[c-nsp] ACL performance question

Randy randy_94108 at yahoo.com
Sat Aug 20 17:38:49 EDT 2016


----- Original Message -----

From: Satish Patel <satish.txt at gmail.com>
To: Cisco Network Service Providers <cisco-nsp at puck.nether.net>
Sent: Saturday, August 20, 2016 1:23 PM
Subject: [c-nsp] ACL performance question

We have an ASR1006 router and we are running an ACL on it to allow a specific
port to a specific server.

Question: is there any ACL performance impact for individual IPs vs. a full
subnet, like the following example?

We have the 202.100.100.0/24 subnet; now I want to use the first 200 IPs for
web server port 80 and the remaining 55 (whatever) for mail service port 25.

Now how do I tell the ACL to isolate them or subnet them? The other option I
have is to create an individual ACL entry for each IP like the following, but
the question is: does it impact router performance?

access-list 102 permit tcp any host 202.100.100.1 eq www
access-list 102 permit tcp any host 202.100.100.2 eq www
access-list 102 permit tcp any host 202.100.100.3 eq www
access-list 102 permit tcp any host 202.100.100.4 eq www
...
...
access-list 102 permit tcp any host 202.100.100.201 eq smtp
access-list 102 permit tcp any host 202.100.100.202 eq smtp


What would be the best approach here?
----------------------------------------------------------------------------------------------------

You ask *interesting-generic* questions. Answers will vary.

Generally speaking:

a) If the ACL in question gets implemented in hardware, you will run out of LOUs before TCAM exhaustion.
b) In software: how many such entries will you have? 4 - you are OK. 1000 - not so much. ACEs are processed sequentially.

How about you do a little bit of legwork yourself?

./Randy
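The "how do I subnet them" part of the question can be answered mechanically: a contiguous host range splits into a small number of aligned blocks, and each block is one ACE with a wildcard mask. The script below is an added example (not from either poster); it uses Python's standard ipaddress module to generate the IOS lines for the .1-.200 / .201-.255 split described above, counts the resulting ACEs against the one-line-per-host approach, and verifies that the generated blocks match exactly the intended hosts and nothing else.

```python
import ipaddress
from typing import List, Set

# Constructed from the question: 202.100.100.0/24, with .1-.200 serving
# web (port 80) and .201-.255 serving mail (port 25).
WEB_RANGE = ("202.100.100.1", "202.100.100.200")
MAIL_RANGE = ("202.100.100.201", "202.100.100.255")


def range_to_blocks(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Split an inclusive IPv4 host range into the fewest aligned CIDR blocks.

    Each block becomes one ACE with a wildcard mask, so the length of the
    result is the number of ACEs needed to cover the range.
    """
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def acl_entries(acl: int, first: str, last: str, port: str) -> List[str]:
    """Render IOS numbered extended ACL lines, one per aligned block."""
    lines = []
    for net in range_to_blocks(first, last):
        if net.prefixlen == 32:
            dst = f"host {net.network_address}"
        else:
            # IOS takes address + wildcard (inverted) mask, e.g. 0.0.0.63 for a /26
            dst = f"{net.network_address} {net.hostmask}"
        lines.append(f"access-list {acl} permit tcp any {dst} eq {port}")
    return lines


def hosts_matched(first: str, last: str) -> Set[ipaddress.IPv4Address]:
    """Every address the generated blocks match (used to verify coverage)."""
    matched: Set[ipaddress.IPv4Address] = set()
    for net in range_to_blocks(first, last):
        matched.update(net)  # iterating a network yields all its addresses
    return matched


def expected_hosts(first: str, last: str) -> Set[ipaddress.IPv4Address]:
    """The addresses the operator intended to cover, one by one."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return {ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)}


if __name__ == "__main__":
    for (first, last), port in ((WEB_RANGE, "www"), (MAIL_RANGE, "smtp")):
        lines = acl_entries(102, first, last, port)
        # Over- or under-matching here would be a silent policy error.
        assert hosts_matched(first, last) == expected_hosts(first, last)
        print(f"{first}-{last} eq {port}: {len(expected_hosts(first, last))} "
              f"host ACEs vs {len(lines)} wildcard ACEs")
        print("\n".join(lines))
```

Splitting the /24 on an aligned boundary instead (for example .0-.127 web, .128-.255 mail) collapses each service to a single ACE, which is the cheapest answer whichever path the platform takes.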
