- ---------------------------------------------------






<snip>

show access-lists ipv6 test4-v6-comp3 hardware ingress resource-usage loc 0/0/cpu0

NP : 3

Rules (ACE) : 78






~~~~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~


DestIP 45 16/16 (of max 240)


DstPort 169 8/8 (of max 240)


75







========================================================================

0 0 0 0 0

1 0 0 0 0

2 0 0 0 0

3 0 78 78 0

4 0 0 0 0

5 0 0 0 0

6 0 0 0 0

7 0 0 0 0

76



<snip>




<snip>




















<snip>

77

ASR 9000 New Scale Features Flexible CLI & Scale...

Documents

Transcript of ASR 9000 New Scale Features Flexible CLI & Scale...