[Dshield] ACL impact on router performance
jlauro at umflint.edu
Thu Feb 19 22:00:13 GMT 2004
It really depends on the router. Some routers handle the ACLs all in
hardware and some all in software, some a combination (i.e., first
packet in software, the rest in hardware), etc... Without being given
a specific model number for the router, it could be a 15% hit, or it
could be no impact, etc...
> -----Original Message-----
> From: list-bounces at dshield.org
> [mailto:list-bounces at dshield.org] On Behalf Of Jon R. Kibler
> Sent: Thursday, February 19, 2004 2:25 PM
> To: list at dshield.org
> Subject: [Dshield] ACL impact on router performance
> Hello all:
> Does anyone have any hard stats on the impact of ACLs on
> router performance?
> I have heard many people (usually those who vigorously oppose
> router-based filtering) claim that just enabling ACLs causes
> a 15% performance hit, and that each ACL causes about a 0.5%
> additional degradation. This seems to be the standard mantra
> among those that dislike ACLs, or any other network-based filtering.
> We run several Cisco routers with about 200 ACLs on each
> inbound interface and about 30 ACLs on each outbound
> interface and do not see any noticeable performance
> degradation. However, our networks are FAR from saturated.
> A recent discussion on insecure.org seemed to say that if you
> had enough RAM in your router, the impact of ACLs seems to be
> minimal. Google doesn't seem to find any vendor-published
> documents that provide stats. (Except one optical router that
> claimed it was independently tested with 10K ACLs and still
> able to run at maximum line speed.)
> Does anyone have any good information on this subject?
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC USA
> (843) 849-8214