Configuring huge access control lists has often been one of the more burdensome administrative tasks for network staff. Nowadays there are so many more devices, computers, servers and even ports which need individual access rights assigned. This useful video shows how the NCS 5500 confronts this issue, and it’s explained in great detail by a Cisco professional.

Transcript reproduced below:

Today let’s talk about security on the NCS 5500 and, more precisely, let’s talk about what we call hybrid access lists. My name is Nicolas Fevrier and I’m a technical leader in Cisco SPBU. In a recent article, we presented how traditional, or flat, security access lists were implemented on the NCS 5500 routers. We invite you to check this article if you’re curious to understand how a flat ACL works, where it can be used, where we store the data, what the scale is and the many configuration options. You can find the link in the description of this video. Today, we will demonstrate the flexibility and the really impressive scalability you can get with another kind of access list: the hybrid ones. It’s a feature sometimes named Scale ACL or Compressed ACL; it’s the same thing. First thing to note: we need a specific hardware architecture to operate it.

That’s why it’s supported on routers and line cards based on external TCAM only. They are easily identified by a “-SC” at the end of the product name. Hybrid ACL requires eTCAM, and it’s true whether the product is based on Jericho or Jericho+ ASICs. Second thing to note: hybrid ACLs can only be applied in the ingress direction and can only be used for IPv4 and IPv6. We will start by introducing the concept of object groups, for instance network object groups and port object groups.

As the name implies, it’s a simple construct made of prefixes or hosts on the one hand and a list of ports on the other hand. For example, this network object group for my email servers contains 17 entries: host routes but also networks like /23, /24, /25. And this port object group contains the ports I want to open for my email servers; there are 8 entries in it. In a traditional, or flat, access list I would need to create one line for each host and prefix, and for each one of them I would need to specify the port I want to open. In my case, that will be 17 x 8, that’s 136 lines. With hybrid ACL that can be reduced to just one line. With this single line, I’m describing traffic coming from everywhere and every port and targeted to the matrix composed by every combination of the elements of my net-group and port-group. With the expanded keyword in this show command, I can verify that indeed it’s 136 entries.

Of course my ACL filter-in can contain hundreds of permit and deny lines, and they can be based or not on net-group and port-group. Now let’s imagine that I have a new email server in my network. I simply need to edit my object group and add this .157 host address. Automatically all the relevant ports are added to it, and the total of entries moves to 144. You easily understand now the flexibility this approach brings to your access list management, but I also mentioned scalability, and indeed with hybrid ACLs we can create huge filters, something that wouldn’t be even remotely possible with a flat access list. On one line of ACL entry we can use objects for source and destination, addresses and ports, so it’s potentially a 4D matrix. Let’s take a very big example to illustrate that: I will use a source net-group of 500 entries with a port-group of 500 entries also, and a destination net-group of 50 entries with a port-group of 10 entries.
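The object groups and the single hybrid ACE described above, as an added IOS XR configuration example that is not from the video or from Cisco’s material. The group names, addresses and ports are constructed; the interface name and the `compress level` keyword on the access-group line are assumptions about the platform syntax, not taken from the transcript.

```cisco
! Constructed example: network object group for the email servers,
! mixing host entries with prefixes as the video describes.
object-group network ipv4 EMAIL-SERVERS
 host 192.0.2.10
 host 192.0.2.11
 198.51.100.0/25
 203.0.113.0/24
!
! Constructed example: the ports to open toward those servers.
object-group port EMAIL-PORTS
 eq 25
 eq 465
 eq 587
 eq 993
!
! One hybrid ACE covers every (prefix, port) combination of the two
! groups: 4 network entries x 4 port entries = 16 flat lines, in one line.
! Adding a fifth host to EMAIL-SERVERS raises the expansion to 20
! without touching the access list itself.
ipv4 access-list filter-in
 10 permit tcp any net-group EMAIL-SERVERS port-group EMAIL-PORTS
 20 deny ipv4 any any
!
! Hybrid ACLs are ingress-only. The interface name and the compress
! level keyword are assumptions (not from the video).
interface HundredGigE0/0/0/0
 ipv4 access-group filter-in ingress compress level 3
!
! Check the expanded entry count with the "expanded" keyword the
! video mentions (exact show syntax assumed):
! show access-lists ipv4 filter-in expanded
```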

That single line represents 125 million lines of a flat access list. What does it represent in terms of memory occupation? A part of the ACL will be placed in the eTCAM, for instance the destination ports, and the rest, the source and destination prefixes and the source ports, will be stored in the external TCAM. You can see the numbers in this show command. Something also very important to mention: the performance in terms of PPS is not impacted by the application of this access list. I invite you to read the blog post for more technical details like the compression or the carving of the eTCAM, and actually much more. I hope this was useful; don’t hesitate to ask questions or provide your comments, we are looking for your feedback. Thanks a lot for watching, see you soon.
