Cisco Support Community

Denying External Hosts by Country in IOS


I have a large access list of host networks that I wish to deny on a Cisco 1941 ISR. The list is about 9000 lines of subnets, but I'm sensing that an access-list this large would make the router grind to a halt.

This deployment uses the zone firewall - am I correct in thinking that this large deny list would substantially impact the router's performance?

I'm curious to hear what others are doing to deny large lists of subnets on the ISR platform. The alternative that comes to mind would be to place a transparent firewall (NetBSD or pfSense) in front of the 1941, since pf tables can do this type of filtering quite efficiently.

Any input is appreciated.


Re: Denying External Hosts by Country in IOS

Yes, a 9000-line ACL is going to have an impact.

Are you sure you can't supernet some of these and reduce the count?

Sent from Cisco Technical Support iPad App
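
The supernetting suggested in the reply above can be done mechanically before the list ever reaches the router. The following is an added example, not part of either post: it collapses adjacent and overlapping IPv4 prefixes losslessly (nothing outside the original list gets blocked) and prints IOS extended ACL deny entries with wildcard masks. The ACL name `GEO-DENY` is hypothetical and the sample prefixes are constructed from documentation and private ranges, not a real country list.

```python
import ipaddress

# Constructed sample input; a real list would be read from a file.
SAMPLE_BLOCKLIST = """
198.51.100.0/25
198.51.100.128/25
203.0.113.0/26
203.0.113.64/26
203.0.113.128/25
192.0.2.0/24
192.0.2.16/28      # already covered by the /24 above
10.20.0.0/24
10.20.1.0/24
10.20.2.0/24
10.20.3.0/24
10.30.5.0/24
"""

def parse_networks(text):
    """Parse one CIDR per line, ignoring blank lines and '#' comments."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            # strict=False normalises entries that have host bits set
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def supernet(nets):
    """Merge adjacent/contained IPv4 prefixes without widening coverage."""
    v4 = [n for n in nets if n.version == 4]
    return list(ipaddress.collapse_addresses(v4))

def to_acl(nets, name="GEO-DENY"):  # ACL name is a hypothetical placeholder
    """Render deny entries; IOS ACLs take a wildcard (inverse) mask."""
    lines = [f"ip access-list extended {name}"]
    for n in nets:
        if n.prefixlen == 32:
            src = f"host {n.network_address}"
        else:
            src = f"{n.network_address} {n.hostmask}"
        lines.append(f" deny ip {src} any")
    return lines

if __name__ == "__main__":
    before = parse_networks(SAMPLE_BLOCKLIST)
    after = supernet(before)
    print(f"! {len(before)} entries collapsed to {len(after)}")
    print("\n".join(to_acl(after)))
```

How much a real list shrinks depends on how contiguous its allocations are, so compare the entry counts before and after to decide whether the result is small enough for the router.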
