Cisco Support Community
2800 ACL Config to help reduce High CPU

I'm trying to optimize the ACLs on a 2800 (there are many of them, and they are large) to help reduce CPU usage (currently 60%).

Which is better for the CPU when configuring the ACL?

permit tcp host A.B.C.D host A.B.C.D eq 1000 1501 2000 2500 4000 8001

or

permit tcp host A.B.C.D host A.B.C.D eq 1000

permit tcp host A.B.C.D host A.B.C.D eq 1500

etc

Is it the number of lines and/or the number of ports that matters?

1 REPLY

Re: 2800 ACL Config to help reduce High CPU

One line with many ports or many lines with one port each equates to the same thing.

Remember, the CLI can look tidy to us, but behind the scenes the router still has to do the same lookup on a packet for that port, so the ACL method does not really matter.

On PIX/ASA you can use turbo ACL, which compiles the ACL into binary to speed lookups up (it is meant for huge ACLs, though, in the thousands of lines).

Even object groups on PIX/ASA are just there to make life easy on the CLI; there is still a lookup on each port.

So in summary, there is nothing you can do. If the ACLs keep growing and the average CPU gets higher, maybe you need to look at getting proper firewalls (ASA) in to do the firewall function.

Router IOS firewall throughput is lower than a proper firewall.
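The reply's point, that one ACE listing several ports and several ACEs listing one port each cost the router the same number of port comparisons, can be checked with a small model of first-match ACL evaluation. This is an added example and not code from the thread or from Cisco; it assumes (as a simplification, not documented IOS internals) that an ACL is walked top to bottom, that each port after `eq` is compared in turn until one matches, and that an unmatched packet hits the implicit deny at the end. The addresses 192.0.2.1 and 198.51.100.1 replace the thread's A.B.C.D placeholders and are constructed sample data.

```python
"""Model of first-match ACL evaluation for the two ACE forms in the thread.

Added example; not the forum's or Cisco's code. The evaluation order and the
per-port comparison count are modelling assumptions, not documented IOS
behaviour. Only numeric destination ports after 'eq' are parsed.
"""
import re
from dataclasses import dataclass

# Constructed sample endpoints standing in for the thread's A.B.C.D.
SRC = "192.0.2.1"
DST = "198.51.100.1"

# Form 1 from the question: one ACE, several ports after 'eq'.
ONE_LINE = f"permit tcp host {SRC} host {DST} eq 1000 1501 2000 2500 4000 8001"

# Form 2 from the question: one ACE per port, same ports in the same order.
MANY_LINES = "\n".join(
    f"permit tcp host {SRC} host {DST} eq {port}"
    for port in (1000, 1501, 2000, 2500, 4000, 8001)
)

ACE_RE = re.compile(
    r"^\s*(permit|deny)\s+(\w+)\s+host\s+(\S+)\s+host\s+(\S+)"
    r"(?:\s+eq((?:\s+\d+)+))?\s*$"
)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    dst: str
    ports: tuple  # destination ports after 'eq'; empty tuple means any port


def parse_acl(text):
    """Parse 'permit|deny <proto> host A host B [eq p1 p2 ...]' lines in order."""
    aces = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        action, proto, src, dst, ports = m.groups()
        port_tuple = tuple(int(p) for p in ports.split()) if ports else ()
        aces.append(Ace(action, proto, src, dst, port_tuple))
    return aces


def evaluate(aces, proto, src, dst, dport):
    """Walk the ACL top to bottom; return (action, port_comparisons).

    Port comparisons are counted only for ACEs whose protocol and hosts match,
    since that is the work the thread is asking about. No ACE matching means
    the implicit deny at the end of every ACL.
    """
    comparisons = 0
    for ace in aces:
        if ace.proto != proto or ace.src != src or ace.dst != dst:
            continue
        if not ace.ports:  # no 'eq' clause: any port matches
            return ace.action, comparisons
        for port in ace.ports:
            comparisons += 1
            if port == dport:
                return ace.action, comparisons
    return "deny", comparisons


def compare_forms(dport):
    """Port comparisons a TCP packet SRC->DST:dport costs under each form."""
    _, one = evaluate(parse_acl(ONE_LINE), "tcp", SRC, DST, dport)
    _, many = evaluate(parse_acl(MANY_LINES), "tcp", SRC, DST, dport)
    return one, many


if __name__ == "__main__":
    for dport in (1000, 8001, 9000):
        one, many = compare_forms(dport)
        action, _ = evaluate(parse_acl(ONE_LINE), "tcp", SRC, DST, dport)
        print(f"dport {dport}: {action}, one-line={one} many-lines={many}")
```

Under this model a packet to the last listed port costs six comparisons either way, and a packet to an unlisted port also costs six before falling through to the implicit deny. What does change the count is the order of the ports or lines: the most frequently hit entries placed first are found after fewer comparisons, which is the usual lever when a sequential ACL is consuming CPU.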
