- A virtual community of network engineers
 Home  BookStore  StudyNotes  Links  Archives  StudyRooms  HelpWanted  Discounts  Login
Re: ACL - Let's put some numbers on... [7:41738] posted 04/22/2002
[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]

Some time ago I was messing about with a 3640 and IIRC I measured about
70k pps (unidirectional traffic) with no acls.  An acl where the traffic
was permitted on the first line dropped it to about 55k pps.  Pushing
the permit acl lines down the list dropped another approx 1%
throughput for each line processed.  The IOS was probably 11.2.

Ole Drews Jensen wrote:
> My first line of defence is a 3620, and I am using and ACL on the outside
> interface for incoming traffic, trying to stop some of 'bad' traffic before
> it continue to my firewall. I know how to design the access-list so the
> often received traffic is checked first, and so on, and I know that I
> keep it as simple as possible and not creating a huge access-list with
> of lines.
> However, it got me wondering. How much does it slow down the incoming
> traffic everytime I add a new line to my access-list. This is a very hard
> question to answer though, because if created well, most traffic should be
> filtered out before halfway through the access-list, and I guess it also
> depends on the speed of the processor.
> If we look at the 3620, it has an 80Mhz RISC processor, so if can someone
> give me a result here?
> If we have a full T1 fully loaded with incoming traffic. How long delay
> would there be per line-to-be-checked in an ingoing extended ACL?
> Thanks for your comments...
> Ole
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>  Ole Drews Jensen
>  Systems Network Manager
>  RWR Enterprises, Inc.
>  OJensen@xxxxxxx
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>  Need a Job?
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Message Posted at:
FAQ, list archives, and subscription info:
Report misconduct and Nondisclosure violations to abuse@xxxxxxxxxxxxxx