IP access-list - performance influence on switch

Sep 27th, 2007

Hello all,

I want to ask if you have any experience with IP access lists on L2 switch interfaces.

Does an access-list have any performance influence on the switch when it is applied on an interface?

I have an L2 2960G switch.

Thanks for your info.




I'm afraid you can't use an IP (L3, L4) access-list on an L2 device like the 2960G. You need a multilayer switch. Anyway, the multilayer switches are equipped with ASICs, and the CEF, access-list and QoS features are applied in hardware, so there is no performance degradation and you can reach wire speed.

Hope it helps, rate if it does.


tomas.backo Fri, 09/28/2007 - 04:10

Hi Kerek,

You aren't right. It is possible to use an IP access-list in the inbound direction on L2 switch ports.


IanTarasevitsch1995 Fri, 09/28/2007 - 04:18

Nope -- most Catalyst switches will support a L3 ACL even if the switch is running SMI/IPbase and running at layer 2. It surprised me, too, when I first found it out. I also thought you had to run at Layer 3 in order to have the switch read the IP headers.

However, you are exactly correct that the ACLs are implemented on ASICs, and therefore have very little impact on switch performance.




Will it support or currently supporting?

I have just tried it out with our 2950 SMI, and although I was able to set up the ACL, I was unable to assign it to the interface. I read that some QoS matching can be done on L2 switches based on L3 header information, but it is quite new for me that you can do filtering based on that. Can you provide a link where it is published? I still have some doubts.

Thanks a lot.



That's why I love this place. You feel that you have some clue about the generic things and see...

tomas.backo Fri, 09/28/2007 - 07:03

Hi all,

I'll try to apply the ACL to real traffic, and I'll see if it has any serious impact.

But I hope that it is done by hardware.

Thanks to all.


felixdav Sat, 09/29/2007 - 15:43

L2-4 ACLs are supported on the 2960 LAN Base switches and the 2950 Enhanced Image switches. For the 2960 switches the lookups are done in hardware with no performance impact. The 2960 LAN Lite switches and 2950 Standard Image switches do not support ACLs.

