Hello,
I want to verify an opinion that the number of
clauses in an access-list can dramatically affect
the performance of a filtering (screening) router.
Especially it was told about Cisco routers
by someone who pretends to be an authority.
But before I sent this question, I tried to verify
it. And it seems that this is not true...
1. I transferred a large file between two 10Mb/s Ethernet subnets
connected by a Cisco router, via ftp.
I tested cases where at the "input" interface there was
no inbound access-list, and access-lists with 4, 10 and 20
clauses that had to be processed before the proper clause
appeared and the packet could be passed.
Result???
In all cases the transfer rate was about 770 kB/s
- just about the saturation of a 10Mb/s Ethernet link!
2. An access-list can be finely optimized, so clauses that
are often applied may appear near the beginning
of the list, for example:
"access-list XXX permit tcp ..... established",
with no security holes.
That's why I think that such an opinion is not true.
But maybe there are some other experiences???
Thanks
Piotr
+-------------------------------------------------+
| Piotr Kolodziej                                 |
| e-mail: pkol@otago.gda.pl                       |
+-------------------------------------------------+
| ZUI Otago sp. z o.o.       | tel/fax:           |
| ul. Marynarki Polskiej 148 | (+48 58) 43 06 22  |
| 80-865 GDANSK, POLAND      | (+48 58) 43 05 19  |
+-------------------------------------------------+
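The first-match evaluation and the ordering trick described in the post (a "permit tcp ... established" clause placed near the front so return traffic of existing sessions matches on the first clause), as an added example that is not part of the original message or Cisco's code. The 20-clause list and the traffic are constructed; the only thing measured is how many clauses are examined per packet, not real router throughput.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

NET = ipaddress.IPv4Network

@dataclass
class Ace:
    """One access-list clause, modelled on an IOS extended ACL entry."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: NET
    dst: NET
    dport: Optional[int] = None  # destination port, None = any
    established: bool = False    # match only TCP segments with ACK/RST set

def matches(ace, pkt):
    """Does one clause match a packet (dict with proto/src/dst/dport/ack)?"""
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if pkt["src"] not in ace.src or pkt["dst"] not in ace.dst:
        return False
    if ace.dport is not None and pkt.get("dport") != ace.dport:
        return False
    return not ace.established or pkt.get("ack", False)

def evaluate(acl, pkt):
    """First match wins; implicit deny at the end. Returns (action, clauses examined)."""
    for i, ace in enumerate(acl, 1):
        if matches(ace, pkt):
            return ace.action, i
    return "deny", len(acl)

def average_clauses(acl, packets):
    """Mean number of clauses examined per packet for this list order."""
    return sum(evaluate(acl, p)[1] for p in packets) / len(packets)

ANY = NET("0.0.0.0/0")
INSIDE = NET("10.1.0.0/16")
# Constructed inbound list: 19 per-server permits (hypothetical hosts/ports),
# plus the "established" clause that actually matches most return traffic.
SERVER_ACES = [Ace("permit", "tcp", ANY, NET(f"10.1.0.{n}/32"), 21 + n) for n in range(19)]
EST = Ace("permit", "tcp", ANY, INSIDE, established=True)
ACL_SLOW = SERVER_ACES + [EST]   # established clause last: 20 checks per packet
ACL_FAST = [EST] + SERVER_ACES   # established clause first: 1 check per packet

# Constructed traffic: 1000 inbound data segments of an already open FTP session.
FTP_RETURN = [{"proto": "tcp", "src": ipaddress.IPv4Address("10.2.0.5"),
               "dst": ipaddress.IPv4Address("10.1.0.200"), "dport": 1040, "ack": True}] * 1000

if __name__ == "__main__":
    print(average_clauses(ACL_SLOW, FTP_RETURN), average_clauses(ACL_FAST, FTP_RETURN))
```

A new inbound connection attempt (no ACK set) still walks the whole list in either order, so the reordering changes only the cost of the common case, not what is permitted.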