[c-nsp] ACL performance question

Satish Patel satish.txt at gmail.com
Mon Aug 22 11:52:26 EDT 2016


@Tim,

You have a perfect point here; that will definitely work. Thanks.

On Mon, Aug 22, 2016 at 7:07 AM, tim at pelican.org <tim at pelican.org> wrote:
> Hi Satish,
>
> On Saturday, 20 August, 2016 21:23, "Satish Patel" <satish.txt at gmail.com> said:
>
>> We have an ASR1006 router and we are running an ACL on it to allow a specific
>> port to a specific server.
>>
>> The question is: is there any ACL performance impact on individual IPs vs a full
>> subnet? Like the following example.
>>
>> We have the 202.100.100.0/24 subnet. Now I want to use the first 200 IPs for
>> web servers on port 80 and the remaining 55 (whatever) for mail service on port 25.
>
> Taking a step backwards, does it *have* to be 200 and 55?  Or can you split on bit boundaries and get much simpler ACLs?  For example, if you can live with 191 web servers and 63 mail servers...
>
>> Now how do I tell the ACL to isolate them or subnet them? The other option I
>> have is to create an individual ACL entry for each IP like the following, but the
>> question is whether it impacts router performance.
>>
>> access-list 102 permit tcp any host 202.100.100.1 eq www
>> access-list 102 permit tcp any host 202.100.100.2 eq www
>> access-list 102 permit tcp any host 202.100.100.3 eq www
>> access-list 102 permit tcp any host 202.100.100.4 eq www
>> ...
>> ...
>> access-list 102 permit tcp any host 202.100.100.201 eq smtp
>> access-list 102 permit tcp any host 202.100.100.202 eq smtp
>
> Becomes:
>
> access-list 102 permit tcp any 202.100.100.0 0.0.0.127 eq www
> access-list 102 permit tcp any 202.100.100.128 0.0.0.63 eq www
> access-list 102 permit tcp any 202.100.100.192 0.0.0.63 eq smtp
>
> Ignoring any performance or TCAM issues, that looks like something that's going to make your operations folk less crazy trying to work with the configs.
>
> Regards,
> Tim.
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
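The bit-boundary rewrite above trades exactness for brevity: the three rounded entries cover .0-.191 for www and .192-.255 for smtp, which is not the same set of hosts as the per-host list. The script below is an added example, not code from the thread: it derives the minimal aligned address/wildcard entries for an arbitrary contiguous host range (the general form of the split Tim did by hand), evaluates each ACL with IOS-style first-match semantics and an implicit deny, and lists the (host, port) pairs where two ACLs disagree. The ranges .1-.200 and .201-.254 are constructed from the thread's "first 200" and "remaining 55 (whatever)"; `range_entries`, `host_entries`, `compile_acl`, `permits` and `disagreements` are names chosen for this example.

```python
"""
Compact a per-host Cisco ACL into aligned address/wildcard entries and check
what each candidate ACL actually permits, host by host.

Added example for the cisco-nsp thread; not the thread's own code. Ranges are
constructed: 202.100.100.1-.200 -> tcp/80 (www), .201-.254 -> tcp/25 (smtp).
Only the entry forms used in the thread ('any host X' and 'any X WILDCARD'
with 'eq PORT') are parsed.
"""
import ipaddress
from typing import Iterable, List, Tuple

PORT_NAMES = {"www": 80, "smtp": 25}

Entry = Tuple[str, int, int, int]  # (action, dst_addr, dst_wildcard, port)


def range_entries(acl: int, first: str, last: str, port: str) -> List[str]:
    """Minimal aligned blocks covering first..last inclusive, one entry each.
    summarize_address_range yields CIDR blocks whose hostmask is exactly the
    IOS wildcard mask, so each block is one 'X WILDCARD' entry."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    out = []
    for net in blocks:
        if net.prefixlen == 32:
            out.append(f"access-list {acl} permit tcp any host {net.network_address} eq {port}")
        else:
            out.append(f"access-list {acl} permit tcp any {net.network_address} {net.hostmask} eq {port}")
    return out


def host_entries(acl: int, first: str, last: str, port: str) -> List[str]:
    """One 'host X' entry per address, the way the original question wrote it."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    return [f"access-list {acl} permit tcp any host {ipaddress.IPv4Address(i)} eq {port}"
            for i in range(lo, hi + 1)]


def parse_entry(line: str) -> Entry:
    """'access-list N permit|deny tcp any <dst> eq <port>' -> Entry tuple."""
    tok = line.split()
    action = tok[2]
    if tok[3] != "tcp" or tok[4] != "any":
        raise ValueError(f"unsupported entry: {line}")
    if tok[5] == "host":
        addr, wild, rest = tok[6], "0.0.0.0", tok[7:]
    elif tok[5] == "any":
        addr, wild, rest = "0.0.0.0", "255.255.255.255", tok[6:]
    else:
        addr, wild, rest = tok[5], tok[6], tok[7:]
    if rest[0] != "eq":
        raise ValueError(f"unsupported port match: {line}")
    port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return (action, int(ipaddress.IPv4Address(addr)),
            int(ipaddress.IPv4Address(wild)), port)


def compile_acl(lines: Iterable[str]) -> List[Entry]:
    return [parse_entry(l) for l in lines]


def permits(entries: List[Entry], dst: str, port: int) -> bool:
    """First-match evaluation with the implicit 'deny any' IOS appends."""
    d = int(ipaddress.IPv4Address(dst))
    for action, addr, wild, p in entries:
        # A wildcard bit of 1 means "don't care"; compare only the 0 bits.
        if p == port and (d & ~wild) == (addr & ~wild):
            return action == "permit"
    return False


def disagreements(acl_a: List[str], acl_b: List[str],
                  subnet: str = "202.100.100.0/24",
                  ports: Tuple[int, ...] = (80, 25)) -> List[Tuple[str, int]]:
    """(host, port) pairs where the two ACLs give different answers."""
    ea, eb = compile_acl(acl_a), compile_acl(acl_b)
    return [(str(h), p) for h in ipaddress.IPv4Network(subnet) for p in ports
            if permits(ea, str(h), p) != permits(eb, str(h), p)]


# Per-host list as in the question (constructed ranges).
ORIGINAL = (host_entries(102, "202.100.100.1", "202.100.100.200", "www")
            + host_entries(102, "202.100.100.201", "202.100.100.254", "smtp"))
# Exact equivalent, split on bit boundaries.
EXACT = (range_entries(102, "202.100.100.1", "202.100.100.200", "www")
         + range_entries(102, "202.100.100.201", "202.100.100.254", "smtp"))
# The rounded three-line version quoted in the thread.
ROUNDED = [
    "access-list 102 permit tcp any 202.100.100.0 0.0.0.127 eq www",
    "access-list 102 permit tcp any 202.100.100.128 0.0.0.63 eq www",
    "access-list 102 permit tcp any 202.100.100.192 0.0.0.63 eq smtp",
]

if __name__ == "__main__":
    print(f"{len(ORIGINAL)} per-host entries -> {len(EXACT)} exact entries")
    for line in EXACT:
        print(line)
    print("exact vs original:", disagreements(ORIGINAL, EXACT))
    print("rounded vs original:", disagreements(ORIGINAL, ROUNDED))
```

The exact split of .1-.200 plus .201-.254 needs 19 entries instead of 254, because a range that starts at .1 rather than .0 cannot be covered by one /25; moving the web servers to start at .0 and ending at .199 would collapse the www half to three entries. The rounded ACL differs from the per-host one at .0 and .255 and at .192-.200 on both ports, which is exactly the set of hosts you have to be willing to give up (or renumber) to get the three-line version.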

