
ASR 9000 New Scale Features – Flexible CLI & Scale ACLs

BRKARC-3003

David Pothier - Enterprise Architect, Advanced Services
dpothier@cisco.com
Before we begin . . .
• ASR 9000 Features
 - Prior knowledge of ASR 9000 helpful but not required (quick poll)
• Please ask questions – raise your hand
• May defer network specific questions

BRKARC-3003 © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• ASR 9000 Overview
• Flexible CLI Overview
• Configuration & Use Cases
• Scale ACL Overview
• Configuration & Use Cases
• Summary

ASR 9000 Overview

• Cisco ASR 9000 Series Aggregation Services Routers are the foundation for next-generation Carrier Ethernet networks
• Deploying nV (Network Virtualization) features to optimize service delivery
 – nV Satellite
 – nV Edge (Cluster)
 – VSM (Virtualized Service Model)
• 100Gb End-to-End Solutions

ASR 9000 Models

Model      RP        Fabric    Line cards & ports   Rack units  Power modules     Air flow
ASR 9000v  None      None      4x SFP+, 44x SFP     1           1x AC or 2x DC    Right to left
ASR 9001   Built-in  Built-in  4x SFP+, 2x MPA      2           2x AC or 2x DC    Right to left
ASR 9904   1+1 RSP   2x RSP    2 line cards         6           4x AC or 4x DC    Right to left
ASR 9006   1+1 RSP   2x RSP    4 line cards         10          4x AC or 4x DC    Right to back
ASR 9010   1+1 RSP   2x RSP    8 line cards         21          8x AC or 8x DC    Front to back
ASR 9912   1+1 RP    6+1       10 line cards        30          12x AC or 12x DC  Front to back
ASR 9922   1+1 RP    6+1       20 line cards        44          16x AC or 16x DC  Front to back

(The slide also pictures the ASR 901/903 access routers alongside this family.)
ASR9K Line Card Architecture Overview (block diagram)

Diagram: an A9K-4T line card (PHY → NP0..NP3 → FIA0 → 4x23G links to the switch fabric on RSP0/RSP1, with a local CPU) next to a 3x10GE-per-NP SFP+ line card (PHY → NP0..NP7 → FIA0..FIA3 → 8x55G links to the switch fabric ASICs on RSP0/RSP1, with a local CPU).
Carrier Ethernet Network (diagram)

Diagram: Mobile (2G/3G/4G RAN), Business/Corporate and Residential (DSL, PON, STB) access nodes → Carrier Ethernet aggregation nodes (nV, MPLS/IP aggregation network) → edge / distribution nodes → multiservice MPLS/IP core network, carrying EoMPLS and VPLS services and VoD / TV / SIP content networks.
What’s the ASR 9000 nV Edge System?

• Leverages the existing IOS-XR CRS multi-chassis software infrastructure
• Fabric chassis simplified/enhanced for ASR 9000 nV Edge (diagram: CRS Multi-Chassis vs. ASR 9000 nV Edge)
• Single control plane, single management plane, fully distributed
• A simple, resilient and extensible "super node"
ASR 9000 Flexible CLI Overview
• What problem are we solving?
• Supported Platforms
• Phased Implementation
ASR 9000 Flexible CLI Overview
Problem Statement
• IOS XR platforms’ features continue to grow
• Running configurations have grown significantly (mid-to-high end platforms)

High level goals
• reduce config complexity and size
• reduce operational errors & misconfigurations
• reduce repeated configuration
ASR 9000 Flexible CLI Overview
Supported on IOS XR Platforms
• ASR9K & CRS
• XR12K is not supported
• Original target platform was ASR9K; CRS was added per customer requests
ASR 9000 Flexible CLI Overview
Phased Implementation
• Phase I – 4.3.1: FlexCLI feature introduced
• Phase II – 5.1.1: Additional FlexCLI features
IOS XR System Configuration Database
router ospf 10
 area 0
  interface TenGigE0/1/0/0
   cost 1000
  interface TenGigE0/1/0/1
   cost 1000
  interface TenGigE0/1/0/2
   cost 1000
interface HundredGigE0/0/0/0
 mtu 9000
interface HundredGigE0/0/0/1
 mtu 9000

• IOS XR config is stored in a binary database that looks like a tree
• some configurations often have the same entries/values repeated
IOS XR Flexible CLI Overview
Configuration Groups

FlexCLI uses a config-group concept: a group is a config sub-tree that
• is syntactically correct / validated
• is fully defined (i.e. starts from the root)
• can be applied at arbitrary levels of the config (sub modes)
• can use regular expressions
• is inherited automatically in hierarchical fashion
IOS XR Flexible CLI Overview
router ospf
 area '.*'
  interface 'TenGigE0/1/0/0'
   cost 1000
  interface 'TenGigE0/1/0/1'
   cost 1000
  interface 'TenGigE0/1/0/2'
   cost 1000
interface 'HundredGigE.*'
 mtu 9000

• Same tree, but as a group it can contain regular expressions (quoted names)
IOS XR Flexible CLI – Configuration and Use cases
New CLI (group, end-group, apply-group – Phase I, 4.3.1)
config t
 group <group name>
  <config commands>
 end-group

config t
 interface TenGigE0/0/0/0
  apply-group <group name>
 commit
IOS XR Flexible CLI – Configuration and Use cases
New CLI (show commands – Phase I, 4.3.1)
• show running-config group <group-name>
• show running-config inheritance interface r/s/m/p
• inheritance – config groups can be applied at different levels of the hierarchy. Therefore “inheritance” of group configuration can also happen at different levels of the configuration.
• inheritance can be overridden by local CLI commands at the lowest submode
IOS XR Flexible CLI – Configuration and Use cases
Example: basic

1) configure a group
RP/0/RSP0/CPU0:ASR9K#show run group GigCE
group GigCE
 interface 'GigabitEthernet.*'
  mtu 1526
end-group

2) apply the group
RP/0/RSP0/CPU0:ASR9K#show run interface GigabitEthernet0/1/0/1
interface GigabitEthernet0/1/0/1
 apply-group GigCE

3) show run inheritance interface GigabitEthernet0/1/0/1
RP/0/RSP0/CPU0:ASR9K#show run inheritance interface GigabitEthernet0/1/0/1
interface GigabitEthernet0/1/0/1
 ## Inherited from group GigCE
 mtu 1526

4) MTU is inherited
RP/0/RSP0/CPU0:PR-ASR9K-4#show interface GigabitEthernet0/1/0/1 | i MTU
  MTU 1526 bytes, BW 1000000 Kbit (Max: 1000000 Kbit)
IOS XR Flexible CLI – Configuration and Use cases
Example: local config overrides inherited config

1) configure a group
RP/0/RSP0/CPU0:ASR9K#show run group GigCE
group GigCE
 interface 'GigabitEthernet.*'
  mtu 1526
end-group

2) apply the group and configure a different MTU locally
RP/0/RSP0/CPU0:ASR9K#show run interface GigabitEthernet0/1/0/1
interface GigabitEthernet0/1/0/1
 apply-group GigCE
 mtu 1518

3) show run inheritance interface GigabitEthernet0/1/0/1
RP/0/RSP0/CPU0:ASR9K#show run inheritance interface GigabitEthernet0/1/0/1
interface GigabitEthernet0/1/0/1
 mtu 1518

4) MTU is not inherited – it is overridden at the interface
RP/0/RSP0/CPU0:PR-ASR9K-4#show interface GigabitEthernet0/1/0/1 | i MTU
  MTU 1518 bytes, BW 1000000 Kbit (Max: 1000000 Kbit)
IOS XR Flexible CLI – Configuration and Use cases
New CLI: multiple groups can be applied

“up and right” is the rule…
• lowest (most specific) config takes precedence within any level
• first group applied takes precedence

In the following example “ONE” has the highest priority and “SEVEN” the lowest:

apply-group SIX SEVEN
router ospf 0
 apply-group FOUR FIVE
 area 0
  apply-group THREE
  interface GigabitEthernet0/0/0/0
   apply-group ONE TWO
IOS XR Flexible CLI – Configuration and Use cases
New CLI (multiple groups can be applied)
“up and right” is the rule…
• lowest (most specific) config takes precedence within any level
• first group applied takes precedence

group GigCE-1526
 interface 'GigabitEthernet.*'
  mtu 1526
end-group

group GigCE-1400
 interface 'GigabitEthernet.*'
  mtu 1400
end-group

A
interface GigabitEthernet0/1/0/1
 apply-group GigCE-1526 GigCE-1400
 mtu 1518
what is the MTU?

B
interface GigabitEthernet0/1/0/1
 apply-group GigCE-1526 GigCE-1400
what is the MTU?
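As an added example (not code from the presentation or from Cisco), the “up and right” rule modelled in Python: it resolves questions A and B above and the ONE..SEVEN ladder from the previous slide, and renders the result the way `show run ... inheritance detail` does. The group and path names are the slides' own; the data structures (a group as a list of pattern-path/command/value triples, `applied` as groups per depth) are assumptions of this example.

```python
import re

# Added example (not Cisco code): a small model of IOS XR FlexCLI precedence,
# the "up and right" rule. A group is a list of (mode-path pattern, command,
# value); a mode path is a tuple such as
# ("router ospf 0", "area 0", "interface GigabitEthernet0/0/0/0").

def mode_matches(pattern, mode):
    """Match one submode, e.g. "interface 'GigabitEthernet.*'" against
    "interface GigabitEthernet0/1/0/1". Quoted names are regular expressions."""
    pkey, _, pname = pattern.rpartition(" ")
    mkey, _, mname = mode.rpartition(" ")
    if pkey != mkey:
        return False
    if len(pname) >= 2 and pname[0] == pname[-1] == "'":
        return re.fullmatch(pname[1:-1], mname) is not None
    return pname == mname

def path_matches(pattern_path, path):
    return len(pattern_path) == len(path) and all(
        mode_matches(p, m) for p, m in zip(pattern_path, path))

def resolve(path, local, applied, groups):
    """Resolve the effective commands of the node at `path`.

    local   : {command: value} configured directly under the node
    applied : {depth: [group names]}; depth 0 is global config and
              depth len(path) is the node itself, in apply-group order
    groups  : {name: [(pattern_path, command, value), ...]}
    Returns {command: (value, source)}: local config wins, then the groups
    applied at the node (first listed wins), then each enclosing level ("up").
    """
    result = {cmd: (val, "local") for cmd, val in local.items()}
    for depth in range(len(path), -1, -1):        # up: node, parent, ..., global
        for gname in applied.get(depth, []):       # right: first listed wins
            for pat_path, cmd, val in groups[gname]:
                if path_matches(pat_path, path):
                    result.setdefault(cmd, (val, "group " + gname))
    return result

def precedence_order(path, applied, groups):
    """Group names that can contribute to `path`, highest priority first."""
    order = []
    for depth in range(len(path), -1, -1):
        for gname in applied.get(depth, []):
            if any(path_matches(p, path) for p, _, _ in groups[gname]):
                order.append(gname)
    return order

def show_inheritance(path, local, applied, groups):
    """Render the node the way 'show run ... inheritance detail' does."""
    lines = [path[-1]]
    for cmd, (val, source) in resolve(path, local, applied, groups).items():
        if source != "local":
            lines.append(" ## Inherited from " + source)
        lines.append(f" {cmd} {val}")
    return "\n".join(lines)

# Constructed sample: the two groups and questions A and B from the slide.
GROUPS = {
    "GigCE-1526": [(("interface 'GigabitEthernet.*'",), "mtu", "1526")],
    "GigCE-1400": [(("interface 'GigabitEthernet.*'",), "mtu", "1400")],
}
GIGE = ("interface GigabitEthernet0/1/0/1",)
BOTH = {1: ["GigCE-1526", "GigCE-1400"]}

def case_a():
    """Both groups applied plus a local 'mtu 1518'."""
    return resolve(GIGE, {"mtu": "1518"}, BOTH, GROUPS)["mtu"]

def case_b():
    """Both groups applied, no local mtu."""
    return resolve(GIGE, {}, BOTH, GROUPS)["mtu"]

# Constructed sample: the ONE..SEVEN ladder, each group setting 'cost' under
# router ospf / area / interface.
OSPF_PATH = ("router ospf 0", "area 0", "interface GigabitEthernet0/0/0/0")
OSPF_PATTERN = ("router ospf '.*'", "area '.*'", "interface 'GigabitEthernet.*'")
LADDER = {n: [(OSPF_PATTERN, "cost", n)]
          for n in ("ONE", "TWO", "THREE", "FOUR", "FIVE", "SIX", "SEVEN")}
LADDER_APPLIED = {0: ["SIX", "SEVEN"], 1: ["FOUR", "FIVE"], 2: ["THREE"], 3: ["ONE", "TWO"]}

def ladder_order():
    return precedence_order(OSPF_PATH, LADDER_APPLIED, LADDER)

if __name__ == "__main__":
    print("A:", case_a(), "B:", case_b())
    print(show_inheritance(GIGE, {}, BOTH, GROUPS))
    print(" > ".join(ladder_order()))
```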
IOS XR Flexible CLI – Configuration and Use cases
Common use cases:
• Interface parameters
• Routing instance parameters
• MPLS-TE interface parameters
• L2VPN interface parameters
IOS XR Flexible CLI – Configuration and Use cases
Common use cases: Interface parameters

group 10GE-intf-bundle
 interface 'TenGigE0/2/0/.*'
  lacp period short
  load-interval 30
  transceiver permit pid all
end-group

interface TenGigE0/2/0/14
 apply-group 10GE-intf-bundle
 bundle id 200 mode active

RP/0/RSP0/CPU0:ASR9K#show run interface TenGigE0/2/0/14 inheritance detail
interface TenGigE0/2/0/14
 bundle id 200 mode active
 ## Inherited from group 10GE-intf-bundle
 lacp period short
 ## Inherited from group 10GE-intf-bundle
 load-interval 30
 ## Inherited from group 10GE-intf-bundle
 transceiver permit pid all
IOS XR Flexible CLI – Configuration and Use cases
Common use cases: Interface parameters

group 10GE-Bundle
 interface 'Bundle-Ether.*'
  mtu 9216
  ipv4 mtu 9000
  ipv4 point-to-point
  ipv6 mtu 9000
  load-interval 60
end-group

interface Bundle-Ether200
 apply-group 10GE-Bundle
 ipv4 address 10.1.1.1/24

RP/0/RSP0/CPU0:ASR9K#show run interface bundle-ether 200 inheritance detail
interface Bundle-Ether200
 ## Inherited from group 10GE-Bundle
 mtu 9216
 ## Inherited from group 10GE-Bundle
 ipv4 mtu 9000
 ## Inherited from group 10GE-Bundle
 ipv4 point-to-point
 ipv4 address 192.192.1.25 255.255.255.0
 ## Inherited from group 10GE-Bundle
 ipv6 mtu 9000
 ## Inherited from group 10GE-Bundle
 load-interval 60
IOS XR Flexible CLI – Configuration and Use cases
Common use cases: Routing Instance parameters

group ISIS
 router isis 'Core1'
  is-type level-2-only
  interface 'Bundle-Ether.*'
   circuit-type level-2-only
   point-to-point
   hello-password keychain secure-isis
   address-family ipv4 unicast
    metric 500
end-group

router isis Core1
 set-overload-bit on-startup wait-for-bgp level 2
 net 49.0005.0049.1997.0000.1002.00
 nsf ietf
 log adjacency changes
 address-family ipv4 unicast
  metric-style wide level 2
  metric 10
  maximum-paths 32
 !
 interface Bundle-Ether200
  apply-group ISIS

RP/0/RSP0/CPU0:ASR9K#show run router isis Core1 inheritance detail
router isis Core1
 set-overload-bit on-startup wait-for-bgp level 2
 <snip>
 interface Bundle-Ether200
  ## Inherited from group ISIS
  circuit-type level-2-only
  ## Inherited from group ISIS
  point-to-point
  ## Inherited from group ISIS
  hello-password keychain secure-isis
  ## Inherited from group ISIS
  address-family ipv4 unicast
   ## Inherited from group ISIS
   metric 500
IOS XR Flexible CLI – Configuration and Use cases
Common use cases: MPLS-TE interfaces

group TUNNEL
 interface 'tunnel-te.*'
  ipv4 unnumbered Loopback0
  load-interval 30
  logging events lsp-status reoptimize
  logging events lsp-status state
  logging events lsp-status reroute
  logging events lsp-status insufficient-bandwidth
  autoroute announce
  !
  fast-reroute
  path-protection
  logging events link-status
 !
end-group

interface tunnel-te1000
 apply-group TUNNEL
 description DC EAST-WEST Northbound
 path-option 10 dynamic attribute-set EAST protected-by 20
 path-option 20 dynamic attribute-set WEST protected-by 10
 path-option 30 dynamic attribute-set CORE

RP/0/RSP0/CPU0:ASR9K#show run inter tunnel-te1000 inheritance detail
interface tunnel-te1000
 description DC EAST-WEST Northbound
 ## Inherited from group TUNNEL
 ipv4 unnumbered Loopback0
 ## Inherited from group TUNNEL
 load-interval 30
 ## Inherited from group TUNNEL
 logging events lsp-status reoptimize
 ## Inherited from group TUNNEL
 logging events lsp-status state
 ## Inherited from group TUNNEL
 logging events lsp-status reroute
 ## Inherited from group TUNNEL
 logging events lsp-status insufficient-bandwidth
 ## Inherited from group TUNNEL
 autoroute announce
 !
 ## Inherited from group TUNNEL
 fast-reroute
 ## Inherited from group TUNNEL
 path-protection
 path-option 10 dynamic attribute-set EAST protected-by 20
 path-option 20 dynamic attribute-set WEST protected-by 10
 path-option 30 dynamic attribute-set CORE
 ## Inherited from group TUNNEL
 logging events link-status
IOS XR Flexible CLI – Configuration and Use cases
Common use cases: L2VPN

group l2vpn
 l2vpn
  pw-class 'test'
   encapsulation mpls
    ipv4 source 1.2.3.4
   !
  !
 !
end-group
end

l2vpn
 pw-class test
  apply-group l2vpn
 !
!

RP/0/RSP0/CPU0:ASR9K#show run inheritance l2vpn
l2vpn
 pw-class test
  ## Inherited from group l2vpn
  encapsulation mpls
   ## Inherited from group l2vpn
   ipv4 source 1.2.3.4
  !
 !
!
IOS XR Flexible CLI – Configuration and Use cases
Common use cases: L2VPN

group test1
 interface 'TenGig.*'
  description flexcli test
 !
 interface 'TenGig.*\..*' l2transport
  rewrite ingress tag pop 1 symmetric
  mtu 1518
 !
end-group

RP/0/RSP0/CPU0:ASR9K#show run int TenGigE0/2/0/10
interface TenGigE0/2/0/10
 apply-group test1
 cdp
 ipv4 address 12.0.1.3 255.0.0.0
!

RP/0/RSP0/CPU0:ASR9K#sho run int TenGigE0/2/0/10 inheritance detail
interface TenGigE0/2/0/10
 ## Inherited from group test1
 description flexcli test
 ipv4 address 12.0.1.3 255.0.0.0
!

RP/0/RSP0/CPU0:ASR9K#show run int TenGigE0/2/0/10.100
interface TenGigE0/2/0/10.100 l2transport
 apply-group test1
 encapsulation dot1q 100

RP/0/RSP0/CPU0:ASR9K#sho run int TenGigE0/2/0/10.100 inheritance detail
interface TenGigE0/2/0/10.100 l2transport
 encapsulation dot1q 100
 ## Inherited from group test1
 rewrite ingress tag pop 1 symmetric
 ## Inherited from group test1
 mtu 1518
ASR9K/CRS/NCS – Internet Usage
1 billion – PSY’s Gangnam Style video became the first online video to reach 1 billion views, and achieved it in just 5 months.

http://www.guinnessworldrecords.com/news/2012/9/gangnam-style-now-most-liked-video-in-youtube-history-44977/
Data Traffic Reference
• 1 Byte: A single character (1)
• 1 Kilobyte: Half a typewritten page (1,024 bytes)
• 1 Megabyte: A short novel (1024 kilobytes)
• 1 Gigabyte: A movie at TV quality (1024 megabytes)
• 1 Terabyte: About half the content of an academic research library (10 terabytes: the printed collection of the US Library of Congress). (1 trillion bytes)
• 1 Petabyte: About half the content of all U.S. academic research libraries (1 million gigabytes)
• 5 Exabytes: All words ever spoken by human beings. (5 billion gigabytes)
• 1 Zettabyte: About half of the information sent through broadcast technology (such as TV and GPS) in 2007. (1 trillion gigabytes)
• Yottabyte (1 000 000 000 000 000 000 000 000 Bytes). Named after Yoda.
• Xenottabytes (1 000 000 000 000 000 000 000 000 000 Bytes)
• Shilentnobytes (1 000 000 000 000 000 000 000 000 000 000 Bytes)
• Domegemegrottebytes (1 000 000 000 000 000 000 000 000 000 000 000 Bytes)
• Icosebyte (1 000 000 000 000 000 000 000 000 000 000 000 000 Bytes)
• Monoicosebyte (1,000,000,000,000,000,000,000,000,000,000,000,000,000 Bytes)
ASR 9000 IOS XR Scale ACL Overview
ASR 9000 ACLs before the Scale ACL feature:
• TCAM based architectures perform ACL classification for security & filtering ACLs and for ACL based QoS classification
• TCAM based implementations offer extremely high speed and deterministic lookups, but are poorly suited for very large rule sets
• Repetition of rules in similar ACEs
• Large TCAM space requirements in scaled scenarios
ASR 9000 IOS XR Scale ACL Overview
TCAM based ACLs:
• Essentially custom memory that takes a lookup key and mask, and returns a result (a TCAM “rule”, or “Value Mask Result”)
ASR 9000 Scale ACL Configuration improvements:
• Easier and friendlier to use “sets” of objects when building rules....
 – This:
   Set A = (j,k,l,m)   Set B = (w,x,y,z)
   permit ipv4 (set A) (set B)
 – Is easier on the eyes than this:
   permit host j host w
   permit host k host w
   permit host l host w
   permit host m host w
   permit host j host x
   permit host k host x
   And so on... (4x4 would be 16 rules... Imagine 100x400x20!)
Scale ACL Object-groups
• As we talk about “object-groups” on the next slides, think of them as analogous to a prefix-set, which an IOS XR RPL route-policy then calls from within the route policy
• ACLs will likewise call into the various “object groups”
Scale ACL Object-group CLI
• Network groups define a set of prefixes
 – Prefixes, hosts, ranges of addresses
 – Nested groups
• Port groups define a set of ports
 – Port entries and operators
 – Nested groups
• Supported for both IPv4 and IPv6
• ACE entries in an ACL support both object group names and individual traditional entries
Scale ACL Configuration CLI
1) Create an object-group (either network or port, or both)
2) Create the access-list
3) Enter the ACL permit or deny entries, using net-group or port-group syntax
Scale ACL Configuration
Example:

object-group network ipv4 SRC_1
 10.10.1.0/24
 host 10.10.1.100

object-group network ipv4 DEST_1
 30.30.0.0/16
 host 30.30.1.100

object-group port PORTS_1
 eq telnet
 range 1024 65535

ipv4 access-list scale
 10 permit tcp net-group SRC_1 net-group DEST_1 port-group PORTS_1
Scale ACL Configuration
Example:

Current CLI:

ipv4 access-list acl1
 10 permit tcp host 1.1.1.1 host 10.10.10.1 eq ftp
 20 permit tcp host 1.1.1.2 host 10.10.10.1 eq ftp
 30 permit tcp host 1.1.1.3 host 10.10.10.1 eq ftp
 40 permit tcp host 1.1.1.1 host 10.10.10.1 eq domain
 50 permit tcp host 1.1.1.2 host 10.10.10.1 eq domain
 60 permit tcp host 1.1.1.3 host 10.10.10.1 eq domain
 70 permit tcp host 1.1.1.1 host 10.10.10.1 lt 1024
 80 permit tcp host 1.1.1.2 host 10.10.10.1 lt 1024
 90 permit tcp host 1.1.1.3 host 10.10.10.1 lt 1024
 100 permit tcp host 1.1.1.1 host 10.10.10.1 range 2400 2500
 110 permit tcp host 1.1.1.2 host 10.10.10.1 range 2400 2500
 120 permit tcp host 1.1.1.3 host 10.10.10.1 range 2400 2500
!

New Scale object-group CLI:

object-group network ipv4 site-east
 1.1.1.1/32
 1.1.1.2/32
 1.1.1.3/32
!
object-group port site-west-portgroup1
 eq ftp
 eq domain
 lt 1024
 range 2400 2500
!
ipv4 access-list acl1
 10 permit tcp net-group site-east host 10.10.10.1 port-group site-west-portgroup1
!
Scale ACL CLI syntax
RP/0/RSP0/CPU0:ASR9K(config)#object-group network ipv4 <name> ?
A.B.C.D/length IPv4 address/prefix
description Description for the object group
host A single host address
object-group Nested object group
range Range of host addresses
<cr>
RP/0/RSP0/CPU0:ASR9K(config)#object-group port test ?
description description for the object group
eq Match packets on ports equal to entered port number
gt Match packets on ports greater than entered port number
lt Match packets on ports less than entered port number
neq Match packets on ports not equal to entered port number
object-group nested object group
range Match only packets on a given port range
<cr>

ACE syntax
{ipv4 | ipv6} access-list <name>
10 permit tcp net-group <name> net-group <name> port-group <name> [options]

Scale ACL CLI syntax
• Hybrid mode ACE lines are allowed.
• For example: an object-group in the source field and an individual address/prefix in the destination field.
• ACEs with object groups and ACEs without object groups can coexist in the same ACL

ipv4 access-list scale
 10 permit tcp net-group SRC_1 net-group DEST_1 port-group PORTS_1
 20 permit icmp 10.10.1.0/24 host 192.168.1.100 echo
 30 permit icmp 10.10.1.0/24 host 192.168.10.100 echo
Scale ACL - Compression
• An ACL can be applied to an interface with a choice of compression level in hardware
• The compression level determines which of the fields (src, dst, src port, dest port) are programmed in TCAM in compressed format
• More compression means less TCAM space but extra lookups in the NP: a trade-off between TCAM memory usage and line-rate performance
Scale ACL - Compression
• Config option to enable compressed format on a per-interface basis
• 3 levels of compression supported (0, 1, 3), with 3 giving the best compression & scale but the worst NP performance hit
• Only one compression mode of an ACL can be supported on a given LC
 – Once an ACL is applied with a compression level on an interface, it can be applied with the same compression level on other interfaces on the same LC
 – you cannot mix different compression levels on the same LC
Scale ACL - Compression
• There are 3 available compression levels for a scaled ACL.
• level 0 simply expands the object groups and dumps the result into TCAM
 – identical performance to legacy ACL
 – more convenient configuration
• level 1 compresses only the source prefix object-groups
 – smallest performance hit, but still very high scale
• level 3 compresses both source & destination, network and port groups
 – higher performance reduction, large scale improvements
• generally speaking: use the least compression that fits (better performance)
 – “more flexibility” to trade performance vs. scale vs. cost
 – Note: -SE cards have much larger TCAMs than -TR cards
Scaled ACL - Counters
• In hardware, each TCAM entry points at a counter.
• Regardless of legacy vs. scale object-group config, each configured ACE has one counter associated.
• Scaled ACL allows you to combine many rules into a single ACE, which also becomes a single counter.
• ACLs are still order-dependent, so use sequence numbers...
Scale ACL – IPv4 example
show run ipv4 access-list test1
ipv4 access-list test1
 10 permit ipv4 any any

10 permit ipv4 any any   (this is 1 TCAM entry)
(implicit deny)          (this is 1 TCAM entry)
Scale ACL – IPv4 example
show run interface ten0/0/0/11
interface TenGigE0/0/0/11
ipv4 access-group test1 ingress

show controller np ports all loc 0/0/cpu0


Node: 0/0/CPU0:
----------------------------------------------------------------
NP Bridge Fia Ports
-- ------ --- ---------------------------------------------------
0 -- 0 TenGigE0/0/0/0, TenGigE0/0/0/1, TenGigE0/0/0/2
1 -- 0 TenGigE0/0/0/3, TenGigE0/0/0/4, TenGigE0/0/0/5
2 -- 1 TenGigE0/0/0/6, TenGigE0/0/0/7, TenGigE0/0/0/8
3 -- 1 TenGigE0/0/0/9, TenGigE0/0/0/10, TenGigE0/0/0/11
4 -- 2 TenGigE0/0/0/12, TenGigE0/0/0/13, TenGigE0/0/0/14
<snip>

show access-lists test1 hardware ingress resource-usage loc 0/0/cpu0


NP : 3
Rules (ACE) : 2
ACL compression level : 0
Fields compressed : None
TCAM Entries used : 2 ( 96k total)
TCAM Key Width : 160 ( 0 total for compressed fields)

show pfilter-ea fea summary loc 0/0/cpu0


******** NP Resource Usage Summary ************
Chan # 144-bit TCAM Entries 576-bit TCAM Entries Stats SS Hash Entries
========================================================================
0 0 0 0 0
1 0 0 0 0
2 0 0 0 0
3 2 0 2 0
4 0 0 0 0
Scale ACL – v4 example – test1
show prm server tcam summary all acl all loc 0/0/cpu0
<snip>
TCAM summary for NP3:

TCAM Logical Table: TCAM_LT_L2 (1)


Partition ID: 0, priority: 2, valid entries: 3, free entries: 317
<snip>
TCAM Logical Table: TCAM_LT_ODS2 (2), free entries: 89273, resvd 128
ACL Common Region: 448 entries allocated. 448 entries free
Application ID: NP_APP_ID_IPV4_ACL (2)
Total: 1 vmr_ids, 2 active entries, 2 allocated entries.
TCAM Logical Table: TCAM_LT_ODS8 (3), free entries: 14757, resvd 128
ACL Common Region: 448 entries allocated. 448 entries free
Application ID: NP_APP_ID_ACL_IPV6 (2)
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.

Summary for today's session:
• Reduce large ASR 9000 IOS XR configurations using FlexCLI + Scale ACL
• Take advantage of IOS XR FlexCLI to reduce and re-use common configurations
• Scale ACL - security is the top-most requirement - reduce large ACL configurations
• Take advantage of Scale ACL to reduce large configurations and re-use security stanzas
• Please contact me directly if you have questions on FlexCLI or Scale ACL configurations or issues. My direct email is dpothier@cisco.com. We will be glad to help. Thank you for attending today's session.
References
ASR9K Configuration Guides (Cisco.com)
http://www.cisco.com/en/US/products/ps5845/products_installation_and_configuration_guides_list.html

ASR9K Master Command Reference (Cisco.com)
http://www.cisco.com/en/US/products/ps5845/products_product_indices_list.html

ASR9K Cisco Support Forum Documents
https://supportforums.cisco.com/community/netpro/service-providers/ios-xr?view=documents

ASR9K Cisco Support Forum – Feature Order of Operations
https://supportforums.cisco.com/docs/DOC-32025
Participate in the “My Favorite Speaker” Contest
Promote Your Favorite Speaker and You Could be a Winner
• Promote your favorite speaker through Twitter and you could win $200 of Cisco
Press products (@CiscoPress)
• Send a tweet and include
– Your favorite speaker’s Twitter handle @dpothier
– Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin

Complete Your Online Session Evaluation
• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings

Scale ACL – v4 example – test2 – compression L 1
config t
load ftp://user:password@8.25.0.207/acl/test2-comp1
Loading.
20073 bytes parsed in 1 sec (20052)bytes/sec
commit
end

show run ipv4 access-list test2-comp1


ipv4 access-list test2-comp1
10 permit tcp net-group net_group_1 net-group net_group_1 port-group port_group_1
20 permit tcp net-group net_group_1 net-group net_group_1 port-group port_group_2
30 permit tcp net-group net_group_1 port-group port_group_1 net-group net_group_1
40 permit tcp net-group net_group_1 port-group port_group_2 net-group net_group_1
50 permit tcp net-group net_group_2 net-group net_group_2 port-group port_group_3
<snip>
440 permit tcp net-group net_group_11 net-group net_group_38 port-group port_group_23
450 permit tcp net-group net_group_39 10.0.0.0/8 port-group port_group_22
460 permit tcp net-group net_group_12 net-group net_group_40 eq ssh
470 permit tcp net-group net_group_40 eq ssh net-group net_group_12

show access-lists ipv4 summary


ACL Summary:
Total ACLs configured: 1
Total ACEs configured: 47

Scale ACL – v4 example – test2 – compression L 1
show object-group network ipv4 ?
| Output Modifiers
net_group_1 Object group name
net_group_2 Object group name
net_group_3 Object group name
net_group_4 Object group name
<snip>
<snip>
net_group_38 Object group name
net_group_39 Object group name
net_group_40 Object group name

show object-group port ?


| Output Modifiers
port_group_1 Object group name
port_group_2 Object group name
port_group_3 Object group name
<snip>
<snip>
port_group_20 Object group name
port_group_21 Object group name
port_group_22 Object group name
port_group_23 Object group name

Scale ACL – v4 example – test2 – compression L 1
show run interface ten 0/0/0/11

interface TenGigE0/0/0/11
load-interval 30
ipv4 access-group test2-comp1 ingress compress level 1

sho controller np ports all loc 0/0/cpu0


Node: 0/0/CPU0:
----------------------------------------------------------------
NP Bridge Fia Ports
-- ------ --- ---------------------------------------------------
0 -- 0 TenGigE0/0/0/0, TenGigE0/0/0/1, TenGigE0/0/0/2
1 -- 0 TenGigE0/0/0/3, TenGigE0/0/0/4, TenGigE0/0/0/5
2 -- 1 TenGigE0/0/0/6, TenGigE0/0/0/7, TenGigE0/0/0/8
3 -- 1 TenGigE0/0/0/9, TenGigE0/0/0/10, TenGigE0/0/0/11
4 -- 2 TenGigE0/0/0/12, TenGigE0/0/0/13, TenGigE0/0/0/14
7 <snip>

show access-lists test2-comp1 hardware ingress resource-usage loc 0/0/cpu0


NP : 3
Rules (ACE) : 47
ACL compression level : 1
Fields compressed : SrcIP
TCAM Entries used : 11618 ( 96k total)
TCAM Key Width : 160 ( 32 total for compressed fields)
Fields Prefix count Bit width/rounded
~~~~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~
SourceIP 579 15/16 (of max 32)
Total no. of bits used = 16 (of max 32) for compressed fields

Scale ACL – v4 example – test2 – compression L 1
RP/0/RP0/CPU0:ASR9K#show pfilter-ea fea summary loc 0/0/cpu0

******** NP Resource Usage Summary ************

Chan # 144-bit TCAM Entries 576-bit TCAM Entries Stats SS Hash Entries
========================================================================
0 0 0 0 0
1 0 0 0 0
2 0 0 0 0
3 11618 0 47 0
4 0 0 0 0
5 0 0 0 0
6 0 0 0 0
7 0 0 0 0

Scale ACL – v4 example – test2 – compression L 1
show prm server tcam summary all acl all loc 0/0/cpu0
<snip>
TCAM summary for NP3:

TCAM Logical Table: TCAM_LT_L2 (1)


Partition ID: 0, priority: 2, valid entries: 3, free entries: 317
<snip>
TCAM Logical Table: TCAM_LT_ODS2 (2), free entries: 77657, resvd 128
ACL Common Region: 448 entries allocated. 448 entries free
Application ID: NP_APP_ID_IPV4_ACL (2)
Total: 1 vmr_ids, 11618 active entries, 11618 allocated entries.
TCAM Logical Table: TCAM_LT_ODS8 (3), free entries: 14757, resvd 128
ACL Common Region: 448 entries allocated. 448 entries free
Application ID: NP_APP_ID_ACL_IPV6 (2)
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.

show prm server tcam summary all acl all loc 0/0/cpu0 | i active entries
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 1 vmr_ids, 11618 active entries, 11618 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
<snip>
Scale ACL – v4 example – test2 – comparison: compression L 1 versus 3
show access-lists test2-comp1 hardware ingress resource-usage loc 0/0/cpu0 (Level 1)
NP : 3
Rules (ACE) : 47
ACL compression level : 1
Fields compressed : SrcIP
TCAM Entries used : 11618 ( 96k total)
TCAM Key Width : 160 ( 32 total for compressed fields)
Fields Prefix count Bit width/rounded
~~~~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~
SourceIP 579 15/16 (of max 32)
Total no. of bits used = 16 (of max 32) for compressed fields
show access-lists test2-comp1 hardware ingress resource-usage loc 0/0/cpu0 (Level 3)
NP : 3
Rules (ACE) : 47
ACL compression level : 3
Fields compressed : SrcIP, DstIP, SrcPort, DstPort
TCAM Entries used : 88 ( 16k total)
TCAM Key Width : 640 ( 560 total for compressed fields)
Fields Prefix count Bit width/rounded
~~~~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~
SourceIP 579 15/16 (of max 240)
DestIP 381 14/16 (of max 240)
SrcPort 99 10/16 (of max 240)
DstPort 109 13/16 (of max 240)
Total no. of bits used = 64 (of max 560) for compressed fields
Scale v4 ACL test 3
• Some notes on the following large ACL test
• approx 4800 object-groups:
– 4000 network groups with ~20k total pfx/masks
– 800 port groups, ~1750 port statements, 200 ranges
• ~3000 access list entries
– virtually all of them call multiple object groups
• would expand out to approx. 17 million individual ACL entries if you had to write it with legacy ACL CLI
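To see why the test 3 ACL would balloon to roughly 17 million legacy entries, here is an added example (not code from the deck) that flattens nested network object-groups and expands one object-group ACE into the legacy per-prefix, per-port lines it stands for. The group names and members are constructed in the style of the deck's `parent_dcc_grp` output, and each `eq`/`range` port member is counted as one legacy ACE.

```python
# Added example (not from the BRKARC-3003 deck): expands an object-group ACE
# into the legacy per-prefix/per-port ACE lines it stands for. Group names
# and members are constructed; nesting follows the parent_dcc_grp style.
from itertools import product

# Constructed network object-groups; a member is a prefix or another group.
NET_GROUPS = {
    "DCC_OPS_NTP_TIER1": ["192.168.1.84/30", "192.168.10.112/31"],
    "DCC_SP1_SUPERNETS": ["10.0.0.0/8", "172.16.0.0/12", "192.168.100.120/31"],
    "parent_dcc_grp": ["object-group DCC_OPS_NTP_TIER1",
                       "object-group DCC_SP1_SUPERNETS"],
}
# Constructed port object-groups; each eq/range member is one legacy port match.
PORT_GROUPS = {
    "src_port_grp_WEST": ["eq 111", "range 1024 65535"],
    "dst_port_grp_NY": ["eq 22", "eq 443", "range 8000 8010"],
}


def flatten_net(name, groups=NET_GROUPS, path=()):
    """Resolve nested network groups to a flat prefix list (loop-safe)."""
    if name in path:
        raise ValueError(f"object-group loop at {name}")
    path += (name,)
    prefixes = []
    for member in groups[name]:
        if member.startswith("object-group "):
            prefixes.extend(flatten_net(member.split()[1], groups, path))
        else:
            prefixes.append(member)
    return prefixes

def expand_ace(proto, src_net, src_port, dst_net, dst_port):
    """Yield the legacy ACE lines one object-group ACE stands for.
    'any' for a network and None for a port group match everything."""
    srcs = ["any"] if src_net == "any" else flatten_net(src_net)
    dsts = ["any"] if dst_net == "any" else flatten_net(dst_net)
    sps = PORT_GROUPS[src_port] if src_port else [None]
    dps = PORT_GROUPS[dst_port] if dst_port else [None]
    for s, sp, d, dp in product(srcs, sps, dsts, dps):
        yield " ".join(p for p in ["permit", proto, s, sp, d, dp] if p)

def expansion_count(*ace):
    """Legacy ACE count: product of the flattened member counts."""
    return sum(1 for _ in expand_ace(*ace))

if __name__ == "__main__":
    ace = ("tcp", "parent_dcc_grp", "src_port_grp_WEST",
           "DCC_OPS_NTP_TIER1", "dst_port_grp_NY")
    print(expansion_count(*ace))  # 5 * 2 * 2 * 3 = 60 legacy lines
```

One constructed ACE with two nested source groups already stands for 60 legacy lines; 3000 such ACEs against the 4800-group set in test 3 is where the 17 million figure comes from.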

Scale ACL – v4 example – test3 – compression L 3
config t
load ftp://user:password@8.25.0.207/acl/test3-comp3
Loading....................
1618222 bytes parsed in 20 sec (80765)bytes/sec
commit
end

show run ipv4 access-list test3-comp3


ipv4 access-list test3-comp3
10 permit icmp net-group parent_src_grp_1 net-group parent_src_grp_1
20 permit udp any net-group parent_dst_grp_2
30 permit udp any net-group DCC_SBS_NEW_ORDER
40 permit udp net-group DCC_GLOBAL_PROD net-group SP_GLOBAL_PROD_3
<snip>
35090 permit tcp net-group DCC_CSE_CORP_CRPSRVENG_101 port-group src_port_grp_11 net-group DCC_OPS_QA_EAST_MAIN port-group dst_port_grp_NY
35230 permit udp net-group SRC_SP1_SUPERNETS_5 net-group DCC_OPS_SP1_SYSLOG_SJ port-group dst_port_grp_55
35240 permit tcp net-group SRC_DCA_ADX_SP1_EAST_CLIENTS_1782 port-group src_port_grp_11 net-group DCC_OPS_SP1_SYSLOG_EAST_3145 port-group dst_port_grp_3524

show access-lists ipv4 summary


ACL Summary:
Total ACLs configured: 1
Total ACEs configured: 2997
Scale ACL – v4 example – test3 – compression L 3
show object-group network ipv4 ?
object-group network ipv4 DCC_EAST_SP1_DCC_SERVERS
members:
192.168.1.84/30
192.168.10.112/31
192.168.100.120/31
<snip>
<snip>
object-group network ipv4 parent_dcc_grp
members:
object-group DCC_OPS_NTP_TIER1
object-group DCC_SP1_SUPERNETS

show object-group port ?


port_group_1 Object group name
port_group_2 Object group name
port_group_3 Object group name
<snip>
<snip>

object-group port src_port_grp_WEST


members:
eq 111
range 1024 65535

Scale ACL – v4 example – test3 – compression L 3
show run interface ten 0/0/0/11
interface TenGigE0/0/0/11
load-interval 30
ipv4 access-group test3-comp3 ingress compress level 3

sho controller np ports all loc 0/0/cpu0


Node: 0/0/CPU0:
----------------------------------------------------------------
NP Bridge Fia Ports
-- ------ --- ---------------------------------------------------
0 -- 0 TenGigE0/0/0/0, TenGigE0/0/0/1, TenGigE0/0/0/2
1 -- 0 TenGigE0/0/0/3, TenGigE0/0/0/4, TenGigE0/0/0/5
2 -- 1 TenGigE0/0/0/6, TenGigE0/0/0/7, TenGigE0/0/0/8
3 -- 1 TenGigE0/0/0/9, TenGigE0/0/0/10, TenGigE0/0/0/11
4 -- 2 TenGigE0/0/0/12, TenGigE0/0/0/13, TenGigE0/0/0/14
7 <snip>

show access-lists test3-comp3 hardware ingress resource-usage loc 0/0/cpu0


NP : 3
Rules (ACE) : 2998
ACL compression level : 3
Fields compressed : SrcIP, DstIP, SrcPort, DstPort
TCAM Entries used : 5673 ( 16k total)
TCAM Key Width : 640 ( 560 total for compressed fields)
Fields Prefix count Bit width/rounded
~~~~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~
SourceIP 20763 202/208 (of max 240)
DestIP 5317 57/64 (of max 240)
SrcPort 65 18/24 (of max 240)
DstPort 1049 155/160 (of max 240)
Total no. of bits used = 456 (of max 560) for compressed fields
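The resource-usage output above is the place to watch headroom: at level 3 this ACL already uses 456 of the 560 bits available for compressed fields, and SourceIP sits at 208 of 240. The following is an added check, not the deck's own tooling, that parses that output and flags any compressed field or the TCAM entry pool at or above a utilisation threshold; the sample text is the test3-comp3 output from this slide, the 90% threshold is an assumed value, and the 'k' suffix is assumed to mean 1024 entries.

```python
# Added headroom check (not the deck's own tooling) for the output of
# 'show access-lists <acl> hardware ingress resource-usage'.
# SAMPLE is the test3-comp3 output copied from the slide; the threshold
# and the reading of 'k' as 1024 entries are assumptions.
import re

SAMPLE = """\
NP : 3
Rules (ACE) : 2998
ACL compression level : 3
Fields compressed : SrcIP, DstIP, SrcPort, DstPort
TCAM Entries used : 5673 ( 16k total)
TCAM Key Width : 640 ( 560 total for compressed fields)
Fields Prefix count Bit width/rounded
SourceIP 20763 202/208 (of max 240)
DestIP 5317 57/64 (of max 240)
SrcPort 65 18/24 (of max 240)
DstPort 1049 155/160 (of max 240)
Total no. of bits used = 456 (of max 560) for compressed fields
"""

FIELD_RE = re.compile(r"^(\w+)\s+(\d+)\s+(\d+)/(\d+)\s+\(of max (\d+)\)")
ENTRIES_RE = re.compile(r"TCAM Entries used\s*:\s*(\d+)\s*\(\s*(\d+)(k?) total\)")
TOTAL_RE = re.compile(r"Total no\. of bits used = (\d+) \(of max (\d+)\)")

def parse_resource_usage(text):
    """Return TCAM entries (used, total), per-field (prefixes, rounded bits,
    max bits) and the compressed-field bit total (used, max)."""
    info = {"fields": {}}
    for line in text.splitlines():
        if m := ENTRIES_RE.search(line):
            total = int(m.group(2)) * (1024 if m.group(3) else 1)  # 'k' assumed 1024
            info["entries"] = (int(m.group(1)), total)
        elif m := TOTAL_RE.search(line):
            info["bits"] = (int(m.group(1)), int(m.group(2)))
        elif m := FIELD_RE.match(line):
            info["fields"][m.group(1)] = tuple(int(m.group(i)) for i in (2, 4, 5))
    return info

def headroom_warnings(info, threshold=0.9):
    """Resources whose utilisation is at or above threshold, in report order."""
    checks = [("tcam_entries", info["entries"]), ("compressed_bits", info["bits"])]
    checks += [(name, (bits, mx)) for name, (_, bits, mx) in info["fields"].items()]
    return [name for name, (used, total) in checks if used / total >= threshold]

if __name__ == "__main__":
    usage = parse_resource_usage(SAMPLE)
    print(headroom_warnings(usage, threshold=0.8))  # ['compressed_bits', 'SourceIP']
```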

Scale ACL – v4 example – test3 – compression L 3

show pfilter-ea fea summary loc 0/0/cpu0

******** NP Resource Usage Summary ************

Chan # 144-bit TCAM Entries 576-bit TCAM Entries Stats SS Hash Entries
========================================================================
0 0 0 0 0
1 0 0 0 0
2 0 0 0 0
3 5673 0 2998 0
4 0 0 0 0
5 0 0 0 0
6 0 0 0 0
7 0 0 0 0

Scale ACL – v4 example – test3 – compression L 3
show prm server tcam summary all acl all loc 0/0/cpu0
<snip>
TCAM summary for NP3:


TCAM Logical Table: TCAM_LT_L2 (1)


Partition ID: 0, priority: 2, valid entries: 3, free entries: 317
Partition ID: 1, priority: 2, valid entries: 0, free entries: 320
<snip>
TCAM Logical Table: TCAM_LT_ODS2 (2), free entries: 89275, resvd 128
ACL Common Region: 448 entries allocated. 448 entries free
Application ID: NP_APP_ID_IPV4_ACL (2)
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
TCAM Logical Table: TCAM_LT_ODS8 (3), free entries: 9084, resvd 128
ACL Common Region: 448 entries allocated. 448 entries free
Application ID: NP_APP_ID_ACL_IPV6 (2)
Total: 1 vmr_ids, 5673 active entries, 5673 allocated entries.

show prm server tcam summary all acl all loc 0/0/cpu0 | i active entries
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
<snip>
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 1 vmr_ids, 5673 active entries, 5673 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
<snip>

Scale ACL – v6 example – test4 – compression L 3
load ftp://user:password@8.25.0.207/acl/test4-v6-comp3
Loading.
8011 bytes parsed in 1 sec (7995)bytes/sec
commit
end

sho run ipv6 access-list test4-v6-comp3


ipv6 access-list test4-v6-comp3
10 permit tcp net-group ng_1 port-group pg_1 net-group ng_2 port-group pg_2
20 permit tcp net-group ng_1 port-group pg_1 net-group ng_3 port-group pg_3
30 permit tcp net-group ng_1 port-group pg_1 net-group ng_3 port-group pg_4
40 permit tcp net-group ng_1 port-group pg_1 net-group ng_4 port-group pg_4
<snip>
<snip>
720 deny udp net-group ng_6 port-group pg_6 net-group ng_5 port-group pg_5
730 deny udp net-group ng_6 port-group pg_6 net-group ng_6 port-group pg_6
740 deny udp net-group ng_6 port-group pg_6 net-group ng_7 port-group pg_7
750 deny udp net-group ng_6 port-group pg_6 net-group ng_8 port-group pg_8
!
show access-lists ipv6 summary
ACL Summary:
Total ACLs configured: 1
Total ACEs configured: 75
Scale ACL – v6 example – test4 – compression L 3
show object-group network ipv6 ?
<snip>
object-group network ipv6 ng_1
members:
10:1:1::/48
11:1:1::/48
12:1:1::/48
13:1:1::/48

object-group network ipv6 ng_10


members:
10:1:1::/48
100:1:1::/48
101:1:1::/48
102:1:1::/48
<snip>

show object-group port ?


object-group port pg_1
members:
range 1000 1100
range 2000 2100
<snip>

Scale ACL – v6 example – test4 – compression L 3
show run interface ten 0/0/0/11

interface TenGigE0/0/0/11
load-interval 30
ipv6 access-group test4-v6-comp3 ingress compress level 3

show controller np ports all loc 0/0/cpu0


Node: 0/0/CPU0:
----------------------------------------------------------------
NP Bridge Fia Ports
-- ------ --- ---------------------------------------------------
0 -- 0 TenGigE0/0/0/0, TenGigE0/0/0/1, TenGigE0/0/0/2
1 -- 0 TenGigE0/0/0/3, TenGigE0/0/0/4, TenGigE0/0/0/5
2 -- 1 TenGigE0/0/0/6, TenGigE0/0/0/7, TenGigE0/0/0/8
3 -- 1 TenGigE0/0/0/9, TenGigE0/0/0/10, TenGigE0/0/0/11
4 -- 2 TenGigE0/0/0/12, TenGigE0/0/0/13, TenGigE0/0/0/14
<snip>
show access-lists ipv6 test4-v6-comp3 hardware ingress resource-usage loc 0/0/cpu0
NP : 3
Rules (ACE) : 78
ACL compression level : 3
Fields compressed : SrcIP, DstIP, SrcPort, DstPort
TCAM Entries used : 78 ( 16k total)
TCAM Key Width : 640 ( 560 total for compressed fields)
Fields Prefix count Bit width/rounded
~~~~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~
SourceIP 20 7/8 (of max 240)
DestIP 45 16/16 (of max 240)
SrcPort 69 5/8 (of max 240)
DstPort 169 8/8 (of max 240)
Total no. of bits used = 40 (of max 560) for compressed fields

Scale ACL – v6 example – test4 – compression L 3
show pfilter-ea fea summary loc 0/0/cpu0

******** NP Resource Usage Summary ************


Chan # 144-bit TCAM Entries 576-bit TCAM Entries Stats SS Hash Entries
========================================================================
0 0 0 0 0
1 0 0 0 0
2 0 0 0 0
3 0 78 78 0
4 0 0 0 0
5 0 0 0 0
6 0 0 0 0
7 0 0 0 0

Scale ACL – v6 example – test4 – compression L 3
show prm server tcam summary all acl all loc 0/0/cpu0
<snip>
TCAM summary for NP3:

TCAM Logical Table: TCAM_LT_L2 (1)


Partition ID: 0, priority: 2, valid entries: 3, free entries: 317
<snip>
TCAM Logical Table: TCAM_LT_ODS2 (2), free entries: 89275, resvd 128
ACL Common Region: 448 entries allocated. 448 entries free
Application ID: NP_APP_ID_IPV4_ACL (2)
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
TCAM Logical Table: TCAM_LT_ODS8 (3), free entries: 14679, resvd 128
ACL Common Region: 448 entries allocated. 448 entries free
Application ID: NP_APP_ID_ACL_IPV6 (2)
Total: 1 vmr_ids, 78 active entries, 78 allocated entries.

show prm server tcam summary all acl all loc 0/0/cpu0 | i active entries
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 1 vmr_ids, 78 active entries, 78 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
<snip>