[c-nsp] ACL performance question

Adam Vitkovsky Adam.Vitkovsky at gamma.co.uk
Mon Aug 22 03:08:24 EDT 2016


> Satish Patel
> Sent: Saturday, August 20, 2016 9:23 PM
>
> We have an ASR1006 router and we are running an ACL on it to allow a specific port
> to a specific server.
>
> The question is: is there any ACL performance impact for individual IPs vs. a full subnet,
> as in the following example?
>
> We have the 202.100.100.0/24 subnet. Now I want to use the first 200 IPs for web
> server port 80 and the remaining 55 (whatever) for mail service port 25.
>
> Now how do I tell the ACL to isolate them or subnet them? The other option I have is to
> create an individual ACL for each IP like the following, but the question is: does it impact
> router performance?
>
> access-list 102 permit tcp any host 202.100.100.1 eq www
> access-list 102 permit tcp any host 202.100.100.2 eq www
> access-list 102 permit tcp any host 202.100.100.3 eq www
> access-list 102 permit tcp any host 202.100.100.4 eq www
> ...
> ...
> access-list 102 permit tcp any host 202.100.100.201 eq smtp
> access-list 102 permit tcp any host 202.100.100.202 eq smtp
>
> What would be the best approach here?
>
The number of lines (if the length of the TCAM allows) or the complexity of each line (if the TCAM width allows) should not matter on TCAM-based platforms, because you should get your result in one oscillator tick. That means the performance should be constant with the growing number of lines, and you should only experience a constant x% dip in performance due to the additional access to external memory for each packet.



adam




        Adam Vitkovsky
        IP Engineer

T:      0333 006 5936
E:      Adam.Vitkovsky at gamma.co.uk
W:      www.gamma.co.uk
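
Added example, not part of either message: the two address ranges in the question can be covered with a few wildcard-mask entries instead of one `host` line per address, which keeps the ACL short when TCAM length is the limit mentioned in the reply. It assumes the web range is 202.100.100.1 to .200 and the mail range is 202.100.100.201 to .254; the function names are hypothetical.

```python
import ipaddress


def acl_lines(acl_id, first, last, port):
    """Return extended-ACL lines covering first..last with the fewest prefixes."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    lines = []
    for net in ipaddress.summarize_address_range(lo, hi):
        if net.prefixlen == 32:
            dst = f"host {net.network_address}"
        else:
            # Cisco ACLs take a wildcard (inverse) mask, i.e. the host mask.
            dst = f"{net.network_address} {net.hostmask}"
        lines.append(f"access-list {acl_id} permit tcp any {dst} eq {port}")
    return lines


def matched_addresses(lines):
    """Expand the destination of each generated line back into addresses.

    Used as a check that the aggregated entries match exactly the intended
    range: nothing missing and nothing extra permitted.
    """
    matched = set()
    for line in lines:
        tokens = line.split()
        dst = tokens[tokens.index("any") + 1:tokens.index("eq")]
        if dst[0] == "host":
            matched.add(ipaddress.IPv4Address(dst[1]))
        else:
            # ipaddress accepts "address/hostmask" when the mask starts with 0.
            net = ipaddress.IPv4Network(f"{dst[0]}/{dst[1]}")
            matched.update(net)  # iterating a network yields every address
    return matched


# Assumed split of the /24 from the question (constructed values).
WEB = acl_lines(102, "202.100.100.1", "202.100.100.200", "www")
MAIL = acl_lines(102, "202.100.100.201", "202.100.100.254", "smtp")

if __name__ == "__main__":
    print("\n".join(WEB + MAIL))
    print(f"! {len(WEB) + len(MAIL)} entries instead of 254 host lines")
```
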
