Performance hit w/ long ACL in QOS class-map on WAN routers

Dan Verzaal
Level 4

Hi Everyone,

I've been searching high and low for specific information on my question but I can't seem to find just what I need...

Other than testing on real equipment, I'm wondering what the performance impact of a long ACL inside a class-map used for classification inside of a QOS policy would be...

For example: a class-map that is marking traffic with an ACL that has 5 entries, vs. a class-map that is marking traffic with 50 entries? 100 entries? 1000 entries?  I would assume there is some impact, depending on traffic throughput, load of other services, etc.  Has anyone experienced a similar design in a production environment where they had very long ACLs within class-maps nested in a QOS policy-map?

========================================

class-map match-any Scavenger
 match access-group name Scav_ACL_Short

! extended ACEs need "host" (or a wildcard mask) before the destination
ip access-list extended Scav_ACL_Short
 permit ip any host 192.168.1.1
 permit ip any host 192.168.1.2
 permit ip any host 192.168.1.3
 permit ip any host 192.168.1.4
 permit ip any host 192.168.1.5

==========================================

Compared to...

=========================================

class-map match-any Scavenger
 match access-group name Scav_ACL_Long

ip access-list extended Scav_ACL_Long
 permit ip any host 192.168.1.1
 permit ip any host 192.168.1.2
 permit ip any host 192.168.1.3
 permit ip any host 192.168.1.4
 permit ip any host 192.168.1.5
 <output omitted> (entries all the way from 1 through 102)
 permit ip any host 192.168.1.99
 permit ip any host 192.168.1.100
 permit ip any host 192.168.1.101
 permit ip any host 192.168.1.102


CCIE RS 34827

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

I've dealt with very long ACLs, and on a software based router, they of course do have some performance impact, but the variables are so many, it's practically impossible to predict performance.

For example, given your "Scav_ACL_Long", does your platform support compiled ACLs?  If so, is it enabled?

If you actually had a real instance of your "Scav_ACL_Long", and you created mask groups that covered ranges, would that impact performance? Does the IOS do this automatically, like L3 switches might when they program their hardware?

If each ACE was actually compared sequentially, but 99% of your traffic matched 192.168.1.99, how's performance impacted if you make it the 1st ACE?

PS:

BTW, I don't expect you to know the answers to the above questions.  I'm just using them to highlight some variables that might drastically change performance, yet logically there are no changes.
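As an added illustration of the sequential-comparison point in the reply above (this is not code from the thread, from Cisco, or from either poster): a small Python model that parses ACEs of the shape used in Scav_ACL_Long, evaluates them first-match, and counts how many ACEs each packet touches for a constructed traffic mix where 99% of packets go to 192.168.1.99. Whether a real IOS box actually walks ACEs one by one (compiled ACLs, mask groups) is exactly the unknown the reply names; the model only shows why ACE order and ACL length matter under the plain sequential assumption.

```python
import ipaddress

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_ace(line):
    """Parse an IOS extended ACE 'permit|deny ip <src> <dst>' where each of
    <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Returns (action, (src_net, src_mask), (dst_net, dst_mask)) as ints."""
    tokens = line.split()
    action, rest, rules = tokens[0], tokens[2:], []
    while len(rules) < 2:
        if rest[0] == "any":
            rules.append((0, 0)); rest = rest[1:]
        elif rest[0] == "host":
            rules.append((ip_int(rest[1]), 0xFFFFFFFF)); rest = rest[2:]
        else:  # IOS wildcard mask: 0 bits must match, so invert it into a netmask
            mask = ~ip_int(rest[1]) & 0xFFFFFFFF
            rules.append((ip_int(rest[0]) & mask, mask)); rest = rest[2:]
    return action, rules[0], rules[1]

def classify(acl, src, dst):
    """First-match walk of the ACE list (the non-compiled, sequential case).
    Returns (action, ACEs compared); the implicit deny costs a full walk."""
    for n, (action, (snet, smask), (dnet, dmask)) in enumerate(acl, 1):
        if ip_int(src) & smask == snet and ip_int(dst) & dmask == dnet:
            return action, n
    return "deny", len(acl)

def average_cost(acl, flows):
    """Mean ACEs compared per packet for a mix of (src, dst, packet_count)."""
    total = sum(pkts for _, _, pkts in flows)
    return sum(classify(acl, s, d)[1] * pkts for s, d, pkts in flows) / total

def scav_acl(hosts):
    # Same shape as the thread's Scav_ACL_Long: one "host" ACE per server.
    return [parse_ace(f"permit ip any host 192.168.1.{n}") for n in hosts]

SHORT = scav_acl(range(1, 6))
LONG = scav_acl(range(1, 103))
LONG_99_FIRST = scav_acl([99] + [n for n in range(1, 103) if n != 99])
# Constructed (hypothetical) traffic mix: 99% of packets go to 192.168.1.99.
FLOWS = [("10.0.0.5", "192.168.1.99", 99), ("10.0.0.6", "192.168.1.1", 1)]

if __name__ == "__main__":
    for name, acl in [("short", SHORT), ("long", LONG), ("long, .99 first", LONG_99_FIRST)]:
        print(f"{name:16s} {len(acl):4d} ACEs  avg ACEs compared/packet: {average_cost(acl, FLOWS):.2f}")
```

Under this model the 102-entry ACL averages about 98 comparisons per packet, the 5-entry one about 5, and the 102-entry ACL with 192.168.1.99 moved to the top about 1; length alone is not what drives the cost.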

Thanks for the reply Joseph.

We are dealing with ISR routers: 1800s, 1900s, 2800s, 2900s, 3800s, 3900s.  Also using some ASRs and 7200s, but I'm sure they have plenty of CPU to cover anything we're looking at doing here... Our ASRs are hardly using 1% CPU.

I'm not sure about the compiled ACLs, would that be a feature I could find maybe in Cisco Feature Navigator or the product data sheet?

Right now our scavenger classification ACL is very short, less than 10 lines.  But we are looking to add a number of various servers all over the world so we have a complete ACL, which may be around 50-100 entries.  Optimizing the order of the ACEs won't really be an option for this scenario.

It seems like the easiest thing is going to be to lab this up and/or test the longer class-map (longer ACL) on a production circuit that has a decent load on it. We can do this during an outage window just in case it were to cause any issue; we could then remove it and roll back to the shorter ACL.

Thanks,
Dan

CCIE RS 34827

Joseph W. Doherty

Posting

I'm not sure about the compiled ACLs, would that be a feature I could find maybe in Cisco Feature Navigator or the product data sheet?

See http://www.cisco.com/en/US/docs/ios/12_1t/12_1t5/feature/guide/dttacl.html

I've used it on 7200s.  Some of the earlier 12.4 IOS releases allowed it on ISRs until the "bug" was fixed.  Unknown if supported on any later ISR or ASRs.
