[Dshield] ACL impact on router performance

Barry Greene (bgreene) bgreene at cisco.com
Fri Feb 20 18:39:06 GMT 2004

This is _wrong_ information. I work on all our ACL development teams - which means I get to know the code inside and out - and none of our ACL technologies work the way you described.

> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf Of Al Reust
> Sent: Thursday, February 19, 2004 10:29 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] ACL impact on router performance
>
> Hi Jon
>
> Several months ago I had the chance to ask the same question of the "Network Engineer." Depending on the size of your shop, many people share many hats. While I do not prefer to deal with "router" issues and only the "server/workstation" side, I have some knowledge. My basic question is: why can we "not" block the entire Class B address space? Just say China, Taiwan, etc. This was in the series of Cisco 25xx routers. The ACLs for the Class B were entered and the network slowed to a crawl.
>
> What it amounted to was how the processor, the RAM and the IOS all interact. I could enter a single IP to block (ACL) and it would happen right now. If I enter a Class B, look at what has to happen in RAM, the processor and IOS: it had to expand the 65+ thousand addresses and check each one for an exact match before the next ACL entry. So if I have multiple Class Bs, then what happens? Most 25xx Ciscos have i386 processors and small RAM, and poor address expansion/handling (IOS). 3xxx are not much better. 7xxx's, depending on age, have other issues.
>
> So yes, as I have not been chasing what is happening in the router world, it could be your router responding normally or complaining about the "specific" entry.
> At 02:25 PM 2/19/2004 -0500, you wrote:
> > Hello all:
> >
> > Does anyone have any hard stats on the impact of ACLs on router performance?
> >
> > I have heard many people (usually those who vigorously oppose router-based filtering) claim that just enabling ACLs causes a 15% performance hit, and that each ACL causes about a 0.5% additional degradation. This seems to be the standard mantra among those that dislike ACLs, or any other network-based filtering.
> >
> > We run several Cisco routers with about 200 ACLs on each inbound interface and about 30 ACLs on each outbound interface and do not see any noticeable performance degradation. However, our networks are FAR from saturated.
> >
> > A recent discussion on insecure.org seemed to say that if you had enough RAM in your router, the impact of ACLs seems to be minimal. Google doesn't seem to find any vendor-published documents that provide stats. (Except one optical router that claimed it was independently tested with 10K ACLs and still able to run at maximum line speed.)
> >
> > Does anyone have any good information on this subject?
> >
> > TIA!
> > Jon
> > --
> > Jon R. Kibler
> > Chief Technical Officer
> > A.S.E.T., Inc.
> > Charleston, SC  USA
> > (843) 849-8214
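Added example (not from Barry Greene's message and not Cisco code): a small Python model of how a Cisco-style standard ACL entry is evaluated against a source address. It assumes the numbered standard-ACL syntax (access-list N permit|deny address wildcard, the host and any keywords) and the implicit deny at the end of every ACL; the addresses in SAMPLE_ACL are constructed for illustration. In a wildcard mask a 0 bit means "must match" and a 1 bit means "don't care", so an entry that covers a whole /16 costs exactly one AND-and-compare, the same as an entry for a single host; nothing is expanded per address, and the work per packet grows with the number of entries walked, not with the number of addresses an entry covers.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, source address and Cisco wildcard mask.

    Wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored.
    """
    action: str      # "permit" or "deny"
    src: int         # source address as a 32-bit integer
    wildcard: int    # wildcard mask as a 32-bit integer

    def matches(self, addr: int) -> bool:
        # One AND and one compare per entry, whether it names a host or a /16.
        care = ~self.wildcard & 0xFFFFFFFF
        return (addr & care) == (self.src & care)


def parse_ace(line: str) -> Ace:
    """Parse a minimal subset of numbered standard-ACL syntax (assumed here):
    'access-list N deny 198.51.0.0 0.0.255.255', 'access-list N deny host A.B.C.D',
    'access-list N permit any'.  Anything else is rejected."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    action = parts[2]
    if parts[3] == "any":
        return Ace(action, 0, 0xFFFFFFFF)            # all bits don't-care
    if parts[3] == "host":
        if len(parts) < 5:
            raise ValueError(f"host keyword without address: {line!r}")
        return Ace(action, int(ipaddress.IPv4Address(parts[4])), 0)  # all bits must match
    src = int(ipaddress.IPv4Address(parts[3]))
    wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
    return Ace(action, src, wildcard)


def evaluate(acl: List[Ace], src_ip: str) -> Tuple[str, int]:
    """Walk the ACL top-down; first match wins.  Returns (action, entries_examined).
    An ACL with no matching entry ends in the implicit deny."""
    addr = int(ipaddress.IPv4Address(src_ip))
    for examined, ace in enumerate(acl, start=1):
        if ace.matches(addr):
            return ace.action, examined
    return "deny", len(acl)


def addresses_covered(ace: Ace) -> int:
    """How many addresses one entry matches: 2 ** (number of don't-care bits)."""
    return 1 << bin(ace.wildcard).count("1")


# Constructed sample ACL: one whole /16, one host, then permit the rest.
SAMPLE_ACL = [parse_ace(line) for line in (
    "access-list 10 deny 198.51.0.0 0.0.255.255",
    "access-list 10 deny host 203.0.113.7",
    "access-list 10 permit any",
)]

if __name__ == "__main__":
    for ip in ("198.51.100.9", "203.0.113.7", "203.0.113.8"):
        print(ip, evaluate(SAMPLE_ACL, ip))
    for ace in SAMPLE_ACL:
        print(f"{ace.action:6} covers {addresses_covered(ace):>10} addresses, one compare each")
```

The entries_examined count returned by evaluate is the quantity that actually grows as an ACL gets longer: a packet that falls through to the final permit any is compared against every entry above it, so ordering frequently hit entries first matters, while widening a single entry from a host to a Class B adds nothing to the per-packet cost in this model.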
