https://community.cisco.com/t5/routing-and-sd-wan/how-do-routers-handle-access-lists/m-p/4135486#M338283 Generally, on the smaller routers, everything is done by the main CPU, without hardware support. (Larger, or more powerful, routers [e.g. 7300 vs. 7200], have some additional hardware to accelerate some functions - some of the largest "routers" are/were really L3 switches, with more functions [e.g. 7600 vs. 6500].)<BR /><BR />On those routers, doing everything in software, something like ACLs, might be done in some way to "optimize" how they are processed. Or, on some routers, starting with the 7200 series, they had an optional "compile" ACL function, which was supposed to greatly increase performance for long ACLs. (Much of such optimization is likely considered proprietary.) Thu, 13 Aug 2020 17:48:17 GMT Joseph W. Doherty 2020-08-13T17:48:17Z https://community.cisco.com/t5/routing-and-sd-wan/how-do-routers-handle-access-lists/m-p/4135408#M338275 <P>Hi, all. Just a quick basic question. I'm aware of how L3 switches handle standard and extended access lists, where the entries are used to populate the TCAM and multiple ACEs can be processed simultaneously. I'm not sure how routers carry out their processing of ACLs, or if they're handled in hardware as seen with a switch. Specifically 1941 and 4330 models, if there's any variation. I'm hoping someone can inform me or provide some documentation for me to educate myself.&nbsp;</P> Thu, 13 Aug 2020 16:07:20 GMT https://community.cisco.com/t5/routing-and-sd-wan/how-do-routers-handle-access-lists/m-p/4135408#M338275 WGL_BK 2020-08-13T16:07:20Z https://community.cisco.com/t5/routing-and-sd-wan/how-do-routers-handle-access-lists/m-p/4135481#M338282 <P>Hope below information help you :</P> <P>&nbsp;</P> <P><A href="http://etutorials.org/Networking/Router+firewall+security/Part+III+Nonstateful+Filtering+Technologies/Chapter+6.+Access+List+Introduction/Access+List+Overview/" target="_blank">http://etutorials.org/Networking/Router+firewall+security/Part+III+Nonstateful+Filtering+Technologies/Chapter+6.+Access+List+Introduction/Access+List+Overview/</A></P> <P>&nbsp;</P> Thu, 13 Aug 2020 17:43:15 GMT https://community.cisco.com/t5/routing-and-sd-wan/how-do-routers-handle-access-lists/m-p/4135481#M338282 balaji.bandi 2020-08-13T17:43:15Z https://community.cisco.com/t5/routing-and-sd-wan/how-do-routers-handle-access-lists/m-p/4135486#M338283 Generally, on the smaller routers, everything is done by the main CPU, without hardware support. (Larger, or more powerful, routers [e.g. 7300 vs. 7200], have some additional hardware to accelerate some functions - some of the largest "routers" are/were really L3 switches, with more functions [e.g. 7600 vs. 6500].)<BR /><BR />On those routers, doing everything in software, something like ACLs, might be done in some way to "optimize" how they are processed. Or, on some routers, starting with the 7200 series, they had an optional "compile" ACL function, which was supposed to greatly increase performance for long ACLs. (Much of such optimization is likely considered proprietary.) Thu, 13 Aug 2020 17:48:17 GMT https://community.cisco.com/t5/routing-and-sd-wan/how-do-routers-handle-access-lists/m-p/4135486#M338283 Joseph W. Doherty 2020-08-13T17:48:17Z https://community.cisco.com/t5/routing-and-sd-wan/how-do-routers-handle-access-lists/m-p/4135494#M338285 Ah, thank your for the explanation, Joseph. I was hoping to find exactly how the 4331 router did it, but I've had no luck thus far. Is it safe to assume that if there's no way to configure the SDM on a device, then that that device does not use hardware based TCAM? Thu, 13 Aug 2020 17:59:43 GMT https://community.cisco.com/t5/routing-and-sd-wan/how-do-routers-handle-access-lists/m-p/4135494#M338285 WGL_BK 2020-08-13T17:59:43Z https://community.cisco.com/t5/routing-and-sd-wan/how-do-routers-handle-access-lists/m-p/4135496#M338286 Thank you, Balaji. I'll get to reading through this. Thu, 13 Aug 2020 18:00:24 GMT https://community.cisco.com/t5/routing-and-sd-wan/how-do-routers-handle-access-lists/m-p/4135496#M338286 WGL_BK 2020-08-13T18:00:24Z https://community.cisco.com/t5/routing-and-sd-wan/how-do-routers-handle-access-lists/m-p/4135532#M338291 <P>A device not supporting a SDM template doesn't insure there's not any TCAM. What the SDM does, is tell the device how you would like the TCAM resources allocated (among vendor allowed choices).