10-13-2014 05:20 PM - edited 03-04-2019 11:57 PM
Hi,
We are planning to implement an inbound access-list to block subnets from a particular country. Since the subnets are not contiguous, we have about 16000 lines of ACL entries.
I want to know whether there would be any performance or latency issues after applying 16k lines of ACL.
Is there a good document where I can read more about ACL limitations and performance issues on the ASR?
This is for ASR1002, running IOS-XE 15.3(1)S1.
Thanks
10-14-2014 05:18 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Sorry, I don't know the answer to your questions, but I'm writing to mention a 7200 feature, that if supported on the ASR, might help in your situation. See http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#turbo
02-07-2015 12:33 AM
Hi,
I don't know if a 16K ACL is supported on the ASR1002 platform, but since you mention that you want to filter whole subnets, I would suggest blackholing them by routing them to null on your ASR. 16K routes to null are not that much and are definitely supported without impact.
Sp
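As an added illustration of the last reply (example code, not part of the thread): the script below takes a non-contiguous prefix list, aggregates adjacent and nested prefixes into the minimal covering set, and emits both the Null0 static routes suggested above and the equivalent extended ACL lines, so the two approaches can be compared line for line. The prefixes and the ACL name BLOCK-COUNTRY are constructed placeholders.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample prefixes (documentation ranges, not a real country allocation);
# a real list would come from a GeoIP/RIR export and run to thousands of lines.
SAMPLE_PREFIXES = [
    "192.0.2.0/25", "192.0.2.128/25",        # adjacent: merge into one /24
    "198.51.100.0/24", "198.51.100.128/25",  # second lies inside the first: drop it
    "203.0.113.0/26", "203.0.113.64/26",     # adjacent: merge into a /25
    "203.0.113.192/26",                      # not adjacent to that /25: stays as is
]


def collapse_prefixes(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent and nested IPv4 prefixes into the minimal covering set.

    Fewer prefixes means fewer ACL entries or fewer null routes on the router.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return sorted(ipaddress.collapse_addresses(nets))


def null_routes(nets: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """IOS static routes that blackhole each prefix (the third reply's suggestion)."""
    return [f"ip route {n.network_address} {n.netmask} Null0" for n in nets]


def extended_acl(nets: Iterable[ipaddress.IPv4Network],
                 name: str = "BLOCK-COUNTRY") -> List[str]:
    """Equivalent named extended ACL denying the prefixes as sources (wildcard masks)."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" deny ip {n.network_address} {n.hostmask} any" for n in nets]
    lines.append(" permit ip any any")  # keep all other traffic flowing
    return lines


if __name__ == "__main__":
    nets = collapse_prefixes(SAMPLE_PREFIXES)
    print(f"{len(SAMPLE_PREFIXES)} input prefixes -> {len(nets)} after aggregation")
    print("\n".join(null_routes(nets)))
    print("\n".join(extended_acl(nets)))
```

Note that a Null0 route discards packets destined to the prefix (and therefore any replies to hosts there); discarding packets that arrive from those sources on the strength of a null route additionally requires unicast RPF on the ingress interface, which the thread does not cover.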