Cisco 10000 Series Router Software Configuration Guide, OL-2226-23
Chapter 2 Scalability and Performance, page 2-3

Limitations and Restrictions

The Cisco 10000 series router has the following limitations and restrictions for scalability and performance:

• When Layer 4 Redirect (L4R) service is applied without Port Bundle Host Key (PBHK) service, all translations are done in the PXF, except for those translations that encounter a collision condition. A collision occurs when a subscriber has two simultaneous TCP connections whose source ports have the same Modulo 64 result.

For example, the subscriber has an active TCP connection on source port 1026, and while this connection is still alive the subscriber starts another TCP connection on source port 1090. A collision is created because the Modulo 64 result for both source ports (1026 and 1090) is 2. In this example, L4R translation for the first traffic stream is done in the PXF, and for the second TCP stream the packets are sent to the route processor (RP), where the L4R translation is done. This separation prevents collisions.

• When the PBHK service is applied with L4R service, certain restrictions apply:

– When the destination IP address in any one of the access control entries of the PBHK ACL matches the redirect server IP address, then both L4R and PBHK translations are done in the RP.

– When the destination IP address in the access control entries of the PBHK ACL does not match the redirect server IP address, then L4R translations are done in the PXF, and the packets that match the PBHK ACL are translated in the RP.

For configuration examples, see the “Layer 4 Redirect Scaling” section on page 2-4.

• Certain restrictions apply on L4R translations for IP subnet sessions. If two subscribers send TCP traffic using the same source port, then L4R translation for the common port is done in the RP. However, if a group of IP subscribers in an IP subnet session send traffic on different source ports, then L4R translations for all the subscribers are done in the PXF.

• For permanent L4R service, you can scale up to the number of sessions listed in Table 2-3. Scaling beyond these sessions can lead to an increase in CPU usage that is beyond the recommended limits.

• You can apply access control lists (ACLs) to virtual access interfaces (VAIs) by configuring them under virtual template interfaces. You can also configure ACLs by using RADIUS attribute 11 or 242. Prior to Cisco IOS Release 12.2(28)SB, when you used attribute 242, a maximum of 30,000 sessions could have ACLs; this restriction was removed in release 12.2(28)SB and subsequent releases.

• For PRE2, the Cisco 10000 series router supports mini-ACLs (eight or fewer access control entries) and turbo ACLs (more than eight access control entries) for non-SSG interfaces. The limit for mini-ACLs is 32,000. The limit for turbo ACLs depends on the complexity of the defined ACLs. For PRE3, the Cisco 10000 series router does not use mini-ACLs.

• For SSG (RADIUS) configurations on PRE2, the following limitations apply:
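The two L4R placement rules above (per-subscriber source-port Modulo 64 collisions, and shared source ports within an IP subnet session) can be modelled to estimate how many flows a given traffic mix would punt to the route processor. The following is an added example written for this page, not Cisco code and not taken from the configuration guide; it assumes that flows are processed in arrival order, that the first live flow to occupy a subscriber's modulo-64 slot stays in the PXF while later colliding flows go to the RP, and the subscriber addresses and ports are constructed sample values.

```python
"""Model of where Layer 4 Redirect (L4R) translation is performed on the
Cisco 10000 (PXF vs. route processor), following the rules described in
the guide text.  Added illustration, not Cisco code.  Assumptions that the
page does not state: flows are classified in arrival order, and the first
flow holding a given "source port modulo 64" slot for a subscriber keeps
the PXF path while later colliding flows are sent to the RP."""

from collections import defaultdict

MODULO = 64  # the collision key the page describes: TCP source port mod 64


def l4r_path_per_subscriber(flows):
    """flows: list of (subscriber_ip, tcp_source_port) in arrival order, for
    individual subscriber sessions with L4R applied and no PBHK.
    Returns a list of (subscriber_ip, port, 'PXF' | 'RP')."""
    slots_in_use = defaultdict(set)  # subscriber -> occupied mod-64 slots
    result = []
    for subscriber, port in flows:
        slot = port % MODULO
        if slot in slots_in_use[subscriber]:
            # A second simultaneous connection with the same Modulo 64 result
            # is a collision: this stream is punted to the route processor.
            result.append((subscriber, port, "RP"))
        else:
            slots_in_use[subscriber].add(slot)
            result.append((subscriber, port, "PXF"))
    return result


def l4r_path_subnet_session(flows):
    """Same input shape, but for subscribers that share one IP subnet session.
    Rule from the page: a source port used by two or more subscribers in the
    session is translated in the RP; ports used by only one subscriber stay
    in the PXF.  Here the collision is on the full port, not port mod 64."""
    users_of_port = defaultdict(set)
    for subscriber, port in flows:
        users_of_port[port].add(subscriber)
    return [
        (subscriber, port, "RP" if len(users_of_port[port]) > 1 else "PXF")
        for subscriber, port in flows
    ]


def rp_punt_count(classified):
    """Number of flows that end up on the route processor: the figure to
    watch when checking CPU headroom against the scaling limits."""
    return sum(1 for _, _, path in classified if path == "RP")


if __name__ == "__main__":
    # Constructed sample flows, not captured data.
    individual = [
        ("10.0.0.5", 1026),  # first flow, slot 2 -> PXF
        ("10.0.0.5", 1090),  # 1090 % 64 == 2 again -> collision -> RP
        ("10.0.0.5", 1027),  # slot 3, no collision -> PXF
        ("10.0.0.6", 1026),  # different subscriber, own slots -> PXF
    ]
    subnet = [
        ("10.1.0.10", 40000),  # port shared with the next subscriber -> RP
        ("10.1.0.11", 40000),  # -> RP
        ("10.1.0.12", 40001),  # unique port -> PXF
    ]
    for entry in l4r_path_per_subscriber(individual):
        print("individual session:", entry)
    for entry in l4r_path_subnet_session(subnet):
        print("subnet session:    ", entry)
    print("RP punts (individual):", rp_punt_count(l4r_path_per_subscriber(individual)))
    print("RP punts (subnet):    ", rp_punt_count(l4r_path_subnet_session(subnet)))
```

The per-subscriber function reproduces the guide's worked example exactly: 1026 and 1090 both give 2 under Modulo 64, so the second stream goes to the RP while 1027 and another subscriber's 1026 stay in the PXF. Running the model over a representative port distribution gives a quick estimate of how much L4R work lands on the RP before the router is deployed against real subscriber load.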

Table 2-3   Scaling Limit of L4R Sessions

Cisco IOS Release    PRE2     PRE3     PRE4
12.2(31)SB           4000     4000     (not listed)
12.2(33)SB           4000     16000    16000
