Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

IP access-list - performance influence on switch

Hello all,

i want to ask, if you have any experiences with IP access list on L2 switch interfaces.

Does access-list any performance influence on switch when it is applied on interface?

I have L2 2960G switch.

Thanks for your info.

Tomas

9 REPLIES
Silver

Re: IP access-list - performance influence on switch

Hi,

I'm afraidyou can't use IP (L3, L4) access-list on a L2 device like 2960G. You need multilayer switch. Anyway the multilayer switches are equipped with ASIC and the cef, access-lists, qos, features are applied in hardware so there is no performance degradation and you can reach the wire speed.

Hope it helps, rate if does

Krisztian

Community Member

Re: IP access-list - performance influence on switch

Hi Kerek,

you aren't right. There is possibility to use IP access-list on inbound direction of L2 switches ports.

Tomas

Silver

Re: IP access-list - performance influence on switch

Hi,

Probably yes, but I guess enhanced image required.

Krisztian

Community Member

Re: IP access-list - performance influence on switch

Nope -- most Catalyst switches will support a L3 ACL even if the switch is running SMI/IPbase and running at layer 2. It surprised me, too, when I first found it out. I also thought you had to run at Layer 3 in order to have the switch read the IP headers.

However, you are exactly correct that the ACLs are implemented on ASICs, and therefore have very little impact on switch performance.

V/R,

Ian

Silver

Re: IP access-list - performance influence on switch

Hi,

Will it support or currently supporting?

I have just tried out with our 2950 SMI and although I was able to set up the acl I was unable to assign it to the interface. I read that some qos matching can be done on L2 switches based on L3 header information but it is quite new for me that you can do filtering based on that. Can you provide a link where it is published? I still have some doubts.

Thanks a lot.

Krisztian

p.s:

That's why I love this place. You feel that you have some cliue about the generic things and see...

Silver

Re: IP access-list - performance influence on switch

Hi,

OK. I found it by myself. Yes the inbound filtering is possible on 2960 with ipv4 acl, but it is not true for all L2 devices (for instance 2950 SI).

Krisztian

Community Member

Re: IP access-list - performance influence on switch

Hi all,

i try to apply ACL in real traffic .. and I'll see if it will have any serious impact.

But I hope that it is done by hardware.

Thank to all.

Tomas

Cisco Employee

Re: IP access-list - performance influence on switch

L2-4 ACLs are supported on the 2960 LAN Base switches and the 2950 Enhanced Image switches. For the 2960 switches the lookups are done in hardware with no performance impact. The 2960 LAN Lite switches and 2950 Standard Image switches do not support ACLs.

Community Member

Re: IP access-list - performance influence on switch

Thanks for ensuring me Felixdav.

Tomas

230
Views
10
Helpful
9
Replies
CreatePlease to create content