Order of rules

Hello,

I have a question regarding the order of the rules in a firewall.

The question is whether the order of the rules affects the firewall performance.

All I could find in the community were old discussions, which claimed that placing the most used rules first will improve performance, since the firewall tries to match the rules sequentially.

Cisco also had a product called ACL manager that used to do that, but discontinued the project.

So the question is, are these assumptions still true? I'd expect newer firewalls to be able to compile the rules into a more effective data structure, which would reduce, if not completely cancel, the effects that rule ordering has on performance. Specifically, I would like to know about ASA, PIX and FWSM firewalls.

Can anyone tell if this is the case or not?
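A small simulation of the first-match behaviour the question describes, added here as an example and not part of the thread: it counts how many ACEs a sequential lookup examines for a constructed ACL and traffic mix, moves frequently hit ACEs upward only where that cannot change a verdict, and shows that a naive sort by hit count would silently permit guest traffic the original order denies. The ACL, the traffic mix and the ipaddress-based matcher are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample ACL: (name, action, source network, destination port or None).
# A sequentially matching firewall stops at the first ACE that matches.
ACL = [
    ("mgmt-ssh",   "permit", "10.0.0.0/24",    22),
    ("dns",        "permit", "0.0.0.0/0",      53),
    ("deny-guest", "deny",   "192.168.5.0/24", None),
    ("web",        "permit", "0.0.0.0/0",      443),
]

def matches(ace, pkt):
    _, _, net, port = ace
    src, dport = pkt
    return (ipaddress.ip_address(src) in ipaddress.ip_network(net)
            and (port is None or port == dport))

def evaluate(acl, pkt):
    """First-match lookup: returns (action, ACE name, ACEs examined)."""
    for n, ace in enumerate(acl, 1):
        if matches(ace, pkt):
            return ace[1], ace[0], n
    return "deny", "implicit-deny", len(acl)   # implicit deny at the end

def avg_examined(acl, packets):
    return sum(evaluate(acl, p)[2] for p in packets) / len(packets)

def may_overlap(a, b):
    """True if one packet could match both ACEs, so their relative order matters."""
    nets = ipaddress.ip_network(a[2]).overlaps(ipaddress.ip_network(b[2]))
    ports = a[3] is None or b[3] is None or a[3] == b[3]
    return nets and ports

def reorder_naively(acl, packets):
    """Sort purely by hit count: faster, but may change what the policy permits."""
    hits = Counter(evaluate(acl, p)[1] for p in packets)
    return sorted(acl, key=lambda a: hits[a[0]], reverse=True)

def reorder_safely(acl, packets):
    """Bubble hot ACEs up, never past an overlapping ACE with a different action."""
    hits = Counter(evaluate(acl, p)[1] for p in packets)
    acl, changed = list(acl), True
    while changed:
        changed = False
        for i in range(1, len(acl)):
            upper, lower = acl[i - 1], acl[i]
            if hits[lower[0]] > hits[upper[0]] and not (
                    may_overlap(upper, lower) and upper[1] != lower[1]):
                acl[i - 1], acl[i], changed = lower, upper, True
    return acl

# Constructed traffic mix: mostly web, some DNS, a little management SSH.
TRAFFIC = ([("172.16.1.10", 443)] * 70 + [("172.16.1.11", 53)] * 20
           + [("10.0.0.5", 22)] * 10)
```

The safe reordering only lowers the average number of ACEs examined a little here because the hot web ACE cannot be moved above the guest deny it overlaps; the naive sort does move it and changes the verdict for guest traffic.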

1 REPLY

Order of rules

Hi,

The impact should be there if you have a huge ACL in place, but considering today's modern hardware the impact should be very negligible. A very huge improper ACL may cause high CPU/memory utilization.

Thanks

Ajay
