[c-nsp] ACL performance question

tim at pelican.org tim at pelican.org
Mon Aug 22 07:07:35 EDT 2016


Hi Satish,

On Saturday, 20 August, 2016 21:23, "Satish Patel" <satish.txt at gmail.com> said:

> We have an ASR1006 router and we are running an ACL on it to allow a specific
> port to a specific server.
> 
> Question: is there any ACL performance impact on individual IPs vs. a full
> subnet, like the following example?
> 
> We have the 202.100.100.0/24 subnet. Now I want to use the first 200 IPs for
> web servers on port 80 and the remaining 55 (whatever) for mail service on port 25.

Taking a step backwards, does it *have* to be 200 and 55?  Or can you split on bit boundaries and get much simpler ACLs?  For example, if you can live with 191 web servers and 63 mail servers...

> Now how do I tell the ACL to isolate them or subnet them? The other option I
> have is to create an individual ACL entry for each IP, like the following, but the question
> is: does it impact router performance?
> 
> access-list 102 permit tcp any host 202.100.100.1 eq www
> access-list 102 permit tcp any host 202.100.100.2 eq www
> access-list 102 permit tcp any host 202.100.100.3 eq www
> access-list 102 permit tcp any host 202.100.100.4 eq www
> ...
> ...
> access-list 102 permit tcp any host 202.100.100.201 eq smtp
> access-list 102 permit tcp any host 202.100.100.202 eq smtp

Becomes:

access-list 102 permit tcp any 202.100.100.0 0.0.0.127 eq www
access-list 102 permit tcp any 202.100.100.128 0.0.0.63 eq www
access-list 102 permit tcp any 202.100.100.192 0.0.0.63 eq smtp

Ignoring any performance or TCAM issues, that looks like something that's going to make your operations folk less crazy trying to work with the configs.

Regards,
Tim.
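To make the bit-boundary point concrete, here is a small added example (not part of the thread) that summarizes an inclusive address range into the fewest CIDR blocks and renders each as the wildcard-mask entry Tim shows. It assumes only Python's standard `ipaddress` module; ACL number, ports and the 202.100.100.0/24 addresses are taken from the thread.

```python
import ipaddress


def acl_entries(first: str, last: str, port: str, acl: int = 102) -> list[str]:
    """Render the inclusive range first..last as Cisco extended ACL lines.

    The range is summarized into the minimal set of aligned CIDR blocks; each
    block becomes one 'network wildcard' entry (or 'host x' for a single IP).
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    entries = []
    for net in ipaddress.summarize_address_range(lo, hi):
        if net.num_addresses == 1:
            target = f"host {net.network_address}"
        else:
            # hostmask is the inverted netmask, i.e. the IOS wildcard mask
            target = f"{net.network_address} {net.hostmask}"
        entries.append(f"access-list {acl} permit tcp any {target} eq {port}")
    return entries


if __name__ == "__main__":
    # Bit-aligned split as in Tim's reply: .0-.191 web, .192-.255 mail
    aligned = (acl_entries("202.100.100.0", "202.100.100.191", "www")
               + acl_entries("202.100.100.192", "202.100.100.255", "smtp"))
    # Literal split from the question: .1-.200 web, .201-.254 mail
    literal = (acl_entries("202.100.100.1", "202.100.100.200", "www")
               + acl_entries("202.100.100.201", "202.100.100.254", "smtp"))
    print(f"aligned split: {len(aligned)} entries")
    print("\n".join(aligned))
    print(f"\nliteral split: {len(literal)} entries")
    print("\n".join(literal))
```

The aligned split needs 3 entries, the literal .1-.200 / .201-.254 split needs 19, which is the operational cost of not choosing bit boundaries.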
