[Dshield] ACL impact on router performance

Al Reust areust at comcast.net
Fri Feb 20 06:28:33 GMT 2004

Hi Jon

Several months ago I had the chance to ask the same question of the 
"Network Engineer." Depending on the size of your shop, many people wear 
many hats. While I prefer not to deal with "router" issues and only have 
some knowledge of the "server/workstation" side, my basic question was why can 
we "not" block an entire Class B address space? Just say China, Taiwan, 
etc. This was on the series of Cisco 25xx routers. The ACLs for the 
Class B were entered and the network slowed to a crawl.

What it amounted to was how the processor, the RAM and the IOS 
all interact. I could enter a single IP to block (ACL), and it would 
happen right now. If I enter a Class B, look at what has to happen in RAM, the 
processor and IOS. It had to expand the 65+ thousand addresses and check 
each one for an exact match before the next ACL entry. So if I have 
multiple Class Bs, then what happens? Most 25xx Ciscos have i386 
processors and small RAM, and poor address expansion/handling (IOS). 3xxx 
are not much better. 7xxx's, depending on age, have other issues.

So yes, as I have not been chasing what is happening in the router world, 
it could be your router responding normally or complaining about the 
"specific" entry.

At 02:25 PM 2/19/2004 -0500, you wrote:
>Hello all:
>Does anyone have any hard stats on the impact of ACLs on router performance?
>I have heard many people (usually those who vigorously oppose router-based 
>filtering) claim that just enabling ACLs causes a 15% performance hit, and 
>that each ACL causes about a 0.5% additional degradation. This seems to be 
>the standard mantra among those that dislike ACLs, or any other 
>network-based filtering.
>We run several Cisco routers with about 200 ACLs on each inbound interface 
>and about 30 ACLs on each outbound interface and do not see any noticeable 
>performance degradation. 
>However, our networks are FAR from saturated.
>A recent discussion on insecure.org seemed to say that if you had enough 
>RAM in your router, the impact of ACLs seems to be minimal. Google doesn't 
>seem to find any vendor published documents that provide stats. (Except 
>one optical router that claimed it was independently tested with 10K ACLs 
>and still able to run at maximum line speed.)
>Does anyone have any good information on this subject?
>Jon R. Kibler
>Chief Technical Officer
>A.S.E.T., Inc.
>Charleston, SC  USA
>(843) 849-8214
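Added here as an illustration and not code from the thread or from Cisco: a small Python model of top-down ACL evaluation using Cisco-style wildcard masks (a wildcard bit set to 1 means "don't care"). The ACL entries and packet addresses are constructed sample values; the model reports how many entries had to be examined before a packet hit its first match, which is the per-packet cost it measures.

```python
"""Model of sequential, first-match ACL evaluation with wildcard masks.

Hypothetical simulation (not Cisco code): each entry is one
(action, address, wildcard) triple, tested in order; an implicit deny
applies when nothing matches. evaluate() also returns the number of
entries examined, so the cost of a long list can be seen per packet.
"""
import ipaddress


def parse_ip(text):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def make_entry(action, address, wildcard):
    # Cisco convention: wildcard bit 1 = don't care. The complement of the
    # wildcard is the bits that must match; they need not be contiguous.
    mask = ~parse_ip(wildcard) & 0xFFFFFFFF
    return (action, parse_ip(address) & mask, mask)


def evaluate(acl, src_ip):
    """Return (action, entries_examined) for src_ip; first match wins."""
    ip = parse_ip(src_ip)
    for n, (action, network, mask) in enumerate(acl, start=1):
        if ip & mask == network:          # one mask-and-compare per entry
            return action, n
    return "deny", len(acl)               # implicit deny at end of list


# Constructed sample ACL (private/test ranges, not real targets):
# one host entry, two Class B (/16) blocks, then permit any.
SAMPLE_ACL = [
    make_entry("deny",   "192.0.2.10", "0.0.0.0"),          # single host
    make_entry("deny",   "10.1.0.0",   "0.0.255.255"),      # whole /16
    make_entry("deny",   "10.2.0.0",   "0.0.255.255"),      # another /16
    make_entry("permit", "0.0.0.0",    "255.255.255.255"),  # permit any
]


def cost_report(acl, sources):
    """Map each source address to (action, entries examined)."""
    return {src: evaluate(acl, src) for src in sources}


if __name__ == "__main__":
    samples = ["192.0.2.10", "10.1.77.3", "10.2.113.9", "198.51.100.5"]
    for src, (act, n) in cost_report(SAMPLE_ACL, samples).items():
        print(f"{src:>14}: {act:<6} after {n} comparison(s)")
```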
