Access list on router causing severe performance problems

rgnwcco
Community Member

I have a 3620 router with 2 FE ports connecting 2 LANs - one to a trusted partner. I have a simple access list applied "in" to the partner's interface. The users at the partner's office have severe delays or very poor performance when they try to access any resources from my LAN. As soon as I lift the access list off, it gives excellent performance. I tried cutting down on the number of lines in the access list (right now I've got just one line), but the effect is the same. What should I be checking for?

5 Replies

lgijssel
Level 11

Check that fast switching is enabled on both FE interfaces.

Using process switching can cause considerable delay.

To activate fast switching, use the interface command: no ip route-cache

Regards,

Leo

Guys,

I thought the command 'ip route-cache' turns on fast switching and is usually default. To disable it, use no ip route-cache.

Please correct me if I am wrong.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1818/products_command_reference_chapter09186a0080080413.html#xtocid2857366

Bill

You are correct. ip route-cache enables fast switching and no ip route-cache disables fast switching.

And I do not believe that fast switching (or not) is the issue. The original post said that with access list in place performance was bad and with access list removed performance was good. There was a time in the history of IOS when adding an inbound access list would force process switching and impact performance. But it has been a very long time since that was true. So the router is either fast switching everything or it is process switching everything. (And in fact it is probably CEF switching if the IOS is at all recent.)

So if it sounds like the issue is the access list then I think it would be very helpful if the original poster would supply some specifics about the topology and the content of the access list.

HTH

Rick

ip route-cache is enabled on the router.

My current access list consists of just one line:

ip access-list extended QRLink
 permit tcp 172.20.8.0 0.0.3.255 172.17.224.32 0.0.0.7 range 3200 3399
!
interface FastEthernet0/0
 ip address 172.17.48.15 255.255.240.0
!
interface FastEthernet1/0
 ip address 172.17.80.57 255.255.255.252
 ip access-group QRLink in
 full-duplex
 no cdp enable
!

I think there may be an issue with this access list. It permits a range of source addresses (which I assume are the partner's addresses) to a subnet (which I assume are your addresses) for a range of TCP ports. Since there is an implicit deny any any at the end of every access list, there is no UDP allowed through, no ICMP allowed through, and no TCP except for the specific range of ports.

Depending on what they are trying to do this could very well explain poor performance.

HTH

Rick
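To make Rick's point about the implicit deny concrete, here is an added example (not code from the thread or from Cisco) that evaluates the poster's one-line QRLink ACL against a handful of constructed inbound packets from the partner's 172.20.8.0/22 range. It implements Cisco wildcard-mask matching and first-match-wins evaluation, falling through to the implicit deny when nothing matches. The packet descriptions and addresses such as 172.20.9.10, 172.17.48.20 and port 445 are assumptions chosen to illustrate typical traffic; the ACE itself is the one from the posted config.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The single ACE from the poster's config. Everything not matched here falls
# to the implicit "deny ip any any" that ends every IOS access list.
ACL_QRLINK = [
    "permit tcp 172.20.8.0 0.0.3.255 172.17.224.32 0.0.0.7 range 3200 3399",
]


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # None for protocols without ports (icmp)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_ace(line: str) -> dict:
    """Parse the subset of extended-ACL syntax used on the page:
    <permit|deny> <proto> <src> <src-wc> <dst> <dst-wc> [range lo hi | eq port]"""
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, src_wc, dst, dst_wc = tok[2:6]
    lo = hi = None
    rest = tok[6:]
    if rest and rest[0] == "range":
        lo, hi = int(rest[1]), int(rest[2])
    elif rest and rest[0] == "eq":
        lo = hi = int(rest[1])
    return dict(action=action, proto=proto, src=src, src_wc=src_wc,
                dst=dst, dst_wc=dst_wc, lo=lo, hi=hi)


def ace_matches(ace: dict, pkt: Packet) -> bool:
    """True if this entry applies to the packet (protocol, addresses, port range)."""
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not wildcard_match(pkt.src, ace["src"], ace["src_wc"]):
        return False
    if not wildcard_match(pkt.dst, ace["dst"], ace["dst_wc"]):
        return False
    if ace["lo"] is not None:
        # A port-qualified entry never matches a packet that has no port.
        if pkt.dport is None or not (ace["lo"] <= pkt.dport <= ace["hi"]):
            return False
    return True


def evaluate(acl_lines, pkt: Packet) -> str:
    """First matching entry wins; no match hits the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny (implicit)"


# Constructed sample traffic a partner host might send inbound on Fa1/0.
SAMPLE_TRAFFIC = [
    ("app session to the permitted server block, port 3300",
     Packet("tcp", "172.20.9.10", "172.17.224.33", 3300)),
    ("DNS query to the same server",
     Packet("udp", "172.20.9.10", "172.17.224.33", 53)),
    ("ICMP echo (ping) to the same server",
     Packet("icmp", "172.20.9.10", "172.17.224.33")),
    ("SMB to a file server on the 172.17.48.0/20 subnet",
     Packet("tcp", "172.20.9.10", "172.17.48.20", 445)),
    ("TCP reply to a session opened from the trusted LAN",
     Packet("tcp", "172.20.9.10", "172.17.48.15", 49152)),
]


def report(acl_lines=ACL_QRLINK, traffic=SAMPLE_TRAFFIC) -> dict:
    """Map each sample description to the ACL verdict it receives."""
    return {desc: evaluate(acl_lines, pkt) for desc, pkt in traffic}


if __name__ == "__main__":
    for desc, verdict in report().items():
        print(f"{verdict:16} {desc}")
```

Only the first sample is permitted; DNS, ICMP and every TCP flow outside 172.17.224.32/29 ports 3200-3399 is silently dropped, which matches the symptoms in the original post (connections stall or time out rather than failing outright). The last sample is worth noting: a plain extended ACL is stateless, so the partner's replies to sessions that the trusted LAN itself initiates are also caught by the implicit deny unless an entry covers them.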