> I suggest that you try access lists of thousands of
> lines where you need to traverse most of the list to get packets
> through. 20 seems like it is much too small, and if you keep matching
> the lines at the top, it isn't a fair test of the opinion.
> ...
> Jeff Sedayao
> Intel Corporation
> sedayao@orpheus.sc.intel.com
Sure. I do not suppose that there is no number of lines in an access list
sufficient to slow down the router.
But I suppose that in most cases there is a possibility to place
the most heavily used clauses at the beginning of the list
without making a security hole.
Of course, someone may not trust some features, such as the
"established" keyword in TCP clauses.
(I'm not quite sure, but a few years ago there was a problem with that.
Are there any problems now?)
But if someone trusts it, then the greatest amount of traffic
is matched by that clause. So even if there is a need to apply a list
of thousands of lines, it should not dramatically slow down.
Finally, there is a question:
Is there a real need to apply the kind of list where, for every
packet, thousands of lines must be traversed and it can't be optimized?
Maybe there is, but I simply do not know of it.
Piotr
+-------------------------------------------------+
| Piotr Kolodziej                                 |
| e-mail: pkol@otago.gda.pl                       |
+-------------------------------------------------+
| ZUI Otago sp. z o.o.        | tel/fax:          |
| ul. Marynarki Polskiej 148  | (+48 58) 43 06 22 |
| 80-865 GDANSK, POLAND       | (+48 58) 43 05 19 |
+-------------------------------------------------+
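The ordering argument in the reply above (move the most frequently matched clause, such as the "established" line, towards the top, but only where that cannot open a hole), as an added example that is not part of the original thread or of any vendor's code: a small Python model of first-match ACL evaluation, a count of lines traversed per packet, and a conservative check for whether a line can be moved up without changing any verdict. The rule set, the traffic mix, the probe packets and the helper names (`safe_to_move_up`, `verdict_changes`, ...) are all constructed for illustration; the "established" semantics are modelled as IOS documents them (TCP segments with ACK or RST set), not taken from any router's implementation.

```python
# Added example (not from the original thread): first-match ACL evaluation with a
# conservative check for moving a line up without changing any permit/deny verdict.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any), "tcp" or "udp"
    src: str                     # source prefix, CIDR
    dst: str                     # destination prefix, CIDR
    dport: Optional[int] = None  # destination port, None = any
    established: bool = False    # IOS-style: only TCP segments with ACK or RST set

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    ack: bool = False
    rst: bool = False

def matches(rule: Rule, pkt: Packet) -> bool:
    """Does a single ACL line match this packet?"""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and not (pkt.proto == "tcp" and (pkt.ack or pkt.rst)):
        return False
    return True

def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First match wins. Returns (action, lines traversed); implicit deny at the end."""
    for lineno, rule in enumerate(acl, start=1):
        if matches(rule, pkt):
            return rule.action, lineno
    return "deny", len(acl)

def overlap(a: Rule, b: Rule) -> bool:
    """Conservative: True unless no packet can match both lines."""
    if a.proto != "ip" and b.proto != "ip" and a.proto != b.proto:
        return False
    if not ip_network(a.src).overlaps(ip_network(b.src)):
        return False
    if not ip_network(a.dst).overlaps(ip_network(b.dst)):
        return False
    if a.dport is not None and b.dport is not None and a.dport != b.dport:
        return False
    return True  # 'established' only narrows a TCP line; it never removes an overlap

def safe_to_move_up(acl: List[Rule], idx: int, new_idx: int) -> bool:
    """Can acl[idx] move to position new_idx (< idx) with no verdict change?
    It then precedes acl[new_idx:idx]; safe only if none of those lines both
    overlaps it and carries the opposite action."""
    mover = acl[idx]
    return all(r.action == mover.action or not overlap(mover, r) for r in acl[new_idx:idx])

def move_up(acl: List[Rule], idx: int, new_idx: int) -> List[Rule]:
    new = list(acl)
    new.insert(new_idx, new.pop(idx))
    return new

def avg_lines(acl: List[Rule], packets: List[Packet]) -> float:
    """Average number of ACL lines traversed per packet."""
    return sum(evaluate(acl, p)[1] for p in packets) / len(packets)

def verdict_changes(old: List[Rule], new: List[Rule], packets: List[Packet]) -> List[Packet]:
    """Packets whose permit/deny verdict differs between the two lists."""
    return [p for p in packets if evaluate(old, p)[0] != evaluate(new, p)[0]]

# Constructed sample list (not from the thread): a small inbound border filter.
ACL = [
    Rule("deny",   "ip",  "10.0.0.0/8", "0.0.0.0/0"),                      # anti-spoofing
    Rule("deny",   "tcp", "0.0.0.0/0",  "192.0.2.0/24", 23),               # no telnet in
    Rule("permit", "tcp", "0.0.0.0/0",  "192.0.2.10/32", 25),              # SMTP to mail host
    Rule("permit", "tcp", "0.0.0.0/0",  "192.0.2.0/24", 80),               # HTTP
    Rule("permit", "udp", "0.0.0.0/0",  "192.0.2.5/32", 53),               # DNS
    Rule("permit", "tcp", "0.0.0.0/0",  "192.0.2.0/24", established=True), # return traffic
]
ESTABLISHED = 5  # index of the line that matches most of the traffic

# Constructed traffic mix: mostly return traffic, a little new-connection traffic.
TRAFFIC = ([Packet("tcp", "198.51.100.7", "192.0.2.20", 44000, ack=True)] * 8
           + [Packet("tcp", "198.51.100.7", "192.0.2.10", 25),
              Packet("udp", "198.51.100.9", "192.0.2.5", 53)])
# Constructed probes that must stay denied whatever the order.
PROBES = [Packet("tcp", "10.1.1.1", "192.0.2.20", 44000, ack=True),   # spoofed source, ACK set
          Packet("tcp", "198.51.100.7", "192.0.2.20", 23, ack=True)]  # ACK-only probe of telnet

if __name__ == "__main__":
    print("lines per packet, original order:", avg_lines(ACL, TRAFFIC))
    for target in (0, 1, 2):
        ok = safe_to_move_up(ACL, ESTABLISHED, target)
        print("move 'established' to position", target, "safe" if ok else "UNSAFE")
    fast = move_up(ACL, ESTABLISHED, 2)
    print("lines per packet after the safe move:", avg_lines(fast, TRAFFIC))
    print("verdicts changed by hoisting to the top:",
          len(verdict_changes(ACL, move_up(ACL, ESTABLISHED, 0), PROBES)))
```

On this constructed list the "established" line cannot go to the very top (it would pass the anti-spoofing deny and let a spoofed ACK-flagged segment through) nor above the telnet deny (an ACK-only probe of port 23 would be permitted), but it can move to just below those two denies, which cuts the average traversal from 5.6 to 3.4 lines for this traffic mix with no verdict changing. The overlap test is deliberately conservative (it does not reason about the `established` flag), so it may refuse a move that is in fact safe, but it never approves one that is not.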