I suggest that you try access lists of thousands of
lines where you need to traverse most of the list to get packets
through. 20 seems like it is much too small, and if you keep matching
the lines at the top, it isn't a fair test of the opinion.
Jeff
> Hello,
>
> I want to verify an opinion that the number of
> clauses in an access-list can dramatically affect
> the performance of a filtering (screening) router.
> Especially it was said about Cisco routers
> by someone who pretends to be an authority.
>
> But before I have sent this question, I tried to verify
> it. And it seems, that this is not true...
>
> 1. I transferred a large file between two 10Mb/s Ethernet subnets
> connected by a Cisco router, using ftp.
> I tested cases where at the "input" interface there was
> no inbound access-list, and access-lists with 4, 10 and 20
> clauses that had to be processed before the proper clause
> appeared and the packet could be passed.
>
> Result ???
> In all cases the transfer rate was about 770 kB/s
> - just about the saturation of a 10Mb/s Ethernet link !
>
> 2. An access-list can be finely optimized, so clauses that
> are often applied may appear near the beginning
> of the list, for example:
> "access-list XXX permit tcp ..... established",
> with no security holes.
>
>
> That's why I think that such an opinion is not true.
> But, maybe, there are some other experiences ???
>
> Thanks
>
> Piotr
>
> +-------------------------------------------------+
> | Piotr Kolodziej                                 |
> | e-mail: pkol@otago.gda.pl                       |
> +-------------------------------------------------+
> | ZUI Otago sp. z o.o.        | tel/fax:          |
> | ul. Marynarki Polskiej 148  | (+48 58) 43 06 22 |
> | 80-865 GDANSK, POLAND       | (+48 58) 43 05 19 |
> +-------------------------------------------------+
>
>
--
Jeff Sedayao
Intel Corporation
sedayao@orpheus.sc.intel.com
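An added illustration of the first-match cost the two messages argue about, written for this page and not taken from either author or from any router software: a toy Python model of a Cisco-style extended access-list that counts how many clauses a packet is checked against, with the "established" clause placed last versus first. The parser, the packet dictionaries and the 2000 constructed filler entries are assumptions of the example.

```python
# Toy first-match model of a Cisco-style extended ACL (added example, not router code).
def _addr(p, i):
    if p[i] == "any":
        return None, i + 1          # None acts as a wildcard
    if p[i] == "host":
        return p[i + 1], i + 2
    raise ValueError("unsupported address form: " + p[i])
def parse_acl(text):
    """Parse lines like 'access-list 101 permit tcp any host 10.0.0.5 established'."""
    acl = []
    for line in text.strip().splitlines():
        p = line.split()
        if len(p) < 6 or p[0] != "access-list":
            continue                # skip blank or unrelated lines
        src, i = _addr(p, 4)
        dst, i = _addr(p, i)
        acl.append({"action": p[2], "proto": p[3], "src": src, "dst": dst,
                    "established": "established" in p[i:]})
    return acl

def _match(e, pkt):
    if e["proto"] not in ("ip", pkt["proto"]):
        return False
    if e["src"] not in (None, pkt["src"]) or e["dst"] not in (None, pkt["dst"]):
        return False
    # 'established' matches only TCP segments with ACK or RST set (replies to
    # sessions opened from inside); a fresh inbound SYN never matches it.
    return not e["established"] or bool(pkt.get("ack") or pkt.get("rst"))
def evaluate(acl, pkt):
    """Return (action, clauses_checked); implicit deny after the last clause."""
    for n, e in enumerate(acl, 1):
        if _match(e, pkt):
            return e["action"], n
    return "deny", len(acl)

def filler(n):
    # n constructed host-specific UDP entries that a TCP reply never matches
    return "\n".join("access-list 101 permit udp host 192.0.2.%d host 198.51.100.7"
                     % (i % 254 + 1) for i in range(n))
ESTABLISHED = "access-list 101 permit tcp any any established"
REPLY = {"proto": "tcp", "src": "203.0.113.9", "dst": "10.0.0.5", "ack": True}
SYN = {"proto": "tcp", "src": "203.0.113.9", "dst": "10.0.0.5"}
ACL_LAST = parse_acl(filler(2000) + "\n" + ESTABLISHED)   # clause at the end
ACL_FIRST = parse_acl(ESTABLISHED + "\n" + filler(2000))  # clause at the top
if __name__ == "__main__":
    print(evaluate(ACL_LAST, REPLY))   # ('permit', 2001)
    print(evaluate(ACL_FIRST, REPLY))  # ('permit', 1)
    print(evaluate(ACL_FIRST, SYN))    # ('deny', 2001)
```

The third call shows why the reordering costs nothing security-wise: a new inbound SYN still walks the whole list and hits the implicit deny, because "established" only matches ACK/RST segments.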