> Folks have been mentioning performance loss due to access-lists.
> I've never actually been able to observe the performance loss,
> even though we have a couple of fairly large access-lists
> (ours are on ciscos). I am not saying it isn't there, just that
> either it's so small it doesn't make a difference for us, or else
> something else is the bottleneck on that segment anyway. :-)
> Has anyone here actually had noticeable or problematic
> performance degradation due to the processing of access-lists?
> If so, what platform and how big was the list? Thanks.
> Catherine Foulston cathyf @
> edu Rice University Network Management

There may be a small or large performance hit from access lists;
there is no real rule of thumb. Some of the ambiguity of the
performance impact depends on the release level, and what the
previous configurations looked like.

One of the issues is that access lists are checked in the main
processor. Cisco has four potential packet forwarding modes: process[or],
fast, autonomous, and silicon. Typically, adding an access list
forces the higher speed switching modes into slower ones. The
exact change varies with OS release, the type of traffic being

If you are already doing process switching for other reasons
(and there can be perfectly good ones), adding an access list
may not show an obvious change in performance. Other factors, of
course, will include the length of the access list.

Assume that you are doing process switching. You might be doing
other things in that same processor that compete for machine
cycles (e.g., serial line tunneling, compression, etc.).

Not a simple problem.