[Dshield] ACL impact on router performance

Al Reust areust at comcast.net
Sat Feb 21 01:36:11 GMT 2004


Okay, I will bite.

I presumed that his explanation of why it could "not" work with the
existing "ancient" hardware was perfectly plausible. No, I did not see the
existing ACLs or how badly misconfigured or poorly documented they may be.

You say you know differently without even an ACLs 101 or a web link.

Thank You.

Al

At 10:39 AM 2/20/2004 -0800, you wrote:
>
>This is _wrong_ information. I work on all our ACL development teams - 
>which means I get to know the code inside and out - and none of our ACL 
>technologies work the way you described.
>
>
> > -----Original Message-----
> > From: list-bounces at dshield.org
> > [mailto:list-bounces at dshield.org] On Behalf Of Al Reust
> > Sent: Thursday, February 19, 2004 10:29 PM
> > To: General DShield Discussion List
> > Subject: Re: [Dshield] ACL impact on router performance
> >
> >
> > Hi Jon
> >
> > Several months ago I had the chance to ask the same question of the
> > "Network Engineer." Depending on the size of your shop, many people share
> > many hats. While I prefer not to deal with "router" issues and only the
> > "server/workstation" side, I have some knowledge. My basic question is
> > why can we "not" block the entire Class B address space? Just say China,
> > Taiwan, etc. This was in the series of Cisco 25xx routers. The ACLs for
> > the Class B were entered and the network slowed to a crawl.
> >
> > What it amounted to was that with the Processor, the RAM and the IOS and
> > how all interact, I could enter a single IP to block (ACL) and it would
> > happen right now. If I enter a Class B, what has to happen in RAM, the
> > Processor and IOS: it had to expand the 65+ thousand addresses and check
> > each one for an exact match before the next ACL entry. So if I have
> > multiple Class B's, then what happens? Most 25xx Ciscos have i386
> > processors and small RAM, and poor address expansion/handling (IOS).
> > 3xxx are not much better. 7xxx's, depending on age, have other issues.
> >
> > So yes, as I have not been chasing what is happening in the router
> > world, it could be your router responding normally or complaining about
> > the "specific" entry.
> >
> >
> > At 02:25 PM 2/19/2004 -0500, you wrote:
> > >Hello all:
> > >
> > >Does anyone have any hard stats on the impact of ACLs on router
> > >performance?
> > >
> > >I have heard many people (usually those who vigorously oppose
> > >router-based filtering) claim that just enabling ACLs causes a 15%
> > >performance hit, and that each ACL causes about a 0.5% additional
> > >degradation. This seems to be the standard mantra among those that
> > >dislike ACLs, or any other network-based filtering.
> > >
> > >We run several Cisco routers with about 200 ACLs on each inbound
> > >interface and about 30 ACLs on each outbound interface and do not see
> > >any noticeable performance degradation. However, our networks are FAR
> > >from saturated.
> > >
> > >A recent discussion on insecure.org seemed to say that if you had
> > >enough RAM in your router, the impact of ACLs seems to be minimal.
> > >Google doesn't seem to find any vendor published documents that
> > >provide stats. (Except one optical router that claimed it was
> > >independently tested with 10K ACLs and still able to run at maximum
> > >line speed.)
> > >
> > >Does anyone have any good information on this subject?
> > >
> > >TIA!
> > >Jon
> > >--
> > >Jon R. Kibler
> > >Chief Technical Officer
> > >A.S.E.T., Inc.
> > >Charleston, SC  USA
> > >(843) 849-8214
>_______________________________________________
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: 
>http://www.dshield.org/mailman/listinfo/list
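An added illustration, not code from this thread or from any router vendor: a toy Python model of how a wildcard-mask ACL entry such as `0.0.255.255` is matched. Both Jon's per-entry cost question and the Class B "expansion" described in the quoted message come down to the same point, and in this model an entry covering a whole Class B is one mask-and-compare, the same as a host entry; what grows is the number of entries scanned top-down before a match. The ACL syntax is modelled on classic numbered extended ACLs, and the sample entries and addresses are constructed for the example.

```python
# Toy model of top-down Cisco-style ACL evaluation with wildcard masks.
# Added example for this thread, not code from the list or from Cisco.
# Syntax modelled on classic numbered extended ACLs:
#     access-list N deny|permit ip SRC WILDCARD any
import ipaddress

# Constructed sample ACL: one host entry, one whole Class B, then permit-all.
SAMPLE_ACL = """
access-list 101 deny ip 192.0.2.77 0.0.0.0 any
access-list 101 deny ip 198.18.0.0 0.0.255.255 any
access-list 101 permit ip any any
"""

def parse_acl(text):
    """Return [(action, src_int, wildcard_int), ...] in ACL order."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[3] != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        action, src = parts[2], parts[4]
        if src == "any":
            src_int, wild = 0, 0xFFFFFFFF  # every bit is "don't care"
        else:
            src_int = int(ipaddress.IPv4Address(src))
            wild = int(ipaddress.IPv4Address(parts[5]))
        entries.append((action, src_int, wild))
    return entries

def addresses_covered(entry):
    """Source addresses an ACE matches: 2 ** (number of wildcard 1-bits)."""
    return 1 << bin(entry[2]).count("1")

def evaluate(entries, src_ip):
    """Walk the ACL top-down; return (action, comparisons_made).

    Each ACE costs one mask-and-compare whether it names a single host or
    65,536 addresses; the range is never expanded into per-host checks.
    Cost grows with the number of ACEs scanned before the first match.
    """
    addr = int(ipaddress.IPv4Address(src_ip))
    comparisons = 0
    for action, src_int, wild in entries:
        comparisons += 1
        care = 0xFFFFFFFF ^ wild  # bits that must match exactly
        if addr & care == src_int & care:
            return action, comparisons
    return "deny", comparisons  # implicit deny at the end of every ACL
```

Running `evaluate(parse_acl(SAMPLE_ACL), "198.18.200.5")` returns `("deny", 2)`: the Class B entry covering 65,536 addresses matched on the second comparison, not after 65,536 of them.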