
New Member

Cisco ASR 1002- performance issue due to access list

Hi,

We are planning to implement an inbound access-list to block subnets from a particular country. Since the subnets are not contiguous, we have about 16000 lines of ACL entries.

I want to know, would there be any performance or latency issues after applying 16k lines of ACL?

Is there a good document where I can read more about ACL limitations and performance issues on ASR?

This is for ASR1002, running IOS-XE 15.3(1)S1.

 

Thanks

 

2 REPLIES
Super Bronze


Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Sorry, I don't know the answer to your questions, but I'm writing to mention a 7200 feature that, if supported on the ASR, might help in your situation. See http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#turbo

New Member


Hi,

I don't know if a 16K ACL is supported on the ASR1002 platform, but since you mention that you want to filter whole subnets, I would suggest blackholing them by routing them to null on your ASR. 16K routes to null are not that much and are definitely supported without impact.

 

Sp
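An added example (not part of the original thread and not Cisco tooling) of preparing the null-route approach suggested in the reply above: it merges duplicate, overlapping and adjacent prefixes before rendering `ip route ... Null0` lines, so the number of routes can be well below the raw list size. The prefixes are constructed sample values and all function names are hypothetical.

```python
import ipaddress

# Constructed sample input (documentation/private ranges, not real country
# allocations). Duplicates, overlaps and adjacent blocks are included on purpose.
SAMPLE_PREFIXES = """
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26
192.0.2.0/24
10.16.0.0/16
10.17.0.0/16
# comment line
192.0.2.0/24
"""

def parse_prefixes(text):
    """Return IPv4Network objects, skipping blank lines and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=True rejects entries with host bits set (e.g. 10.1.1.1/16)
        # instead of silently widening what gets dropped.
        nets.append(ipaddress.IPv4Network(line, strict=True))
    return nets

def aggregate(nets):
    """Merge duplicate, overlapping and adjacent prefixes into the fewest CIDRs."""
    return list(ipaddress.collapse_addresses(nets))

def null_routes(nets):
    """Render one IOS static route to Null0 per aggregated prefix.
    Note: a static route is matched on the packet's destination address."""
    return [f"ip route {n.network_address} {n.netmask} Null0" for n in nets]

def build(text):
    """Return (number of input prefixes, list of rendered route lines)."""
    nets = parse_prefixes(text)
    return len(nets), null_routes(aggregate(nets))

if __name__ == "__main__":
    before, routes = build(SAMPLE_PREFIXES)
    print(f"! {before} input prefixes -> {len(routes)} routes")
    print("\n".join(routes))
```
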
