Posted by: Richard @ | October 10, 2008


Hi All,

I have to admit that I’ve been an awful blogger recently :-( (sorry!), I’m hoping to improve things in the near future – since starting @ Cisco I have been studying in sporadic spells of time instead of a fixed 2 hrs each evening which in turn has caused me to neglect this blog…

Anyway, I’ve got a few little things to update you on:

1) I’ve been tasked with becoming a “semi-specialist” in UC by my manager – this is due to a need for additional LGov UC resource.  What this means as far as I’m concerned is that I have a much bigger gap in knowledge to fill (compared to R&S) and therefore any spare time I have during the working day will more than likely be spent trawling through endless docs and labs making sure I’m up to the standard I would expect if I were a customer – on a business and technical level that is.  It’s a challenge I’m ready for and I always welcome additional knowledge to store in my memory banks.  It has been said to me in the past that Cisco tends to keep employees outside of their comfort zone – I have a feeling that this also contributed to the decision on what my specialisation will be…  Just to clarify – I do still have the full support of Cisco for my R&S CCIE quest :-)

2) David Bombal has continued the development of the Command Memorizer tool – it was already a great learning aid and his commitment to the development of it is great to see.  A number of other bloggers in the community have now used the software and some reviews are linked on the product page.

3) A new consolidated source for Enterprise Technical content has been launched on – it’s called “Design Zone”.  It’s organized around Network Architectures, Technologies and Vertical Industries and brings Cisco Validated Designs, legacy design guides and SRNDs, white papers, podcasts, videos together in one place – check it out @

4) I received an e-mail whilst in the office announcing that Solarwinds Real Time Netflow Analyzer is now free – a great tool to get started with Netflow…

5) From another e-mail –> Ever wanted to search, the IOS bug database, or the command lookup tool from the search box in IE or Firefox? –> add the Searches and Tools to Your Browser (instructions are included)

6) Another e-mail –> CCIE SP Mini-Scenarios by Antonio Soares – definitely worth taking a look at if you’re studying or interested in the CCIE SP track

7) I’ve been fortunate enough to come across some great presentations (with audio) down one of the dark corridors of the intranet here at Cisco.  I have watched some advanced (some of it is very advanced!) breakdowns of “Spanning Tree”, “MLS QoS”, and “RACLs/VACLs/PVLANs” – I’m very confident with Spanning Tree and the presentation confirmed that I should be able to deal with any STP tasks thrown at me in the exams, I did however learn one or two new things from the “MLS QoS” and “RACLs/VACLs/PVLANs” breakdowns.
I thought it would be nice to share some ACL theory with you to see whether it is known/used in the wild by anyone?  If not, and you’re currently studying towards the CCIE R&S, I just know you’ll be really happy with me for introducing you to some extremely technical non-blueprint information after reading this :-)

Let’s start with a simple “Yes or No” question:

Q) You’ve just added an ACE to an ACL and now you’re being told that your switch’s TCAM is full – will the ACE still be added and processed by the switch?






Yes, the route processor will process the ACE after the rest of the ACL has been handled by the TCAM

Relatively easy if you’ve read a bit about the subject.  Now, let’s get deep into ACLs, and how they affect hardware resources…

Take a look at the following configuration on a 6500:

10  access-list 101 permit udp range 16384 32767 range 16384 32767
20  access-list 101 permit udp range 16384 32767 range 16384 32767
30  access-list 101 permit udp host eq 53
40  access-list 101 permit udp host eq 53
50  access-list 101 permit tcp eq 80
60  access-list 101 permit tcp eq 22
70  access-list 101 permit tcp gt 1023
80  access-list 101 permit tcp eq 22
90  access-list 101 permit tcp host eq 443

Q1) How many “Mask Patterns” exist in the ACL?
Q2) How many “Mask Slots” will the ACL above consume in the TCAM?
Q3) How many “L4 Ops” are in the ACL?
Q4) How many “LOUs” does the ACL populate?





A “Mask Pattern” is a unique mask length in an ACL.  The unique masks from the ACL above are,,,,,,,, and (“host”), and therefore, 9 “Mask Patterns” exist.

A “Mask Slot” stores Mask Patterns.  Each slot has space to hold 8 patterns and a new slot is created each time space runs out (i.e. 8 patterns = 1 slot, 9 patterns = 2 slots, 16 patterns = 2 slots, 17 patterns = 3 slots, etc.).  The number of slots used by the ACL above is therefore 2 –> The 9th pattern triggered the 2nd slot.

An “L4 Op” (“Layer 4 Operation”) is an occurrence of a “gt”, “lt”, “neq”, or “range” keyword in an ACL – all of which require some level of software processing.  “eq” is not included as it is dealt with by hardware.  If the same L4 Op occurs at the same point of two ACEs it only counts as 1 L4 Op (e.g. see lines 10 vs 20 – “range 16384 32767” = 2 Ops and not 4).  The answer to this question is 3 – in lines 10, 20, and 70.

A “LOU” (“Logical Operation Unit”) stores L4 Ops.  Each LOU is made up of two hardware registers.  ACEs that include a “gt”, “lt”, or “neq” consume 1/2 LOU, whereas the “range” keyword consumes one full LOU.  The LOU registers are system wide, the number available is platform independent, they are shared between ACLs and QoS, and if all LOUs are populated additional ACEs are processed entirely in software.  The number of LOUs populated by the ACL above = 2.5 –> 1 + 1 + 0.5

Believe me, that stuff is just the tip of the iceberg!  And my explanations probably don’t tell you everything you need to know to understand what’s going on.  The general rule is that a hardware limit for each one of the items above exists, and software will be used after the limit has been reached (possibly affecting performance).  For more information click here.
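To make the four counting rules above concrete, here is a small script (an added example, not part of the original post and not a Cisco tool) that parses IOS extended ACEs and applies the post’s rules: unique wildcard masks become Mask Patterns, 8 patterns fill a Mask Slot, every distinct gt/lt/neq/range at a given position (source or destination) is one L4 Op, and each L4 Op costs one LOU for “range” or half a LOU otherwise. Because the addresses in the ACL shown above were lost in extraction, the script runs on a constructed ACL with made-up 10.x.x.x addresses that mirrors the structure of the original nine lines (the same ports and operators, nine distinct masks). Treating “host” as a 0.0.0.0 wildcard and “any” as a 255.255.255.255 wildcard is my assumption; the post only states that “host” counts as a mask.

```python
"""Estimate Catalyst 6500 TCAM / LOU consumption of an IOS extended ACL.

Added example: applies the counting rules from the blog post (Mask Patterns,
Mask Slots, L4 Ops, LOUs) to a constructed sample ACL. Not a Cisco tool.
"""
import math

PORT_OPS = ("eq", "gt", "lt", "neq", "range")
# Cost of one unique L4 operation in LOUs, as stated in the post:
# "range" fills a whole LOU (both registers), gt/lt/neq fill half,
# "eq" is handled directly by the hardware and needs no LOU.
LOU_COST = {"range": 1.0, "gt": 0.5, "lt": 0.5, "neq": 0.5}
PATTERNS_PER_SLOT = 8


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (wildcard mask, next index)."""
    if tokens[i] == "any":                # assumption: "any" == 255.255.255.255 wildcard
        return "255.255.255.255", i + 1
    if tokens[i] == "host":               # "host A.B.C.D" is shorthand for a 0.0.0.0 wildcard
        return "0.0.0.0", i + 2
    return tokens[i + 1], i + 2           # explicit "address wildcard" pair


def _parse_port(tokens, i):
    """Consume an optional port operator at tokens[i]; return (op tuple | None, next index)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        if tokens[i] == "range":
            return (tokens[i], tokens[i + 1], tokens[i + 2]), i + 3
        return (tokens[i], tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse '[seq] access-list N permit|deny proto SRC [op] DST [op]' (tcp/udp/ip)."""
    tokens = line.split()
    if tokens and tokens[0].isdigit():    # drop a leading sequence number ("10 access-list ...")
        tokens = tokens[1:]
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an extended ACE: {line!r}")
    src_mask, i = _parse_addr(tokens, 4)
    src_op, i = _parse_port(tokens, i)
    dst_mask, i = _parse_addr(tokens, i)
    dst_op, i = _parse_port(tokens, i)
    return {"proto": tokens[3], "src_mask": src_mask, "src_op": src_op,
            "dst_mask": dst_mask, "dst_op": dst_op}


def slots_needed(n_patterns):
    """Mask Slots consumed by n Mask Patterns: 8 per slot (8 -> 1, 9 -> 2, 17 -> 3)."""
    return math.ceil(n_patterns / PATTERNS_PER_SLOT)


def analyse_acl(lines):
    """Return the four resource counts the post defines for an ACL."""
    masks = set()
    l4_ops = set()                        # (position, op) so a repeat at the same point counts once
    for line in lines:
        ace = parse_ace(line)
        masks.update((ace["src_mask"], ace["dst_mask"]))
        for position in ("src_op", "dst_op"):
            op = ace[position]
            if op is not None and op[0] != "eq":
                l4_ops.add((position, op))
    return {
        "mask_patterns": len(masks),
        "mask_slots": slots_needed(len(masks)),
        "l4_ops": len(l4_ops),
        "lous": sum(LOU_COST[op[0]] for _, op in l4_ops),
    }


# Constructed sample ACL (made-up addresses) mirroring the post's nine ACEs:
# same ports/operators, nine distinct wildcard masks including "host".
SAMPLE_ACL = [
    "10 access-list 101 permit udp 10.1.0.0 0.0.255.255 range 16384 32767 10.2.0.0 0.0.0.255 range 16384 32767",
    "20 access-list 101 permit udp 10.3.0.0 0.0.255.255 range 16384 32767 10.4.0.0 0.0.0.255 range 16384 32767",
    "30 access-list 101 permit udp 10.1.0.0 0.0.255.255 host 10.5.5.5 eq 53",
    "40 access-list 101 permit udp 10.6.0.0 0.0.0.255 host 10.5.5.6 eq 53",
    "50 access-list 101 permit tcp 10.7.0.0 0.0.0.127 10.2.0.0 0.0.0.255 eq 80",
    "60 access-list 101 permit tcp 10.7.0.0 0.0.0.63 10.2.0.0 0.0.0.255 eq 22",
    "70 access-list 101 permit tcp 10.8.0.0 0.0.0.31 10.2.0.0 0.0.0.255 gt 1023",
    "80 access-list 101 permit tcp 10.9.0.0 0.0.0.15 10.11.0.0 0.0.0.3 eq 22",
    "90 access-list 101 permit tcp 10.10.0.0 0.0.0.7 host 10.5.5.7 eq 443",
]

if __name__ == "__main__":
    for name, value in analyse_acl(SAMPLE_ACL).items():
        print(f"{name:14s} {value}")
```

Run against the sample it reports 9 mask patterns, 2 mask slots, 3 L4 ops and 2.5 LOUs, the same answers as the quiz. The useful part for a practitioner is the dedup key: the two “range 16384 32767” operators on line 10 are different L4 Ops because they sit at different positions, while line 20 repeating them adds nothing, which is exactly why rewriting ACEs to reuse the same operator at the same position saves LOUs.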

8) After having a few questions fired at me by Channel Partners and Customers during my first few days on the job I realised that the answers might be of use to the readers of this blog. Here are a couple – I’ll try to publish the interesting/useful ones as they come along:

Q1) “Is it possible to field upgrade a Cat 6509 chassis to a 6509-E. Reason for doing this is to install a SUP-720-10G initially with a view to implementing VSS next year. Looking on CCO it says SUP-720-10G is supported in a 6509 chassis but doesn’t confirm this will work with VSS?”

After a chat this was translated to:
“Will the VSS SUP720 work in the standard 6509, and if the answer is yes, can a VSL (VSS) be created between a standard 6509 and a 6509E?”

Yes and Yes: “From a chassis perspective, both E-Series chassis and non E-Series chassis are supported within a Cisco Virtual Switching System environment, with the exception of the Cisco Catalyst 6503 (non E-Series) and Cisco Catalyst 6509-NEB”
“It should be noted that there is no requirement that the two members of the Cisco Virtual Switching System use the same chassis type. The members consisting of the Cisco Virtual Switching System can be different chassis with varying slot counts”

Q2) “The Unified Communications 500 series ‘Baby Call Manager’ – does this support 7941, 7911 & 7921 wireless handsets. The data sheet suggests it does but I’ve got people telling me it doesn’t. Was hoping you could clarify??”

Yes, it does support “standard” Cisco UCM compatible phones
