The article below appeared quite a while ago on this list. I
recently spoke to cisco's customer support about the effects of
access lists on routing speed. Cisco's support person, after
consultation with others in his group, stated that extended access
lists require the help of the CSC processor, but standard access
list filtering is done in the intelligent routing boards (e.g. a
MEC). He said the degradation should be minimal with a standard
access list. Has anyone done any tests to corroborate this?
I'd like to use an extended access list on my net with the
firewall machine, where performance isn't as much of an issue,
and use simple, standard access lists on all of my other internal
interfaces. This leads to my next question: would mixing
standard and extended access lists on a router degrade routing to
the interfaces with the standard interfaces?
Any experience would be greatly appreciated. Thanks.
Michael Platoff                  email: map@scr.siemens.com
Siemens Corporate Research       phone: (609) 734-3354
755 College Road East            fax:   (609) 734-6565
Princeton, NJ 08540-6668
smb@research.att.com writes:
> The following measurements of the speed of packet-filtering on
> Cisco routers appeared on another mailing list. It's reposted
> here with permission.
>
> --Steve Bellovin
>
> ------- Forwarded Message
>
> Date: Thu, 27 Jan 94 13:00:47 EST
> From: mark@escact.ksc.nasa.gov (Mark Gibbons)
> Message-Id: <9401271800.AA14211@escact.ksc.nasa.gov.nasa.gov>
> To: cisco@spot.colorado.edu
> Subject: Re: Benchmarking of filters.
>
>
> Well, I couldn't get everything I wanted but here is a rough list that
> indicates the effect of access lists on throughput. We did look at CPU
> but did not record it, however I don't recall any concern about the %
> utilization.
>
> Test config:
> Cisco AGS+ CSC/4 running 9.1(2). The AGS had 1 serial & 4 ethernet ports
> configured to route IP, DEC, Novell & AppleTalk, but we only used single
> stream IP data. We used a PowerBits ethernet tester to deliver IP packets
> to the router & determine throughput rate. The access list was set up so
> that the last line of the list was the one which would permit the packet
> (this being the worst case).
>
> In packets per second (CSC/4):
>
>   Pkt                          List size
>   size   Loopback      0     40     80    120    160    200
>     64      14787  13307   9300   7695   6769   5561   4661
>    128       8418   8224   6537   5583   5157   4486   3851
>    256       4521   4521   4047   3679   3475   3121   2830
>    512       2348   2336   2293   2172   2097   1968   1849
>    768       1585   1577   1585   1541   1504   1435   1372
>   1024       1196   1192   1191   1196   1173   1130   1090
>   1280        960    958    958    960    960    932    904
>   1518        811    811    811    811    811    811    800
>
> List size has little to no effect on large packet streams, however studies
> show 66% of our traffic is < 128 byte packets (Scott Bradner's numbers tend
> to show that is not abnormal). I ran this test using CSC/3 CPU with no list
> & with an 80 entry list & got these numbers:
>
>   Pkt      List size
>   size       0     80
>     64    9274   3479
>    128    6569   3017
>    256    4241   2410
>    512    2348   1719
>    768    1585   1333
>   1024    1196   1089
>   1280     960    920
>   1518     811    805
>
> You can see the CSC/4 is clearly superior in this test.
>
> If I get requests for more info I will look for other test files & post,
> as time permits. If you need info on the PowerBits, or Bradner's work
> at Harvard just ask.
>
> Sorry this is not more complete,
> me
> ------- End of Forwarded Message
>
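The tables above give raw packets-per-second figures but do not say what a reader most wants to know: how much time each access-list entry costs per packet, and when the Ethernet link rather than the CSC processor is the bottleneck (which is why the list size "has little to no effect on large packet streams"). The script below is an added analysis, not code from the original post or from Cisco. The pps numbers are copied verbatim from the two posted tables; the 10 Mbit/s link rate and the 20-byte per-frame Ethernet overhead used for the line-rate ceiling are assumptions, since the post does not say how the PowerBits tester framed the packets.

```python
"""Derived figures from the Cisco AGS+ access-list benchmark quoted above.

Added analysis script; the pps values are copied from the posted tables.
LINK_BPS and FRAME_OVERHEAD_BYTES are assumptions, not stated in the post.
"""

LIST_SIZES = [0, 40, 80, 120, 160, 200]

# CSC/4 results: pkt_size -> (loopback_pps, [pps for each entry in LIST_SIZES])
CSC4 = {
    64:   (14787, [13307, 9300, 7695, 6769, 5561, 4661]),
    128:  (8418,  [8224, 6537, 5583, 5157, 4486, 3851]),
    256:  (4521,  [4521, 4047, 3679, 3475, 3121, 2830]),
    512:  (2348,  [2336, 2293, 2172, 2097, 1968, 1849]),
    768:  (1585,  [1577, 1585, 1541, 1504, 1435, 1372]),
    1024: (1196,  [1192, 1191, 1196, 1173, 1130, 1090]),
    1280: (960,   [958, 958, 960, 960, 932, 904]),
    1518: (811,   [811, 811, 811, 811, 811, 800]),
}

# CSC/3 results: pkt_size -> (pps with no list, pps with an 80-entry list)
CSC3 = {
    64: (9274, 3479), 128: (6569, 3017), 256: (4241, 2410), 512: (2348, 1719),
    768: (1585, 1333), 1024: (1196, 1089), 1280: (960, 920), 1518: (811, 805),
}

LINK_BPS = 10_000_000      # assumption: 10 Mbit/s Ethernet on the AGS+
FRAME_OVERHEAD_BYTES = 20  # assumption: 8 bytes preamble+SFD, 12 bytes inter-frame gap


def mbps(pkt_size, pps):
    """Payload throughput in Mbit/s for a given packet size and packet rate."""
    return pkt_size * 8 * pps / 1e6


def line_rate_pps(pkt_size):
    """Packets per second the assumed 10 Mbit/s link can carry at this frame size."""
    return LINK_BPS / ((pkt_size + FRAME_OVERHEAD_BYTES) * 8)


def per_packet_us(pps):
    """Average service time per packet, in microseconds."""
    return 1e6 / pps


def per_entry_us(pps_no_list, pps_with_list, list_size):
    """Extra per-packet time attributable to each access-list entry.

    Only meaningful when both measurements are CPU-bound: if the link is
    the bottleneck the list cost is hidden and this figure understates it.
    list_size must be non-zero.
    """
    return (per_packet_us(pps_with_list) - per_packet_us(pps_no_list)) / list_size


def csc4_entry_cost(pkt_size, list_size):
    """Per-entry cost on the CSC/4, relative to the 0-entry list column."""
    rates = CSC4[pkt_size][1]
    return per_entry_us(rates[0], rates[LIST_SIZES.index(list_size)], list_size)


def csc3_entry_cost(pkt_size):
    """Per-entry cost on the CSC/3 from the 80-entry measurement."""
    no_list, with_80 = CSC3[pkt_size]
    return per_entry_us(no_list, with_80, 80)


def bottleneck(pkt_size, pps, tolerance=0.03):
    """'link' if the measured rate is within tolerance of line rate, else 'cpu'."""
    return "link" if pps >= line_rate_pps(pkt_size) * (1 - tolerance) else "cpu"


if __name__ == "__main__":
    print(" pkt list    pps  Mbit/s   us/pkt  bound")
    for size, (_, rates) in CSC4.items():
        for n, pps in zip(LIST_SIZES, rates):
            print(f"{size:4d} {n:4d} {pps:6d} {mbps(size, pps):7.2f} "
                  f"{per_packet_us(pps):8.1f}  {bottleneck(size, pps)}")
    print(f"CSC/4 cost per entry, 64-byte packets, 200 entries: "
          f"{csc4_entry_cost(64, 200):.2f} us")
    print(f"CSC/3 cost per entry, 64-byte packets, 80 entries:  "
          f"{csc3_entry_cost(64):.2f} us")
```

Run as-is, the table shows that every 1518-byte cell and the loopback 64-byte cell sit at the assumed line rate, while the small-packet cells with a list are CPU-bound, and that the CSC/4 spends roughly 0.6 to 0.8 microseconds per entry per packet regardless of packet size (about three times less than the CSC/3 on the same 64-byte test). That per-packet, per-entry cost is the quantity to multiply by your own small-packet rate when deciding where a long extended list is affordable.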