Hello,
I have a large access list of host networks that I wish to deny on a Cisco 1941 ISR. The list is about 9000 lines of subnets, but I'm sensing that an access-list this large would make the router grind to a halt.
This deployment uses the zone firewall - am I correct in thinking that this large deny list would impact the router's performance substantially?
I'm curious to hear what others are doing to deny large lists of subnets on the ISR platform. The alternative that comes to mind would be to place a transparent firewall (NetBSD or pfSense) in front of the 1941, since pf tables can do this type of filtering quite efficiently.
Any input is appreciated.