HP 5120 : 4Stack and Memory used 75% can insert ACL?
SOLVED
jetsettronn
Occasional Advisor

HP 5120: I have a 4-switch stack and I want to insert an ACL with a policy to deny some TCP/UDP ports, but display memory shows 75% used. If I insert the ACL, will that affect the switch's resources?


Thank you.

6 REPLIES
VoIP-Buddy
HPE Pro

Re: HP 5120 : 4Stack and Memory used 75% can insert ACL?

Hi jetsettronn!

As far as ACLs are concerned, the resources they consume are in the network chipset, with a minimal amount in memory.  I don't think your memory will be an issue.  You may, however, have ACL resource limits depending on how you apply the ACL.

Happy New Year!

Regards,

David


sdide
Respected Contributor

Re: HP 5120 : 4Stack and Memory used 75% can insert ACL?

Hi,

I don't have a 5120, but I do have a 5130, and I can say that I did a

]display memory
The statistics about memory is measured in KB:
Slot 1: 
             Total      Used      Free    Shared   Buffers    Cached   FreeRatio
Mem:        903332    323464    579868         0       928    116888       64.3%
-/+ Buffers/Cache:    205648    697684
Swap:           0         0         0

Then I made an IPv6 extended ACL with 200 rules, applied it to all interfaces and displayed memory again:

]display memory
The statistics about memory is measured in KB:
Slot 1: 
             Total      Used      Free    Shared   Buffers    Cached   FreeRatio
Mem:        903332    323712    579620         0       928    117064       64.3%
-/+ Buffers/Cache:    205720    697612
Swap:           0         0         0

The 5130 has around 1 GB of memory, and the list took (it seems, in memory) 248 KB, which didn't even change the last digit of the "FreeRatio", so I think you'll be fine, unless the 5120 works very differently.

That said, you asked if it will affect the switch resources. I think that might depend on how your ACL looks and where it is applied. Normally on an interface the ACL is applied in hardware and should as such not affect performance, but ACLs applied to VTYs and the like might be implemented in software and can take resources from the MPU. Logging events in the ACL also needs to be considered for the same reason.

Regards

Søren Dideriksen, Network Administrator
Region Midtjylland
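To make the before/after comparison above repeatable on other snapshots, here is an added example (mine, not from the thread) that parses Comware 7 `display memory` output and reports how much each counter moved; it also splits the growth of "Used" into page cache and process memory using the -/+ Buffers/Cache row, which the switch prints in the same form as Linux `free`.

```python
import re

# Input copied from the two `display memory` snapshots quoted in the reply
# above (5130, Comware 7), before and after loading a 200-rule IPv6 ACL.
BEFORE = """\
The statistics about memory is measured in KB:
Slot 1:
             Total      Used      Free    Shared   Buffers    Cached   FreeRatio
Mem:        903332    323464    579868         0       928    116888       64.3%
-/+ Buffers/Cache:    205648    697684
Swap:           0         0         0
"""
AFTER = """\
The statistics about memory is measured in KB:
Slot 1:
             Total      Used      Free    Shared   Buffers    Cached   FreeRatio
Mem:        903332    323712    579620         0       928    117064       64.3%
-/+ Buffers/Cache:    205720    697612
Swap:           0         0         0
"""

MEM_RE = re.compile(r"^Mem:\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)%")
BUFCACHE_RE = re.compile(r"^-/\+ Buffers/Cache:\s+(\d+)\s+(\d+)")

def parse_display_memory(text):
    """Parse one slot of Comware 7 `display memory` output into KB values."""
    stats = {}
    for line in text.splitlines():
        m = MEM_RE.match(line)
        if m:
            keys = ("total", "used", "free", "shared", "buffers", "cached")
            stats.update(zip(keys, (int(v) for v in m.groups()[:6])))
            stats["free_ratio"] = float(m.group(7))
            continue
        m = BUFCACHE_RE.match(line)
        if m:
            # Linux-style row: Used/Free with buffers and page cache factored
            # out, i.e. the memory actually held by processes.
            stats["used_nocache"], stats["free_nocache"] = (int(v) for v in m.groups())
    if "used" not in stats or "used_nocache" not in stats:
        raise ValueError("unrecognised display memory output")
    return stats

def memory_delta(before, after):
    """KB growth of each counter between two snapshots (negative means it shrank)."""
    b, a = parse_display_memory(before), parse_display_memory(after)
    d = {k: a[k] - b[k] for k in ("used", "cached", "buffers", "used_nocache")}
    d["free_ratio_pts"] = round(a["free_ratio"] - b["free_ratio"], 1)
    return d
```

For the quoted snapshots this reports 248 KB more "Used", of which 176 KB is page cache and only 72 KB is non-cache memory, with FreeRatio unchanged.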
jetsettronn
Occasional Advisor

Re: HP 5120 : 4Stack and Memory used 75% can insert ACL?

Thank you, sir. I will apply the ACL and test; after that I will report the result.

VoIP-Buddy
HPE Pro

Re: HP 5120 : 4Stack and Memory used 75% can insert ACL?

Søren,

There is a major difference between the two platforms.  5120s run Comware 5; 5130s run Comware 7.  Comware 5 is a proprietary OS; Comware 7 is an extremely locked-down Linux.  As a result they work differently.

We'll see what happens when he applies the ACL.

Regards,

David

jetsettronn
Occasional Advisor

Re: HP 5120 : 4Stack and Memory used 75% can insert ACL?

What is an extremely locked-down Linux? Could you please explain it?

As Comware 5 is a proprietary OS, does that impact memory when I insert many lines of ACL rules?

Thank you.

sdide
Respected Contributor
Solution

Re: HP 5120 : 4Stack and Memory used 75% can insert ACL?

Hi,

It's just two different operating systems. I don't think it matters, in regards to ACLs, specifically which ones they are (proprietary or open source) unless you plan to look at the source code, or know exactly how they work.

I still think they both work within reason. That is, if I make an access list and put it on an interface, that access list is implemented/programmed onto the hardware ASIC controlling the interface, thereby not stressing the CPU.

An alternative way is to implement the ACL in software. "Software" meaning that each packet needs to be processed by the CPU; hence this does not perform very well if there are lots of packets. Any sane implementation of ACLs on interfaces - on a switch - is done in hardware (unless you have a CPU you know is up to the task).

That said, some types of interfaces do not have a specific hardware ASIC assigned to them (could be VTY or loopback or other types). Those types of (virtual) interfaces can only have ACLs implemented in software (sending packets to the CPU), and hence do not scale well with the number of packets.

It would be really nice if HPE clearly stated these features, per switch model, in the configuration guides.

In the "HP 5120 EI series ACL and QoS Configuration Guide" the following is stated on page "1":

Applications on the switch
An ACL is implemented in hardware or software, depending on the module that uses it. If the module, the
packet filter or QoS module for example, is implemented in hardware, the ACL is applied to hardware
to process traffic. If the module, the routing or user interface access control module (Telnet, SNMP, or web)
for example, is implemented in software, the ACL is applied to software to process traffic.
The user interface access control module denies packets that do not match any ACL. Some modules, QoS
for example, ignore the permit or deny action in ACL rules and do not base their drop or forwarding
decisions on the action set in ACL rules. See the specified module for information about ACL application.
 
In the "HPE 5130 HI ACL and QoS Configuration Guide" the same passage states:

Applications on the switch
An ACL is implemented in hardware or software, depending on the module that uses it.
• If the module is implemented in hardware, the ACL is applied to hardware to process traffic.
Example modules are packet filter and QoS.
• If the module is implemented in software, the ACL is applied to software to process traffic.
Example modules are routing and login management.
 
The login management module denies packets that do not match any ACL rule. Some modules (QoS
for example) ignore the action in the matching ACL rule, and they do not base their drop or
forwarding decisions on the ACL rules. For information about how a module uses ACLs, see the
configuration guide or command reference for the module.
 
So basically nothing has changed - well, maybe the manual got slightly better. I haven't actually checked if the guides describing each module state specifically how ACLs are implemented. A little overview in the ACL guide would have been nice.
 
Regards
Søren Dideriksen, Network Administrator
Region Midtjylland