[c-nsp] ACL tuning
bill fumerola
billf at mu.org
Tue Mar 11 21:01:05 EDT 2008
On Wed, Mar 05, 2008 at 10:21:54AM -0500, Justin M. Streiner wrote:
> I don't know if it's an absolute requirement anymore, but I still do it
> because it's a good idea. I'd think if the router is doing forwarding
> and ACL processing in software, tuning your ACLs is still a very good
> idea.
even if your forwarding/acl is done in hardware (6500/7600), there are
optimizations to be made. example: although logic would dictate otherwise,
using several 'eq' statements, even when a range can be used (for a
sufficiently small range), can reduce LOU usage.
see: http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml#wp43669
short answer to acl tuning: it's platform dependent.
i've also discovered some nasty (but very cost-saving) tricks that can
combine seemingly unrelated lines by using discontiguous networks/masks.
you really either need to generate them from a readable source, be the
only one who is reading/writing the resulting acls, or use comments
and/or remarks to explain the math.
--
- bill fumerola / billf at FreeBSD.org
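Added example for this thread (not the poster's code, and not a Cisco tool): a small generator that produces IOS extended ACL lines from a readable rule list, which is the "generate them from a readable source" approach the post recommends. It shows the two tricks mentioned: writing a short contiguous run of ports as several `eq` entries instead of one `range` (the post reports this can reduce LOU usage on 6500/7600; whether it helps is platform dependent, so the cut-off is a configurable assumption), and merging networks that differ in a few address bits into one entry with a discontiguous wildcard mask. `check_exact()` confirms that the merged mask matches exactly the intended addresses, which is the check to run before trusting any hand-made discontiguous mask. The rule list, ACL name, `EQ_THRESHOLD` value and all addresses are constructed for illustration.

```python
"""Generate IOS-style extended ACL lines from a readable rule list.

Added example for the cisco-nsp thread; not the poster's code. Names,
addresses and EQ_THRESHOLD are assumptions made for illustration.
"""
import ipaddress
from itertools import combinations

EQ_THRESHOLD = 4  # assumed cut-off: runs up to this long become 'eq' lines


def port_clauses(ports, threshold=EQ_THRESHOLD):
    """Turn a list of TCP ports into IOS port clauses.

    Contiguous runs no longer than `threshold` become one 'eq' per port;
    longer runs become a single 'range lo hi'.
    """
    ports = sorted(set(ports))
    clauses, i = [], 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        run = ports[i:j + 1]
        if len(run) <= threshold:
            clauses.extend(f"eq {p}" for p in run)
        else:
            clauses.append(f"range {run[0]} {run[-1]}")
        i = j + 1
    return clauses


def wildcard_entries(networks):
    """Merge IPv4 networks into (base, wildcard) integer pairs.

    Two entries with the same wildcard whose bases differ in exactly one
    bit collapse into one entry with that bit added to the wildcard; this
    repeats until nothing merges. Merging across non-adjacent bits is what
    produces a discontiguous mask such as 0.4.2.255.
    """
    entries = set()
    for n in networks:
        net = ipaddress.IPv4Network(n)          # strict: rejects host bits
        entries.add((int(net.network_address), int(net.hostmask)))
    merged = True
    while merged:
        merged = False
        for (b1, w1), (b2, w2) in combinations(sorted(entries), 2):
            diff = b1 ^ b2
            if w1 == w2 and diff and (diff & (diff - 1)) == 0:
                entries -= {(b1, w1), (b2, w2)}
                entries.add((min(b1, b2), w1 | diff))
                merged = True
                break
    return sorted(entries)


def matches(entry, addr):
    """IOS wildcard semantics: bits set in the wildcard are ignored."""
    base, wild = entry
    return (int(ipaddress.IPv4Address(addr)) & ~wild & 0xFFFFFFFF) == base


def check_exact(networks, entries):
    """True if `entries` match exactly the addresses in `networks`.

    Enumerates every address each wildcard covers, so it is meant for the
    small prefix sets an ACL is built from, not for huge ranges.
    """
    wanted = {int(a) for n in networks for a in ipaddress.IPv4Network(n)}
    got = set()
    for base, wild in entries:
        bits = [1 << i for i in range(32) if wild >> i & 1]
        for k in range(1 << len(bits)):
            got.add(base | sum(b for i, b in enumerate(bits) if k >> i & 1))
    return wanted == got


def parse_entry(text):
    """'10.1.1.0 0.4.2.255' -> (base, wildcard) integers."""
    base, wild = text.split()
    return int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wild))


def fmt(entry):
    base, wild = entry
    return f"{ipaddress.IPv4Address(base)} {ipaddress.IPv4Address(wild)}"


def build_acl(name, rules):
    """rules: (remark, source networks, destination clause, tcp ports)."""
    lines = [f"ip access-list extended {name}"]
    for remark, srcs, dst, ports in rules:
        entries = wildcard_entries(srcs)
        if not check_exact(srcs, entries):
            raise ValueError(f"merged entries do not match {srcs}")
        lines.append(f" remark {remark}: {' '.join(srcs)}")
        for e in entries:
            for clause in port_clauses(ports):
                lines.append(f" permit tcp {fmt(e)} {dst} {clause}")
    return lines


# Constructed sample rules: the readable source the ACL is generated from.
RULES = [
    ("monitoring to web vip",
     ["10.1.1.0/24", "10.1.3.0/24", "10.5.1.0/24", "10.5.3.0/24"],
     "host 192.0.2.10", [80, 443, 8080, 8081, 8082]),
    ("backup to storage", ["192.168.10.0/24", "192.168.11.0/24"],
     "any", list(range(3000, 3006))),
]


def example_acl():
    return build_acl("MON-TO-WEB", RULES)


if __name__ == "__main__":
    print("\n".join(example_acl()))
```

The four /24s in the first rule collapse to the single entry `10.1.1.0 0.4.2.255`, and the remark line carries the original prefixes so the next person reading the ACL can see where the mask came from. A mask that looks plausible but is wrong, such as `10.1.1.0 0.6.0.255` for the same four networks, fails `check_exact()` because it both misses 10.1.3.0/24 and admits 10.3.1.0/24 and 10.7.1.0/24.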