New Member

ACL and performance

Hi,

I have a CSS 11503 without the SSL module (CSS11503-AC J0).

I have to know something:

The customer needs to prevent servers behind the LB (meaning services). In order to do this, they want to limit connections to the VIP.

In summary, they want only some IP:port pairs to be able to reach the VIP.

To do this I think I have to use an ACL, and one ACL has 20-25 clauses. And maybe I will have to add some new ACLs.

So the question is:

How does this ACL affect the performance of the CSS?

Roughly what percentage does performance degrade?

3 REPLIES
Cisco Employee

Re: ACL and performance

ACLs with only permit|deny clauses are all performed in hardware, and therefore the impact on performance is null or almost null.

If you have ACLs to allow some source NATing or selection of a preferred gateway or service, these are done in software and will have an impact that I unfortunately can't quantify, since this is really dependent on the config and traffic.

Gilles.

New Member

Re: ACL and performance

Thanks for the reply,

If it is important, I have to say that I use a GROUP configuration, such as:

GROUP X

add destination service a

add destination service b

..

..

vip address 10.X.X.X

active

Is the ACL still performed in hardware with this configuration?

Cisco Employee

Re: ACL and performance

Yes,

it would not if you use a clause like

clause 10 permit tcp any destination any sourcegroup .....

You can use a group inside an ACL, and this is what would impact performance.

But the impact would not be more than 10%.

It could still be null depending on your config.

Gilles.
