Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
646
Views
0
Helpful
1
Replies

2800 ACL Config to help reduce High CPU

leon harvey
Level 1
Level 1

‎01-23-2008 07:35 AM - edited ‎02-20-2020 09:40 PM

I'm trying to Optimze the ACLs on a 2800, as the ACLs (which there are many and Large) to help reduce CPU (60%).

Which is better for the CPU on the config of the ACL

permit tcp host A.B.C.D host A.B.C.D eq 1000 1501 2000 2500 4000 8001

or

permit tcp host A.B.C.D host A.B.C.D eq 1000

permit tcp host A.B.C.D host A.B.C.D eq 1500

etc

Is it the number of lines and/or number of ports

Labels:
0 Helpful
1 Reply 1

leon harvey
Level 1
Level 1

‎01-25-2008 05:56 AM

1 line with many ports or many lines with 1 port equates to the same.

Remember CLI can look tidy to us but behind the scenes the router still has to do the same lookup on a packet for that port.. so the ACL method does not really matter.

On PIX/ASA you can do turboACL which compiles the ACL in binary to speed lookups up (meant for huge ACLs though (thousands of lines).

Even object groups on PIX/ASA are just to make life easy on CLI, still a lookup on each port.

So in summary, nothing you can do.. If the ACL's keep growing and as CPU average gets higher maybe we need to look at getting proper firewalls (ASA) in to do the firewall function.

Router IOS firewall throughput is lower than a proper firewall.

0 Helpful
Customers Also Viewed These Support Documents