Cisco ASR 1002 - performance issue due to access list

ankit.joshi
Level 1

Hi,

We are planning to implement an inbound access list to block subnets from a particular country. Since the subnets are not contiguous, we have about 16000 lines of ACL entries.

I want to know, would there be any performance or latency issues after applying 16k lines of ACL?

Is there a good document where I can read more about ACL limitations and performance issues on the ASR?

This is for ASR1002, running IOS-XE 15.3(1)S1.

Thanks

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Sorry, I don't know the answer to your questions, but I'm writing to mention a 7200 feature that, if supported on the ASR, might help in your situation. See http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#turbo

papage
Level 1

Hi,

I don't know if a 16K ACL is supported on the ASR1002 platform, but since you mention that you want to filter whole subnets, I would suggest blackholing them by routing them to null on your ASR. 16K routes to null are not that much and are definitely supported without impact.

Sp
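
The null-route suggestion above, sketched as an added example that is not part of the original thread: it aggregates a non-contiguous prefix list before rendering `ip route ... Null0` statements, so the 16k entries shrink wherever subnets are adjacent or overlapping. The sample prefixes are constructed documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample list (RFC 5737 documentation ranges, not real country data).
SAMPLE_PREFIXES = """\
198.51.100.0/25
198.51.100.128/25
203.0.113.0/26
203.0.113.64/26
203.0.113.128/25
192.0.2.16/28
192.0.2.20/30    # already covered by the /28 above
192.0.2.33/27    # host bits set: rejected, not silently widened
not-a-prefix
"""

def parse_prefixes(text):
    """Return (networks, rejected_entries) from one-prefix-per-line text."""
    networks, rejected = [], []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry)  # strict: host bits must be zero
        except ValueError:
            rejected.append(entry)
            continue
        if net.version == 4:
            networks.append(net)
        else:
            rejected.append(entry)  # this sketch only emits IPv4 routes
    return networks, rejected

def aggregate(networks):
    """Merge adjacent/overlapping prefixes without covering any extra address."""
    return list(ipaddress.collapse_addresses(networks))

def null_routes(networks):
    """Render IOS static routes that send each prefix to Null0."""
    return [f"ip route {n.network_address} {n.netmask} Null0" for n in networks]

if __name__ == "__main__":
    nets, bad = parse_prefixes(SAMPLE_PREFIXES)
    merged = aggregate(nets)
    print(f"! {len(nets)} prefixes -> {len(merged)} routes, {len(bad)} rejected: {bad}")
    print("\n".join(null_routes(merged)))
```

A static route to Null0 is matched on destination address, so these routes drop traffic heading toward the listed prefixes; dropping packets sourced from them additionally depends on unicast RPF, which the thread does not discuss.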
