[Dshield] ACL impact on router performance

Jon R. Kibler Jon.Kibler at aset.com
Fri Feb 20 15:17:08 GMT 2004


Al Reust wrote:
> 
> Hi Jon
> 
> Several months ago I had the chance to ask the same question of the
> "Network Engineer." Depending on the size of your shop, many people wear
> many hats. While I do not prefer to deal with "router" issues and only the
> "server/workstation" side, I have some knowledge. My basic question is why can
> we "not" block the entire Class B address space? Just say China, Taiwan,
> etc. This was in the series of Cisco 25xx routers. The ACLs for the
> Class B were entered and the network slowed to a crawl.
> 
> What it amounted to was the Processor, the RAM and the IOS and how they
> all interact. I could enter a single IP to block (ACL) and it would
> happen right now. If I enter a Class B, what has to happen in RAM, the
> Processor and IOS: it had to expand the 65+ thousand addresses and check
> each one for an exact match before the next ACL entry. So if I have
> multiple Class Bs then what happens? Most 25xx Ciscos have i386
> processors and small RAM, and poor address expansion/handling (IOS). 3xxx
> are not much better. 7xxx's depending on age have other issues.
> 

Al,

Based on your description, it does not sound like the ACLs were entered correctly.
One ACL entry can block an entire Class B. For example:

   access-list 111 deny ip 192.168.0.0 0.0.255.255 any log

defined on a Cisco router's inbound interface (and only there!) would block all
192.168.x.x source addresses. The host mask (0.0.255.255) indicates the bits the
router is to ignore. To test this ACL would require only 2 logical instructions
to accomplish:
   clear bits in source address set in host mask giving test address
   if test address equals ACL address, drop packet

It does not have to expand and test 64K addresses! If the Cisco routers are
x86 based (and I correctly remember my x86 assembler from 20 years ago!), then
this test could be accomplished in 3 or 4 assembly language instructions.

Please explain your basis for saying that the router had to check 64K addresses. I
do not understand that statement.

Thanks!

Jon K.
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
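As an added illustration of the mask-and-compare test Jon describes (this is example code written for this page, not code from either message and not Cisco's implementation): a small Python model of a numbered IP ACL. It parses a constructed three-line ACL, walks it top-down the way IOS evaluates a standard/extended list (first match wins, implicit deny at the end), and shows that the `0.0.255.255` entry costs one AND plus one compare per packet, while `hosts_covered` reports the 65,536 addresses that entry covers without ever enumerating them. The ACL text, the host `10.9.8.7` and the test addresses are made up for the example.

```python
"""Model of a Cisco numbered IP ACL lookup (added example, not from the post).

One 'deny ip 192.168.0.0 0.0.255.255 any' entry is a single mask-and-compare
against the packet's source address; nothing expands the 65,536 hosts it
covers. The ACL text below is constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample ACL: one Class B block, one host block, then permit all.
SAMPLE_ACL = """
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip host 10.9.8.7 any
access-list 111 permit ip any any
"""

_ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+"
    r"(any|host\s+\S+|\S+\s+\S+)\s+any(?:\s+log)?$"
)


@dataclass(frozen=True)
class Entry:
    action: str
    addr: int      # network part of the entry as a 32-bit integer
    wildcard: int  # Cisco wildcard mask: a 1 bit means "ignore this bit"


def _parse_source(src: str) -> tuple[int, int]:
    """Turn 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' into (addr, wildcard)."""
    parts = src.split()
    if parts == ["any"]:
        return 0, 0xFFFFFFFF
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    return int(ipaddress.IPv4Address(parts[0])), int(ipaddress.IPv4Address(parts[1]))


def parse_acl(text: str) -> list[Entry]:
    """Parse 'access-list N {permit|deny} ip SRC any [log]' lines, in order."""
    entries = []
    for line in text.strip().splitlines():
        m = _ACL_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        addr, wildcard = _parse_source(m.group(3))
        entries.append(Entry(m.group(2), addr, wildcard))
    return entries


def matches(entry: Entry, src: int) -> bool:
    """The two-step test from the post: clear the wildcard bits, then compare."""
    keep = ~entry.wildcard & 0xFFFFFFFF   # bits the router must look at
    return (src & keep) == (entry.addr & keep)


def evaluate(entries: list[Entry], src_ip: str) -> tuple[str, int]:
    """Walk the ACL top-down; return (action, entries_tested).

    Like IOS, an ACL ends with an implicit 'deny', so a packet that matches
    nothing is dropped after every entry has been tested exactly once.
    """
    src = int(ipaddress.IPv4Address(src_ip))
    for tested, entry in enumerate(entries, start=1):
        if matches(entry, src):
            return entry.action, tested
    return "deny", len(entries)


def hosts_covered(entry: Entry) -> int:
    """How many source addresses one entry covers: 2 ** (wildcard bits set).

    This is the 65,536 Al was counting; the lookup above never enumerates them.
    """
    return 1 << bin(entry.wildcard).count("1")


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for ip in ("192.168.5.7", "10.9.8.7", "10.9.8.8"):
        action, tested = evaluate(acl, ip)
        print(f"{ip:>14}: {action} after {tested} entry compare(s)")
    print("hosts covered by entry 1:", hosts_covered(acl[0]))
```

Run it and `192.168.5.7` is denied after one compare, `10.9.8.7` after two, and `10.9.8.8` is permitted by the third entry. The model only counts compares; what hurts a small router in practice is the number of entries it walks per packet and the `log` keyword, which on older IOS forces matching packets out of the fast path, not how many hosts a single wildcard covers.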