> Has anyone here actually had noticeable or problematic
> performance degradation due to the processing of access-lists?
> If so, what platform and how big was the list? Thanks.

Though I have not done actual measurements, I would speculate that in
some router implementations, incoming access lists on a fast network
interface might create a performance problem, but outgoing access
lists probably won't in situations where the Internet connection is
only 56kb and T1 like most of us have today.

It seems to me that the use of an incoming access list on an
interface over an outgoing access list might, depending on the
design of the router, reduce the buffering capability and the ability
of the router to be doing simultaneous packet switching and

With outgoing access lists, packets can be held in both input and
output buffers and be passing through intermediate stages of
processing while the access check is done.

With incoming access lists, the packet has to be held on the input
side of the router and you can't do anything else with it until you
complete your access check.

This might affect you if you have a very fast interface on the
internal network and a very slow one on the external network, then the
router might be more prone to dropping incoming packets when it gets

I would think it possible to design a router that can deal with this
situation, but there would be a cost involved in doing so.

I would definitely agree with Paul Traina that it is a better idea to
use outgoing access lists whenever possible. Maybe he could tell us
whether or not there is an actual performance penalty for using

You can also design your access list such that the most frequently
occurring permit cases appear earliest in the access list when
possible. Of course, less optimal ordering may be necessary in some
cases for correctness. The denys for the spoofing attacks most
definitely do need to be at the beginning of the access list. (In
general, any denys need to precede other permits which could
potentially let through undesirable packets.)
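The ordering advice in the last paragraph (frequent permits early, anti-spoofing denies first) is easy to see with a small first-match access-list evaluator. The following is an added example, not code from the post or from any router vendor; it models only source and destination prefixes (no protocols or ports), uses constructed addresses from the RFC 5737 documentation ranges, and assumes a made-up traffic mix in which DNS queries are the common case and partner traffic is rare. It reports, for three orderings of the same three entries, the average number of entries examined per packet and whether a packet arriving from outside with an internal source address is still denied.

```python
# Added example (not from the mailing-list post): a first-match access-list
# evaluator used to show why entry ordering matters both for cost (entries
# examined per packet) and for correctness (anti-spoof denies first).
# Addresses are constructed from the RFC 5737 documentation ranges; the
# traffic mix and the "frequent"/"rare" flows are assumptions for the demo.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One access-list line: action plus source and destination prefixes.
    Protocols and ports are omitted to keep the first-match logic visible."""
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def evaluate(acl: List[AclEntry], src: str, dst: str) -> Tuple[str, int]:
    """First matching entry wins; returns (action, number of entries examined).
    An unmatched packet hits the implicit deny after the last entry."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for examined, entry in enumerate(acl, start=1):
        if s in entry.src and d in entry.dst:
            return entry.action, examined
    return "deny", len(acl)


def average_entries_examined(acl: List[AclEntry], traffic) -> float:
    """Weighted mean of entries examined over a (src, dst, packet_count) mix."""
    total = sum(count for _, _, count in traffic)
    work = sum(evaluate(acl, src, dst)[1] * count for src, dst, count in traffic)
    return work / total


def blocks_spoofed_internal_source(acl: List[AclEntry]) -> bool:
    """Correctness check: a packet arriving from outside with an internal
    source address must be denied regardless of what else the list permits."""
    return evaluate(acl, "192.0.2.7", "192.0.2.53")[0] == "deny"


# Constructed topology: internal site, its DNS server, one partner network.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
DNS_SERVER = ipaddress.ip_network("192.0.2.53/32")
PARTNER = ipaddress.ip_network("198.51.100.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

DENY_SPOOF = AclEntry("deny", INTERNAL, ANY)            # external packet claiming an internal source
PERMIT_DNS = AclEntry("permit", ANY, DNS_SERVER)        # frequent: everyone queries the DNS server
PERMIT_PARTNER = AclEntry("permit", PARTNER, INTERNAL)  # rare: partner-only traffic

# Three orderings of the same three entries.
ACL_CORRECT_SLOW = [DENY_SPOOF, PERMIT_PARTNER, PERMIT_DNS]
ACL_CORRECT_FAST = [DENY_SPOOF, PERMIT_DNS, PERMIT_PARTNER]
ACL_FAST_BUT_WRONG = [PERMIT_DNS, DENY_SPOOF, PERMIT_PARTNER]  # permit ahead of the anti-spoof deny

# Constructed traffic mix: 90% DNS queries from arbitrary hosts, 10% partner flows.
TRAFFIC = [
    ("203.0.113.10", "192.0.2.53", 90),
    ("198.51.100.5", "192.0.2.20", 10),
]


def compare_orderings():
    """Return {name: (avg entries examined, blocks spoofed source)} for each ordering."""
    return {
        name: (average_entries_examined(acl, TRAFFIC), blocks_spoofed_internal_source(acl))
        for name, acl in [
            ("correct_slow", ACL_CORRECT_SLOW),
            ("correct_fast", ACL_CORRECT_FAST),
            ("fast_but_wrong", ACL_FAST_BUT_WRONG),
        ]
    }


if __name__ == "__main__":
    for name, (cost, safe) in compare_orderings().items():
        print(f"{name:15s} avg entries examined={cost:.2f}  blocks spoof={safe}")
```

Moving the frequent DNS permit ahead of the rare partner permit cuts the average work from 2.9 to 2.1 entries per packet without changing any decision; moving it ahead of the anti-spoof deny cuts it further to 1.2 but lets a packet with a forged internal source reach the DNS server, which is exactly the ordering the post warns against.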