2800 ACL Config to help reduce High CPU

Unanswered Question
Jan 23rd, 2008

I'm trying to optimize the ACLs on a 2800 (there are many of them, and they are large) to help reduce CPU (60%).

Which is better for the CPU in the ACL config?


permit tcp host A.B.C.D host A.B.C.D eq 1000 1501 2000 2500 4000 8001

or

permit tcp host A.B.C.D host A.B.C.D eq 1000

permit tcp host A.B.C.D host A.B.C.D eq 1500

etc


Is it the number of lines and/or the number of ports?



leon harvey Fri, 01/25/2008 - 05:56

One line with many ports, or many lines with one port, equates to the same.

Remember, the CLI can look tidy to us, but behind the scenes the router still has to do the same lookup on a packet for that port, so the ACL method does not really matter.

On PIX/ASA you can do turboACL, which compiles the ACL into binary to speed lookups up (meant for huge ACLs though, thousands of lines).

Even object groups on PIX/ASA are just to make life easy on the CLI; it is still a lookup on each port.

So in summary, nothing you can do. If the ACLs keep growing and the CPU average gets higher, maybe we need to look at getting proper firewalls (ASA) in to do the firewall function.

Router IOS firewall throughput is lower than a proper firewall.
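As an added illustration of the point in the reply above (this is example code, not from the thread or from Cisco), the following Python model evaluates the two ACL styles from the question sequentially and counts the per-port comparisons each needs for a packet. The matcher, the 10.0.0.x addresses and the port set are constructed assumptions; it models a plain software lookup and ignores platform optimisations such as turboACL or hardware TCAM.

```python
"""Model of sequential ACL evaluation, counting per-port comparisons.

Hypothetical simplified matcher for IOS-style
'permit tcp host SRC host DST eq P1 P2 ...' lines.
"""
from dataclasses import dataclass


@dataclass
class Ace:
    src: str
    dst: str
    ports: tuple  # destination ports listed after 'eq'


def parse_ace(line: str) -> Ace:
    # Only the 'permit tcp host SRC host DST eq P...' form is supported here.
    t = line.split()
    assert t[:3] == ["permit", "tcp", "host"] and t[4] == "host" and t[6] == "eq"
    return Ace(src=t[3], dst=t[5], ports=tuple(int(p) for p in t[7:]))


def evaluate(acl, src, dst, dport):
    """Return (matched, port_comparisons) for one packet against the ACL.

    Entries are tested in order until one matches, as a software path does;
    an entry whose addresses do not match costs no port comparison.
    """
    comparisons = 0
    for ace in acl:
        if ace.src != src or ace.dst != dst:
            continue
        for p in ace.ports:
            comparisons += 1
            if p == dport:
                return True, comparisons
    return False, comparisons


# Constructed sample ACLs: the question's two styles with the same port set.
PORTS = [1000, 1500, 2000, 2500, 4000, 8001]
ONE_LINE = [parse_ace("permit tcp host 10.0.0.1 host 10.0.0.2 eq "
                      + " ".join(map(str, PORTS)))]
MANY_LINES = [parse_ace(f"permit tcp host 10.0.0.1 host 10.0.0.2 eq {p}")
              for p in PORTS]


def compare_styles(dport):
    """Port comparisons each style needs for a packet 10.0.0.1 -> 10.0.0.2:dport."""
    _, one = evaluate(ONE_LINE, "10.0.0.1", "10.0.0.2", dport)
    _, many = evaluate(MANY_LINES, "10.0.0.1", "10.0.0.2", dport)
    return one, many


if __name__ == "__main__":
    for dport in (1000, 8001, 9999):
        print(dport, compare_styles(dport))  # both counts are always equal
```

A port that matches early costs one comparison in either style, while a non-matching port costs a comparison against every listed port in either style, which is why the line layout alone does not change the CPU work.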