<BR /><BR />Again, how Cisco, for something like a 4331 actually/exactly does ACL processing, is likely considered proprietary, which if so, would very much explain why you cannot find any documentation on that.<BR /><BR />The CPU would likely do some boolean operation(s) between the packet vs. the ACL. Again, if Cisco is clever, they might "optimize" how the comparison is actually done. For example, given:<BR /><BR />access-list 10 deny host 192.168.1.0<BR />access-list 10 deny host 192.168.1.1<BR />access-list 10 deny host 192.168.1.2<BR />access-list 10 deny host 192.168.1.3<BR />access-list 10 deny host 192.168.1.4<BR />access-list 10 deny host 192.168.1.5<BR />access-list 10 deny host 192.168.1.6<BR />access-list 10 deny host 192.168.1.7<BR /><BR />There's eight ACEs, in the above ACL, but they can be done as one ACE, as:<BR /><BR />access-list 10 deny 192.168.1.0 0.0.0.7<BR /><BR />Doing one operation rather than eight, should be eight times faster. One question would be, is the IOS "smart enough" to automatically do just the one operation rather than the eight?<BR /><BR />Or given:<BR /><BR />access-list 10 deny host 192.168.1.2<BR />access-list 10 deny host 192.168.1.3<BR />access-list 10 deny host 192.168.1.4<BR />access-list 10 deny host 192.168.1.5<BR />access-list 10 deny host 192.168.1.6<BR />access-list 10 deny host 192.168.1.7<BR /><BR />This could be done as:<BR /><BR />access-list 10 permit 192.168.1.0 0.0.0.1<BR />access-list 10 deny 192.168.1.0 0.0.0.7<BR /><BR />Two operations are better than six. Again, does the IOS figure this out?<BR /><BR />Or course, you can (perhaps) optimize ACL processing, by providing the ACL with optimal ACEs.<BR /><BR />That aside, as noted in my other post, what you would do would be compare the packet's source IP, with the information in the ACE.<BR /><BR />For example, if packet had an source IP of 192.168.1.3, depending on the ACE you would logically compare that source IP with both the address and mask values in the ACE, determining if there's a match. A source IP of 192.168.1.3 would match host 192.168.1.3 or 192.168.1.0 0.0.0.7.<BR /><BR />Understand, also, what boolean operations some hardware provides (to the CPU) can impact the actual "how" for some operations.</P> Thu, 13 Aug 2020 18:47:19 GMT https://community.cisco.com/t5/routing-and-sd-wan/how-do-routers-handle-access-lists/m-p/4135532#M338291 Joseph W. Doherty 2020-08-13T18:47:19Z https://community.cisco.com/t5/routing-and-sd-wan/how-do-routers-handle-access-lists/m-p/4135542#M338294 Thank you again, Joseph. You've been most helpful. Thu, 13 Aug 2020 19:02:12 GMT https://community.cisco.com/t5/routing-and-sd-wan/how-do-routers-handle-access-lists/m-p/4135542#M338294 WGL_BK 2020-08-13T19:02:12Z https://community.cisco.com/t5/routing-and-sd-wan/how-do-routers-handle-access-lists/m-p/4135563#M338298 <P>Oh, my examples were simple, but the two boolean operators used, for actual matching packet's attributes (in my examples, just source IP address) against ACE are (I believe) the boolean And and Xor operators.<BR /><BR />To see how the IOS, or you, could combine multiple ACEs into one, you might read: <A href="https://www.imedita.com/blog/wildcard-masks" target="_blank" rel="noopener">https://www.imedita.com/blog/wildcard-masks</A>.</P> Thu, 13 Aug 2020 19:47:19 GMT https://community.cisco.com/t5/routing-and-sd-wan/how-do-routers-handle-access-lists/m-p/4135563#M338298 Joseph W. Doherty 2020-08-13T19:47:19Z