Access List size?

PETER KNOWLES
Level 1

Are there guidelines/recommendations for the maximum number of items in an access control list in a given family of routers?

Looking for input on various groups (1600-1800; 2500-2600; 3600-3700), if available, so we can do some custom ACLs and make sure the ACL doesn't over-burden the CPU.

Thanks in advance.

5 Replies

balajitvk
Level 4

Hi,

There is no such limit for ACLs as such.... It all depends on your environment, and you have to check with your traffic how many of them have hits and drops (matches) in ACLs....

As you said, ACLs are CPU intensive just because all the traffic on the applied interface and in the applied direction is going to be checked against the ACL....

Rate if it does,

Rgs,

I concur there is no practical size and that environment can vary widely from install to install. We are trying to determine if an application we are generating, feeding an ACL with dynamic information, will be impractical for a given series of router.

My question relates to the following scenario:

Large ACL in place (example 500 lines). Would this be impractical for the CPU of a smaller-family router (800 series, 1600/1700 series) to handle?

Second example, 1500 lines: would this be impractical for the CPU of a 2x00 series? 3x00 series?

Thank you.

randreetta
Level 1

Great questions that apparently remain with no answer after 14 years.

This is an "it depends" answer, and not just on the performance of the router or switch.

For example, if you had an ACL with 500 ACEs, there would probably be a big performance difference if 99.9% of the processing stopped with the first ACE vs. falling all the way through the ACL.

Some IOSs had implemented a feature called TurboACL (or compiled ACLs), which (from some literature) found an ACE in a "flat" time equivalent of processing 5 ACEs regardless of ACL size.

Some router IOSs, I suspect, might "optimize" the ACEs into a reduced number, physically, to improve ACL processing.

I.e.

if your ACEs were something like:

access-list 1 permit host 10.0.0.0
access-list 1 permit host 10.0.0.1
access-list 1 permit host 10.0.0.2
access-list 1 permit host 10.0.0.3
access-list 1 permit host 10.0.0.4
access-list 1 permit host 10.0.0.5
access-list 1 permit host 10.0.0.6
access-list 1 permit host 10.0.0.7

possibly what's actually matched against might be:

access-list 1 permit standard 10.0.0.0 0.0.0.7

or perhaps having

access-list 1 permit host 10.0.0.0
access-list 1 permit host 10.0.0.1
access-list 1 permit host 10.0.0.2
access-list 1 permit host 10.0.0.3
access-list 1 permit host 10.0.0.4
access-list 1 permit host 10.0.0.5
access-list 1 permit host 10.0.0.6
access-list 1 permit host 10.0.0.7

might match against

access-list 1 deny host 10.0.0.6
access-list 1 permit standard 10.0.0.0 0.0.0.7

Switches, I believe, do something like the foregoing when placing ACLs into TCAM.  Processing time should be the same regardless of the ACL length, but different switches have different TCAM resources.  Too large/many ACLs can overflow such resources, and you would then have a major performance problem.

As, again, this is an "it depends" answer, it's very difficult to predict just how any particular router or switch will deal with an ACL without knowing much more.  About the only thing you might infer is that a "faster/better" device will likely have more capacity for dealing with a large ACL.
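The two effects described in the post above, a run of host ACEs collapsing into a single wildcard-masked entry, and the cost of falling through a sequential list versus matching early, can be seen in a few lines of code. The following is an added example, not code from the thread or from any Cisco software: it rebuilds the eight `permit host 10.0.0.x` entries as sample input, merges them into one aligned wildcard ACE only when doing so permits exactly the same addresses (an incomplete block is deliberately left alone), checks both forms against constructed probe addresses, and counts how many ACEs a top-down lookup examines in each form. The `Ace`, `aggregate_hosts` and `first_match` names are this example's own.

```python
"""Added example (not from the thread or any Cisco code): collapse the
thread's eight `permit host 10.0.0.x` entries into one wildcard-masked ACE,
and count how many ACEs a sequential lookup examines before matching."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

MASK32 = 0xFFFFFFFF


def ip(addr: str) -> int:
    """IPv4 dotted-quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Ace:
    action: str    # "permit" or "deny"
    network: int   # 32-bit address
    wildcard: int  # Cisco wildcard mask: bits set to 1 are "don't care"

    def matches(self, addr: int) -> bool:
        care = MASK32 ^ self.wildcard            # bits that must be equal
        return (addr & care) == (self.network & care)

    def render(self, acl_id: int = 1) -> str:
        net = ipaddress.IPv4Address(self.network)
        if self.wildcard == 0:
            return f"access-list {acl_id} {self.action} host {net}"
        return f"access-list {acl_id} {self.action} {net} {ipaddress.IPv4Address(self.wildcard)}"


def parse_standard_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny host A.B.C.D', '... any' or '... A.B.C.D W.X.Y.Z'."""
    parts = line.split()
    action = parts[2]
    if parts[3] == "host":
        return Ace(action, ip(parts[4]), 0)
    if parts[3] == "any":
        return Ace(action, 0, MASK32)
    return Ace(action, ip(parts[3]), ip(parts[4]))


def aggregate_hosts(aces: List[Ace]) -> List[Ace]:
    """Merge same-action host ACEs into a single wildcard ACE when they form a
    complete, aligned power-of-two block (a CIDR prefix); otherwise return them
    unchanged. An incomplete block is left alone, because a wider wildcard
    would admit addresses the original list never permitted."""
    if not aces or len({a.action for a in aces}) != 1 or any(a.wildcard for a in aces):
        return list(aces)
    addrs = sorted(a.network for a in aces)
    n = len(addrs)
    aligned = (n & (n - 1)) == 0 and addrs[0] % n == 0
    contiguous = addrs == list(range(addrs[0], addrs[0] + n))
    if not (aligned and contiguous):
        return list(aces)
    return [Ace(aces[0].action, addrs[0], n - 1)]


def first_match(acl: List[Ace], addr: int) -> Tuple[str, int]:
    """Sequential top-down evaluation: (action, number of ACEs examined).
    Falling through the whole list hits the implicit deny."""
    for examined, ace in enumerate(acl, start=1):
        if ace.matches(addr):
            return ace.action, examined
    return "deny", len(acl)


def same_decisions(a: List[Ace], b: List[Ace], addrs) -> bool:
    """True if both ACLs permit/deny exactly the same addresses in `addrs`."""
    return all(first_match(a, x)[0] == first_match(b, x)[0] for x in addrs)


# The eight entries from the thread, rebuilt here as the sample input.
ORIGINAL = [parse_standard_ace(f"access-list 1 permit host 10.0.0.{i}") for i in range(8)]
COMPACT = aggregate_hosts(ORIGINAL)


def demo() -> dict:
    # Constructed probe addresses: inside the block, at its edges, and outside it.
    probes = [ip(a) for a in ("10.0.0.0", "10.0.0.5", "10.0.0.7", "10.0.0.8", "10.0.1.3")]
    return {
        "compact": [a.render() for a in COMPACT],
        "equivalent": same_decisions(ORIGINAL, COMPACT, probes),
        # Worst case for the flat list: .7 is the last ACE, so 8 comparisons vs 1.
        "examined_original": first_match(ORIGINAL, ip("10.0.0.7"))[1],
        "examined_compact": first_match(COMPACT, ip("10.0.0.7"))[1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The aggregation is only applied when the host set is a full, aligned block, which is what keeps the compact ACL equivalent to the original; dropping one host from the list makes `aggregate_hosts` return the list untouched rather than widen the mask. The examined-ACE count is the point the post makes about ordering: the same address costs eight comparisons in the flat list and one in the merged form, which is the kind of difference a platform without compiled ACLs feels at scale.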

Hello

A feature called turbo ACLs allows you to control the amount of memory/CPU resource an access-list can be allocated, especially when you envisage an ACL with a very large number of ACE entries; however, usually they are designed for higher-end platforms.

Example:
sh access-lists

Standard IP access list 1
10 permit any

Extended IP access list stan
10 permit tcp host 1.1.1.1 any

Extended IP access list test
10 permit ip host 1.1.1.1 host 2.2.2.2
20 permit ip host 1.1.1.2 host 2.2.2.1
30 permit ip host 1.1.1.3 host 2.2.2.3
40 permit ip host 1.1.1.5 host 2.2.2.4
50 permit ip host 1.1.1.6 host 2.2.2.6

Show access-lists compiled
Compiled ACLs unavailable

conf t
access-list compiled
access-list compiled ipv4 limit memory
access-list compiled ipv4 reuse

sh access-lists compiled
Compiled ACL statistics:
ACL State Entries Config Fragment Redundant
1 Operational 1 1 0 0
stan Operational 1 1 0 0
test Operational 5 5 0 0
4 ACLs, 3 active, 2 builds, 7 entries, 64 ms last compile
0 history updates, 2000 history entries
0 mem limits, 128 Mb limit, 1 Mb max memory
0 compile failures, 0 priming failures
Overflows: L1 0, L2 0, L3 0
Table expands:[9]=0 [10]=0 [11]=0 [12]=0 [13]=0 [14]=0 [15]=0
L0: 1803Kb 3/4 3/4 7/8 3/4 7/8 2/3 2/3 2/3
L1: 4Kb 2/16 2/32 2/24 2/9
L2: 2Kb 2/150 2/150
L3: 2Kb 2/300
Ex: 6Kb
Tl: 1819Kb 43 equivs (14 dynamic)

Memory chunk statistics: (number passed/number failed)
6/0 chunk creates, 3/n/a chunk destroys
0/0* interrupt level, 12/0 process level allocations
* failures at interrupt level do not indicate a memory shortage
0/0 replenishes, 150/0 elements replenished *
* including element allocation at chunk creation time
0 online, 0 offline replenish suspends


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul