Optimize Access List for Efficient CPU Usage

S Kumar · ‎01-20-2017

I have an access list at Cisco7206-NPEG2 router. I am wandering which is the most efficient method to create an access list which takes least amount of CPU resources. CPU utilization on the router goes 70-80% (sometimes even more) during the peak time.

object-group network objInternalHosts
     host 1.1.1.1
      host 1.1.1.2
      host 1.1.1.3
      host 1.1.1.4

object-group network objExternalHost1
host 1.2.2.3
host 1.3.3.4
      host 1.4.4.5

object-group network objExternalHost2
host 2.2.2.3
host 2.3.3.4
      host 2.4.4.5

Methog 1: By grouping then into object groups. I have one group of 5 IPs for internal hosts. and 30 groups of 3 to 4 IP's per group for external hosts.

access-list 110 permit udp object-group objInternalHosts object-group objExternalHost1 eq 5080
access-list 110 permit udp object-group objInternalHosts object-group objExternalHost2 eq 5080

Method2: Creating separate line for each combination of internal and external host.
access-list 110 permit udp host 1.1.1.1 host 1.2.2.3 eq 5080
access-list 110 permit udp host 1.1.1.1 host 1.3.3.4 eq 5080
access-list 110 permit udp host 1.1.1.1 host 1.4.4.5 eq 5080
access-list 110 permit udp host 1.1.1.2 host 1.2.2.3 eq 5080
access-list 110 permit udp host 1.1.1.2 host 1.3.3.4 eq 5080
access-list 110 permit udp host 1.1.1.2 host 1.4.4.5 eq 5080
access-list 110 permit udp host 1.1.1.3 host 1.2.2.3 eq 5080
access-list 110 permit udp host 1.1.1.3 host 1.3.3.4 eq 5080
access-list 110 permit udp host 1.1.1.3 host 1.4.4.5 eq 5080
access-list 110 permit udp host 1.1.1.4 host 1.2.2.3 eq 5080
access-list 110 permit udp host 1.1.1.4 host 1.3.3.4 eq 5080
access-list 110 permit udp host 1.1.1.4 host 1.4.4.5 eq 5080
access-list 110 permit udp host 1.1.1.1 host 2.2.2.3 eq 5080
access-list 110 permit udp host 1.1.1.1 host 2.3.3.4 eq 5080
access-list 110 permit udp host 1.1.1.1 host 2.4.4.5 eq 5080
access-list 110 permit udp host 1.1.1.2 host 2.2.2.3 eq 5080
access-list 110 permit udp host 1.1.1.2 host 2.3.3.4 eq 5080
access-list 110 permit udp host 1.1.1.2 host 2.4.4.5 eq 5080
access-list 110 permit udp host 1.1.1.3 host 2.2.2.3 eq 5080
access-list 110 permit udp host 1.1.1.3 host 2.3.3.4 eq 5080
access-list 110 permit udp host 1.1.1.3 host 2.4.4.5 eq 5080
access-list 110 permit udp host 1.1.1.4 host 2.2.2.3 eq 5080
access-list 110 permit udp host 1.1.1.4 host 2.3.3.4 eq 5080
access-list 110 permit udp host 1.1.1.4 host 2.4.4.5 eq 5080

Joseph W. Doherty · ‎01-20-2017

If you're not already using, see if the Turbo ACL feature (complied ACLs) is supported on your IOS, if so, you might try that.