After access list applied, it's slower getting to that particular host?

Answered Question
Nov 26th, 2009
Hey guys!


I have two separate VLANs (16 and 22).


I only wanted two hosts from VLAN 16 to be able to get to 22 and deny everyone else to VLAN 22.


I applied an access list to make that happen.


The problem (may or may not be a problem) is that now when I go to the host, it's about 5 seconds slower than it was when the VLAN was wide open.


Is this normal after an access list?

glen.grant Thu, 11/26/2009 - 06:57
User Badges:
  • Purple, 4500 points or more

An ACL should make little difference in response times unless it has like 100 or more entries in it; even then it shouldn't take 5 seconds. If you have a large number of other ACLs on the box it's possible you could be looking at resource issues (TCAM); other than that it should not affect things the way you are indicating. I would look at the rest of the path between the 2 subnets and/or the server you are going to.

Correct Answer
Edison Ortiz Thu, 11/26/2009 - 08:15
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

As Glen indicated, the ACL will not create latency on the data path.

You mentioned that you are trying to access the host from another VLAN.

Is this type of access Windows peer-to-peer networking? If so, you may be blocking other types of traffic that are needed for Windows networking.

Do you experience latency while pinging or using any other protocol such as FTP or HTTP?


Regards


Edison

cisco_himg Thu, 11/26/2009 - 08:19
Thanks guys!


What I noticed is that I was using DameWare to remote into the other PC from my VLAN. It was slow on DameWare, but it was super fast on VNC Viewer. So I guess everything is okay; I just wonder why DameWare runs slower connecting than VNC Viewer...

Edison Ortiz Thu, 11/26/2009 - 08:24
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

Maybe DameWare utilizes a different type of protocol where the receiving host must respond, and you are blocking that port in return.

When implementing ACLs, you must take into account two-way data flow.

You can allow/block traffic into your VLAN, but you must also take into account the return traffic.


Thanks for the rating.


Regards


Edison
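The two-way-flow point Edison makes above, as an added IOS configuration example that is not part of this thread. The host addresses (192.168.16.10/.11 in VLAN 16, 192.168.22.0/24 for VLAN 22), the ACL names and the SVI layout are constructed assumptions; the idea is that a stateless ACL on the VLAN 22 side can silently drop replies that a remote-control tool needs, and the `log` keyword plus hit counters show you which packets are being dropped.

```cisco
! Inbound on the VLAN 16 SVI: only two hosts may reach VLAN 22,
! everyone else in VLAN 16 is denied to VLAN 22 but keeps the rest
! of the network (constructed example, not the poster's config).
ip access-list extended VLAN16-TO-22
 permit ip host 192.168.16.10 192.168.22.0 0.0.0.255
 permit ip host 192.168.16.11 192.168.22.0 0.0.0.255
 deny   ip any 192.168.22.0 0.0.0.255 log
 permit ip any any
!
interface Vlan16
 ip access-group VLAN16-TO-22 in
!
! Inbound on the VLAN 22 SVI: ACLs are stateless, so replies from
! VLAN 22 back to the two hosts must be permitted explicitly.
! "established" matches TCP segments with ACK/RST set, i.e. replies
! to sessions the VLAN 16 hosts opened; it does nothing for UDP or
! ICMP, which is why the echo-reply line is needed for ping to work.
ip access-list extended VLAN22-IN
 permit tcp  192.168.22.0 0.0.0.255 host 192.168.16.10 established
 permit tcp  192.168.22.0 0.0.0.255 host 192.168.16.11 established
 permit icmp 192.168.22.0 0.0.0.255 host 192.168.16.10 echo-reply
 permit icmp 192.168.22.0 0.0.0.255 host 192.168.16.11 echo-reply
 ! A tool that opens its own connection back to the client would be
 ! dropped here; add a specific permit for that port rather than
 ! widening to "permit ip any any".
 deny   ip any any log
!
interface Vlan22
 ip access-group VLAN22-IN in
!
! Verification: the deny counters show whether return traffic is
! being dropped, and the "log" keyword produces %SEC-6-IPACCESSLOGP
! messages naming the list, source, destination and port.
! show ip access-lists VLAN22-IN
! show logging | include VLAN22-IN
```

If the VLAN 22 side has no ACL at all, only the first list applies and return traffic is unaffected; the second list is where the symptom described in the thread would show up.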
