[c-nsp] ACL performance question

Satish Patel satish.txt at gmail.com
Sat Aug 20 16:23:19 EDT 2016


We have an ASR1006 router, and we are running an ACL on it to allow specific
ports to specific servers.

Question: is there any ACL performance impact for individual IPs vs. a full
subnet? Like the following example.

We have a 202.100.100.0/24 subnet; now I want to use the first 200 IPs for
web server port 80 and the remaining 55 (whatever) for mail service port 25.

Now how do I tell the ACL to isolate them or subnet them? The other option I
have is to create an individual ACL entry for each IP like the following, but
the question is: does it impact router performance?

access-list 102 permit tcp any host 202.100.100.1 eq www
access-list 102 permit tcp any host 202.100.100.2 eq www
access-list 102 permit tcp any host 202.100.100.3 eq www
access-list 102 permit tcp any host 202.100.100.4 eq www
...
...
access-list 102 permit tcp any host 202.100.100.201 eq smtp
access-list 102 permit tcp any host 202.100.100.202 eq smtp

What would be the best approach here?
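Added example (not from the post or the list): a small Python script that collapses each contiguous host range into the minimal set of wildcard-mask entries for numbered ACL 102, then expands the generated entries back out and checks that they match exactly the intended hosts, so an over-wide wildcard cannot silently permit extra addresses. It assumes the web range is .1 to .200 and the mail range .201 to .254 (the .0 and .255 addresses are left out), and uses Cisco's `www`/`smtp` port keywords as in the post.

```python
from ipaddress import IPv4Address, summarize_address_range

ACL_NUMBER = 102  # same ACL number as in the post

# Constructed ranges: (first host, last host, port keyword).
RANGES = [
    ("202.100.100.1", "202.100.100.200", "www"),
    ("202.100.100.201", "202.100.100.254", "smtp"),
]


def range_to_networks(first, last):
    """Minimal list of CIDR blocks covering first..last inclusive."""
    return list(summarize_address_range(IPv4Address(first), IPv4Address(last)))


def acl_entry(net, port, acl=ACL_NUMBER):
    """Render one block as a numbered ACL line; the wildcard is the inverted mask."""
    if net.prefixlen == 32:
        target = f"host {net.network_address}"
    else:
        target = f"{net.network_address} {net.hostmask}"
    return f"access-list {acl} permit tcp any {target} eq {port}"


def build_acl(ranges):
    """Aggregated ACL lines for all ranges, in order."""
    return [acl_entry(net, port)
            for first, last, port in ranges
            for net in range_to_networks(first, last)]


def hosts_matched(ranges):
    """Expand the aggregated entries back into (ip, port) pairs. Iterating a
    network yields every address in it, so any over-permit shows up here."""
    return {(str(ip), port)
            for first, last, port in ranges
            for net in range_to_networks(first, last)
            for ip in net}


def intended_hosts(ranges):
    """The (ip, port) pairs the per-host ACL in the post would have allowed."""
    return {(str(IPv4Address(n)), port)
            for first, last, port in ranges
            for n in range(int(IPv4Address(first)), int(IPv4Address(last)) + 1)}


if __name__ == "__main__":
    lines = build_acl(RANGES)
    assert hosts_matched(RANGES) == intended_hosts(RANGES)  # no over-permit
    print("\n".join(lines))
    print(f"! {len(lines)} entries instead of {len(intended_hosts(RANGES))}")
```

The two ranges collapse to 19 entries instead of 254, and the final check fails loudly if the wildcard aggregation ever admits an address outside the intended range.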


More information about the cisco-nsp mailing list