Denying External Hosts by Country in IOS

seattleit
Level 1

Hello,

I have a large access list of host networks that I wish to deny on a Cisco 1941 ISR. The list is about 9000 lines of subnets, but I'm sensing that an access-list this large would make the router grind to a halt.

This deployment uses the zone firewall - am I correct in thinking that this large deny list would substantially impact the router's performance?

I'm curious to hear what others are doing to deny large lists of subnets on the ISR platform. The alternative that comes to mind would be to place a transparent firewall (NetBSD or pfSense) in front of the 1941, since pf tables can do this type of filtering quite efficiently.

Any input is appreciated.

1 Reply

Jeff Van Houten
Level 5

Yes, a 9000-line ACL is going to have an impact.

Are you sure you can't supernet some of these and reduce the count?

Sent from Cisco Technical Support iPad App