topic Does the order of the ACL affect the CPU and other resources on the firepower FTD in Network Security

Does the order of the ACL affect the CPU and other resources on the firepower FTD

Alex-Pr — Thu, 18 Feb 2021 19:12:53 GMT

I am curious, for all the Allow rules, does the order of the access control policy affect the platform in a large way?

What I mean is if there are a few hundred rules, is it important to put the most active flows at the top of the list and the rules that seldom get hit at the bottom?

I can see time sensitive flows like voice traffic being important to be at the top of the list.

Overall, does it make a big impact to manage the order of the access policy or is the difference negligible?

Thank you.

Re: Does the order of the ACL affect the CPU and other resources on the firepower FTD

MHM Cisco World — Thu, 18 Feb 2021 19:36:44 GMT

The CPU search match according to order of enter ACL, and hence it good for voice.

very good point.

Re: Does the order of the ACL affect the CPU and other resources on the firepower FTD

Mike.Cifelli — Thu, 18 Feb 2021 20:20:17 GMT

IMO this depends on the type of hardware you are running. AFAIK the 4110s can support up to 1.5 million ACEs (access control entries), and each platform has different support numbers. I would recommend looking at your specific platform data sheet for a more accurate understanding of the limitations. For FTD traffic handling have you considered prefilter policies to fastpath certain traffic? Pre-filtering is the first thing that gets checked in relation to the access control phase. Fastpath essentially allows you to bypass further evaluation from within the snort engine. If you want to see more about traffic handling see here: Understanding Firepower Packet Processing (learnitwithcifelli.com). HTH!