Firewall Wizards: RE: Comparisons between Router ACLs and Firewalls

RE: Comparisons between Router ACLs and Firewalls

From: Mark Gumennik <mgumennik_at_mitre.org>
Date: Mon, 5 Jan 2004 12:14:00 -0500

I have done some experiments with the router's ACLs.
I applied several different types (sic!) of ACLs with the number of
lines from 20 to 500.
Then I was banging it (the router) with different packets generated by
SmartBits.
I have tested 2 mid-size routers on 10 MBps and 100 MBps interfaces.

The result was quite strange:

On the ACLs based on a "permit all" statement at the end:
Almost independent of the length of the ACLs, I have seen the routers
starting packet drop at 20% of the interface speed (18-22%, depending
on the length). Keep in mind that the traffic was the same all the time,
close to the real thing.

On the ACLs based on a "deny all" statement at the end:
- much more dependent on the length of the ACL and the positioning of
certain statements within the ACL.
The packet drop started @ 40-50% of the line speed.

Mark G

PS I'll be out to sea for a week

-----Original Message-----
From: firewall-wizards-admin_at_honor.icsalabs.com
[mailto:firewall-wizards-admin_at_honor.icsalabs.com] On Behalf Of Marcus
J. Ranum
Sent: Saturday, January 03, 2004 5:42 PM
To: Bill James; 'David Pick'
Cc: firewall-wizards_at_honor.icsalabs.com
Subject: RE: [fw-wiz] Comparisons between Router ACLs and Firewalls

Bill James wrote:
>The problem with using ACLs is the load they can add to a router. Most
>of Cisco's newer IOS' have IP Inspection and do OK but can add a
>tremendous load on the router.

I've never found any good studies of ACL performance. Do you have any
references you can point us to?

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Received on Jan 06 2004
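Mark's second observation, that a "deny all"-terminated ACL is sensitive to the positioning of statements, is what a sequential first-match evaluator predicts: every packet is compared against lines top to bottom until one matches, so the work per packet is the depth of the first matching line. The script below is an added example, not code from the post or from the router vendors it discusses, and it models nothing about the specific routers or SmartBits runs described above. It constructs a small ACL, reorders it so high-volume rules sit first, and measures the average number of lines examined per packet under a constructed traffic mix, checking that both orderings make identical permit/deny decisions. All addresses, rules and packet counts are invented for illustration.

```python
"""Added example: first-match depth of a deny-all-terminated ACL under two
orderings of the same rules. Constructed model of a software ACL evaluated
top to bottom; not the post's routers or test equipment."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any protocol), "tcp" or "udp"
    src: str               # CIDR; "0.0.0.0/0" means any source
    dst: str               # CIDR; "0.0.0.0/0" means any destination
    dport: Optional[int]   # None means any destination port

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.dport is not None and self.dport != pkt["dport"]:
            return False
        src_ok = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
        dst_ok = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
        return src_ok and dst_ok


def evaluate(acl: List[AclEntry], pkt: dict) -> Tuple[str, int]:
    """First-match semantics: returns (action, number of lines examined).
    A packet that matches nothing is denied (implicit deny), as in IOS ACLs."""
    for depth, entry in enumerate(acl, start=1):
        if entry.matches(pkt):
            return entry.action, depth
    return "deny", len(acl)


def average_depth(acl: List[AclEntry], packets: List[dict]) -> float:
    """Mean number of ACL lines examined per packet for this traffic mix."""
    return sum(evaluate(acl, p)[1] for p in packets) / len(packets)


def same_decisions(acl_a: List[AclEntry], acl_b: List[AclEntry], packets: List[dict]) -> bool:
    """True when both orderings permit/deny exactly the same packets."""
    return all(evaluate(acl_a, p)[0] == evaluate(acl_b, p)[0] for p in packets)


ANY = "0.0.0.0/0"
# Ten per-host admin SSH permits (constructed): rarely hit by the traffic below.
RARE_LINES = [AclEntry("permit", "tcp", "10.9.0.0/24", f"10.1.1.{h}/32", 22)
              for h in range(20, 30)]
WEB = AclEntry("permit", "tcp", ANY, "10.1.1.10/32", 80)
DNS = AclEntry("permit", "udp", ANY, "10.1.1.53/32", 53)
DENY_ALL = AclEntry("deny", "ip", ANY, ANY, None)

# Same 13 rules, two orderings: rarely matched lines first, or hot lines first.
ACL_RARE_FIRST = RARE_LINES + [WEB, DNS, DENY_ALL]
ACL_HOT_FIRST = [WEB, DNS] + RARE_LINES + [DENY_ALL]


def sample_traffic() -> List[dict]:
    """Constructed mix: 80 web requests, 15 DNS queries, 5 stray packets."""
    pkts = []
    for i in range(80):
        pkts.append({"proto": "tcp", "src": f"192.168.1.{i + 1}", "dst": "10.1.1.10", "dport": 80})
    for i in range(15):
        pkts.append({"proto": "udp", "src": f"192.168.2.{i + 1}", "dst": "10.1.1.53", "dport": 53})
    for i in range(5):
        # These match nothing but the final deny line.
        pkts.append({"proto": "tcp", "src": f"172.16.0.{i + 1}", "dst": "10.1.1.99", "dport": 445})
    return pkts


if __name__ == "__main__":
    pkts = sample_traffic()
    for name, acl in (("rare-first", ACL_RARE_FIRST), ("hot-first", ACL_HOT_FIRST)):
        print(f"{name}: {len(acl)} lines, avg lines examined per packet = "
              f"{average_depth(acl, pkts):.2f}")
    print("identical decisions:", same_decisions(ACL_RARE_FIRST, ACL_HOT_FIRST, pkts))
```

With this traffic the rare-first ordering examines 11.25 lines per packet on average and the hot-first ordering 1.75, while both deliver the same verdict for every packet; the stray packets still walk all 13 lines in either case, which is why a deny-all-terminated list grows more expensive as it gets longer whenever unmatched traffic is present.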
