532 Views | 0 Helpful | 1 Replies

Cat 6500 w FWSM - ACL Ordering and Optimization

packetzen
Level 1

Like a lot of companies I have seen, we have an Internet-facing 6513 with close to 1000 IOS ACL entries.  Trying to get a handle on this is very difficult.

But regardless of the current state, I would like to get some ideas on Best Practices for ACL ordering.

All specific source allows at the top

Next, allowable subnets

What if you want to optimize performance? Put your most frequently hit IPs at the top.

In our environment we have a large number of small/medium netblocks.  Should you break it out into netblock 'ranges' in the ACL?  For example, each netblock would have a portion of the ACL: allows at the top of the block and specific denies at the end.

I have not been able to find very much information on the topic, particularly when using the 6500 and FWSM.

Thanks!

1 Reply

Jon Marshall
Hall of Fame

Do you mean the ACL entries are on the FWSM? Certainly hope so.

ACLs on the FWSM are handled as all ACLs are, i.e. they are checked from top to bottom until a match is found, so you should definitely have the more frequently hit entries at the top of your ACL.

Not sure what you mean about netblocks; do you mean summary addresses?  If you can, use as large a summary address as possible in each entry. That way you only get one ACE to check against, but more importantly it keeps the ACL as short as possible.

Using object-groups can also help with the ordering of your ACL in terms of readability, but not with performance, because the FWSM will expand the entry internally.

If you need to allow certain access to a netblock and then deny the rest, then obviously do so, but bear in mind that specific denies are only needed in certain situations and that generally, if you don't allow it, it will be blocked by the implicit deny at the end. You could actually put a deny after the permits to the netblock, which, come to think of it, is probably what you are asking? This is a tradeoff because yes, you would stop processing of the ACL for that netblock, but then you have just added another entry to your ACL, and if the netblock you are interested in is further down the ACL then it has to process more entries.

Jon
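The two points in this thread (first-match evaluation, so busy entries belong near the top; and summarising runs of same-action entries so the list is shorter) can be tried out on a toy ACL before touching a real one. The script below is an added example written for this page, not code from the thread, Cisco, or the FWSM; the ACL, the per-source packet counts and the address ranges in it are constructed, and the functions `first_match`, `summarize_runs` and `reorder_by_hits` are this example's own names. It models the FWSM behaviour the reply describes (top to bottom, stop at the first match, implicit deny at the end), measures how many ACEs a packet mix has to walk, and then shortens and reorders the list without changing any verdict. It also shows the tradeoff the reply ends on: a specific deny for one host must stay above the permit for its netblock, so that deny caps how far the busy permit can rise.

```python
"""First-match ACL evaluation and policy-preserving reordering (added example)."""
import ipaddress
from collections import Counter

# Constructed sample ACL, not from the thread: (action, source network), top to bottom.
SAMPLE_ACL = [
    ("permit", ipaddress.ip_network("203.0.113.0/25")),    # partner A, two halves of a /24
    ("permit", ipaddress.ip_network("203.0.113.128/25")),
    ("deny",   ipaddress.ip_network("198.51.100.7/32")),   # one host in B that must stay blocked
    ("permit", ipaddress.ip_network("198.51.100.0/24")),   # partner B, by far the busiest
    ("permit", ipaddress.ip_network("192.0.2.0/24")),      # partner C
]

# Constructed per-source packet counts (what ACE hit counters or flow records would give).
SAMPLE_TRAFFIC = Counter({
    "198.51.100.10": 850,
    "198.51.100.7": 60,
    "192.0.2.5": 40,
    "203.0.113.9": 30,
    "10.9.9.9": 20,   # matches nothing: implicit deny after the whole list
})


def first_match(acl, src):
    """Top-to-bottom, stop-at-first-match evaluation, as the reply describes.
    Returns (action, aces_examined, index_of_matching_ace_or_None)."""
    ip = ipaddress.ip_address(src)
    for i, (action, net) in enumerate(acl):
        if ip in net:
            return action, i + 1, i
    return "deny", len(acl), None   # implicit deny: every ACE was examined


def verdicts(acl, traffic):
    """Action per observed source; used to prove a rewrite changed nothing."""
    return {src: first_match(acl, src)[0] for src in traffic}


def avg_aces_checked(acl, traffic):
    """Mean number of ACEs examined per packet: the cost that ordering changes."""
    total = sum(traffic.values())
    examined = sum(first_match(acl, src)[1] * n for src, n in traffic.items())
    return examined / total


def summarize_runs(acl):
    """Collapse each contiguous run of same-action ACEs into the fewest exact
    supernets (ipaddress.collapse_addresses). Only whole runs are merged, so no ACE
    crosses one of a different action and no verdict can change. A hand-picked
    wider summary would shorten the list further, but may admit addresses that
    were never permitted before, which this function deliberately avoids."""
    out, i = [], 0
    while i < len(acl):
        action, j = acl[i][0], i
        while j < len(acl) and acl[j][0] == action:
            j += 1
        for net in ipaddress.collapse_addresses(n for _, n in acl[i:j]):
            out.append((action, net))
        i = j
    return out


def reorder_by_hits(acl, traffic):
    """Move busy ACEs upward one adjacent swap at a time, never swapping two ACEs
    that overlap and differ in action. Every swap is between entries that either
    share an action or match no common address, so each packet's verdict is kept.
    This is where the specific-deny tradeoff shows: the deny for one host in a
    netblock pins the permit for that netblock below it."""
    hits = Counter()
    for src, n in traffic.items():
        idx = first_match(acl, src)[2]
        if idx is not None:
            hits[idx] += n
    order = []                               # original indices in new order
    for i, (action, net) in enumerate(acl):
        pos = len(order)
        while pos > 0:
            j = order[pos - 1]
            blocked = acl[j][0] != action and acl[j][1].overlaps(net)
            if blocked or hits[j] >= hits[i]:
                break
            pos -= 1
        order.insert(pos, i)
    return [acl[i] for i in order]


if __name__ == "__main__":
    optimised = reorder_by_hits(summarize_runs(SAMPLE_ACL), SAMPLE_TRAFFIC)
    assert verdicts(optimised, SAMPLE_TRAFFIC) == verdicts(SAMPLE_ACL, SAMPLE_TRAFFIC)
    print(f"{len(SAMPLE_ACL)} ACEs, {avg_aces_checked(SAMPLE_ACL, SAMPLE_TRAFFIC):.2f} examined per packet")
    print(f"{len(optimised)} ACEs, {avg_aces_checked(optimised, SAMPLE_TRAFFIC):.2f} examined per packet")
    for action, net in optimised:
        print(f"  {action:6} {net}")
```

On the constructed sample the original five entries cost 3.91 ACE checks per packet; after merging the two /25s into one /24 and bubbling the busy partner B permit up, four entries cost 2.08, with the deny for 198.51.100.7 sitting immediately above the permit it guards. Feed it real hit counters and your own list to see whether a given specific deny is paying for its place.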
