Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACL Perfomance !

Dear All,

In the process of securing Cisco 3640 router, i had decided to implement certain ACLs. I would be starting with Anti spoofing ACLs then implementing ACls to plug different vulnerabilities applicable and in the last ACLs for different virus/DOS attacks.

What i'm worried about is the performance penalty. Can i get any help in what should be the best practice before i go ahead with this so that i could maintain a balance between performance and security.

Also i would appreciate if i could get any documentation on all this.

New Member

Re: ACL Perfomance !

Hi ,

As you said, you will probably have an access list with all the deny statements then the permit ip any any at the end of the list. I don't think you have to worry about router performance issue. As the matter of fact, when you are under attack, router will drop the packets even before it processes the packet which may save your cpu ulti ( apply for inbound direction).

But if you are talking about IOS firewall, that's another story.


New Member

Re: ACL Perfomance !


Thanks for your reply.

Its just IOS with no firewall etc. My basic aim is is to just allow incoming SMTP and other HTTP/S based established connections. Rest all incoming needs to be denied.

I would be needing comments on this ACL.

1.<-------Antispoofing denials place here--------->

2.permit tcp any internal_network_IP mask established

3.Permit tcp any my_mail_server eq SMTP

And my last ACL would be

4.Deny IP any any.

I thing with this i can have a smaller ACL and hence better performance.

This would just allow the incoming SMTP traffic as my mail server is in my private LAN and its statically Nated.Also only established connections would be allowed.And rest all would be denied. Hence i don't have to plug in different entries for DOS/Virus attacks.


New Member

Re: ACL Perfomance !

I would advise that you read the NSA/SNAC Router Security Configuration Guide. You can get it at the below url. Good place to start. Just plan accordingly and apply ACL's accordingly, and you won't have a great impact on performance.

CreatePlease login to create content