
ACL and performance

tevfik
Level 1

Hi,

I have a CSS 11503 without the SSL module (CSS11503-AC J0).

I need to know something:

Customer needs to prevent servers behind LB (means service). In order to do this, they want to limit connections to the VIP.

In summary, they want only some IP:port pairs to be able to reach the VIP.

To do this, I think I have to use an ACL, and one ACL has 20-25 clauses. I may also have to add some new ACLs.

So the question is:

How does this ACL affect the performance of the CSS?

Briefly, by what percentage does it degrade performance?

3 Replies

Gilles Dufour
Cisco Employee

ACLs with only permit|deny clauses are all performed in hardware, and therefore the impact on performance is null or almost null.

If you have ACLs that allow source NATing or selection of a preferred gateway or service, these are done in software and will have an impact that I unfortunately can't quantify, since it really depends on the config and traffic.

Gilles.

Thanks for the reply,

If it is important, I should say that I use a GROUP configuration, such as:

GROUP X
  add destination service a
  add destination service b
  ..
  ..
  vip address 10.X.X.X
  active

Is the ACL still performed in hardware with this configuration?

Yes,

It would not if you use a clause like

clause 10 permit tcp any destination any sourcegroup .....

You can use a group inside an ACL, and this is what would impact performance.

But the impact would not be more than 10%.

It could still be null depending on your config.

Gilles.
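
An added example, not part of the thread and not Cisco code: a small audit script that applies the rule from the replies above to an ACL listing, flagging clauses that leave the hardware path. The `acl <n>` header form, the `prefer` keyword and the sample clauses (addresses, masks, `eq` ports) are assumptions constructed for illustration; only `permit`, `deny` and `sourcegroup` come from the thread.

```python
import re

# Keywords that move a clause to software processing, per the replies above.
# "sourcegroup" is from the thread; "prefer" is an assumed keyword for
# selecting a preferred service.
SOFTWARE_KEYWORDS = ("sourcegroup", "prefer")
ACL_RE = re.compile(r"^\s*acl\s+(\d+)\s*$", re.IGNORECASE)
CLAUSE_RE = re.compile(r"^\s*clause\s+(\d+)\s+(\S+)\s*(.*)$", re.IGNORECASE)

# Constructed sample listing (not from a real device).
SAMPLE = """\
acl 1
  clause 10 permit tcp 192.0.2.10 255.255.255.255 destination 10.0.0.10 eq 80
  clause 20 permit tcp 192.0.2.11 255.255.255.255 destination 10.0.0.10 eq 443
  clause 30 permit tcp any destination any sourcegroup X
  clause 99 deny any any destination 10.0.0.10
"""

def classify_clauses(config_text):
    """Return {acl_number: [(clause_number, path, matched_keywords), ...]}."""
    acls, current = {}, None
    for line in config_text.splitlines():
        acl = ACL_RE.match(line)
        if acl:
            current = int(acl.group(1))
            acls[current] = []
            continue
        clause = CLAUSE_RE.match(line)
        if clause is None or current is None:
            continue  # not a clause line, or a clause outside any ACL
        number, action, rest = clause.groups()
        hits = [k for k in SOFTWARE_KEYWORDS if k in rest.lower().split()]
        if action.lower() not in ("permit", "deny"):
            path = "review"      # action not covered by the thread
        elif hits:
            path = "software"    # group or preferred-service selection
        else:
            path = "hardware"    # plain permit|deny filter
        acls[current].append((int(number), path, hits))
    return acls

def software_clauses(config_text):
    """List (acl, clause) pairs that are not plain hardware filters."""
    return [(acl, num)
            for acl, clauses in sorted(classify_clauses(config_text).items())
            for num, path, _ in clauses if path != "hardware"]

if __name__ == "__main__":
    for acl, num in software_clauses(SAMPLE):
        print(f"acl {acl} clause {num}: not a plain permit|deny filter")
```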