> I want to verify an opinion that number of
> clauses in access - list can dramatically affect
> performance of filtering (screening) router.
> Especially it was told about Cisco routers
> by someone who pretends to be an authority.
>
> But before I have sent this question, I tried to verify
> it. And it seems, that this is not true...
>
> [specific test deleted]
>
> 2. Access-list can be finely optimized, so clauses that
> are often applied may appear nearly at the beginning
> of the list, for example:
> "access-list XXX permit tcp ..... established",
> with no security holes.
You are right to question the pretend authority.
Your test shows similar results to others I have read about.
Since much of the performance improvement has occurred with recent
versions of the Cisco IOS, the pretend authority may just have old info.
It also matters how the access-list is applied.
With many router architectures, even with the newer IOS,
applying the access-list on inbound traffic instead of outbound traffic
drops the switching mode from fast to process.
This change disables the optimization of the forwarding process.
When process-switching the access-list, the length of the list also matters,
although the optimization you described is possible.
However, the position of a control rule in the list also determines its
precedence of application (there can be conflicts even when it is done right).
If raw speed is really needed, and the access-list is long, there is brute force.
Cisco has a Silicon Switch Processor for the Cisco 7000 that can autonomously switch
(their fastest mode) outbound access-lists at wire speed.
We have this operating between FDDI (100 Mbps) links.
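As an added illustration (not part of this thread) of the two points above, here is a first-match access-list walk in Python: moving the `established` clause to the top cuts the number of clauses examined for reply traffic, but it also changes the verdict where a more specific deny placed before it was meant to take precedence. The clauses, addresses and packets are constructed for the example and are not from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Clause:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", or "ip" (any protocol)
    src: str                     # source prefix, e.g. "10.0.0.0/8"; "0.0.0.0/0" = any
    dport: Optional[int] = None  # destination port; None = any
    established: bool = False    # match only TCP segments with ACK (reply traffic)

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: int
    ack: bool = False

def matches(c: Clause, p: Packet) -> bool:
    if c.proto != "ip" and c.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in ipaddress.ip_network(c.src):
        return False
    if c.dport is not None and c.dport != p.dport:
        return False
    if c.established and not (p.proto == "tcp" and p.ack):
        return False
    return True

def evaluate(acl, p: Packet):
    """First-match walk: returns (verdict, clauses examined); implicit deny at the end."""
    for i, c in enumerate(acl, start=1):
        if matches(c, p):
            return c.action, i
    return "deny", len(acl)

# Constructed access-list: two service permits, a deny for one bad host, then "established".
DENY_HOST = Clause("deny", "ip", "192.0.2.7/32")
ESTABLISHED = Clause("permit", "tcp", "0.0.0.0/0", established=True)
ORIGINAL = [Clause("permit", "tcp", "0.0.0.0/0", 25),
            Clause("permit", "tcp", "0.0.0.0/0", 80),
            DENY_HOST, ESTABLISHED]
# "Optimized" list: the frequently hit established clause moved to the front.
REORDERED = [ESTABLISHED] + [c for c in ORIGINAL if c is not ESTABLISHED]

# Constructed packets: a normal reply segment, and a reply segment from the denied host.
REPLY = Packet("tcp", "198.51.100.9", 40000, ack=True)
BAD_REPLY = Packet("tcp", "192.0.2.7", 40000, ack=True)
```

Against ORIGINAL the denied host's reply stops at clause 3, while REORDERED lets it through at clause 1: the reorder is only safe if no earlier clause was meant to override the established permit.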