[Dshield] ACL impact on router performance

Jon R. Kibler Jon.Kibler at aset.com
Thu Feb 19 19:25:09 GMT 2004

Hello all:

Does anyone have any hard stats on the impact of ACLs on router performance?

I have heard many people (usually those who vigorously oppose router-based filtering) claim that just enabling ACLs causes a 15% performance hit, and that each ACL causes about a 0.5% additional degradation. This seems to be the standard mantra among those who dislike ACLs, or any other network-based filtering.

We run several Cisco routers with about 200 ACLs on each inbound interface and about 30 ACLs on each outbound interface and do not see any noticeable performance degradation. However, our networks are FAR from saturated.

A recent discussion on insecure.org seemed to say that if you had enough RAM in your router, the impact of ACLs seems to be minimal. Google doesn't seem to find any vendor published documents that provide stats. (Except one optical router that claimed it was independently tested with 10K ACLs and still able to run at maximum line speed.)

Does anyone have any good information on this subject?

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214