How long is too long for an ACL?

Router: Cisco 827-4V (ADSL-to-Ethernet)

I have an ACL in on the Di0 interface, to protect the network against scanners, Windoze malware, etc. etc. Mostly a series of tcp permits and denies, with a few udp permits/denies and 4 ICMP permit/deny lines. Roughly one line of REMARK for every line of actual ACL.

How big can the ACL get before it impedes performance? That is, is there some point, in terms of number of statements, where the average ACL is starting to significantly affect the performance of the router? Assume that the ACL results are periodically checked and it is more or less optimized by moving the statements most often used closer to the top of the ACL (as the logic of it permits).

Am I correct in assuming that REMARK lines do not impinge on performance?

Are there specific things, beyond optimizing ACL order, that can be done to improve the ACL's performance?
LVL 34
PsiCopAsked:
Who is Participating?
 
fatladConnect With a Mentor Commented:
urm, show processes cpu ? Its part of IOS!
0
 
lrmooreCommented:
Length of acl is determined by the processor speed of the router. Monitor CPU utilization and if it is high, then reduce the acl length.
Low end routers like the 800 series can't take too much.


Couple of ideas -
To improve ACL performance, monitor the hit counts periodically and move any lines with high hit counts to the top of the acl. Any entry with 0 hits after an extended period consider removing.

If you permit only what you want, then there is no value in adding specific denies. The only time I use a specific deny line is if I don't want to see the denied packets in my log. For example, with some the latest worms/viruses, many probes to port 9898, so I added an entry to deny them, but not log because the last line in my acl is 'deny ip any any log', and my log files were filling up.

You might also look into using turbo acls (compiled)
http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guide09186a0080080374.html

I have yet to have such a long acl that I needed to implement this..
0
 
PsiCopAuthor Commented:
I think I stated in my original message that I do periodically review the ACL results (# sh access-lists) and modify the ACL to make sure the statements being hit the most percolate to the top as far as the ACL's logic will allow.

Yes, that's the very reason I have specific DENY statements, to avoid my "deny ip any any log" line from generating a blizzard as the Script Kiddies probe my network boundaries.

"Low end routers like the 800 series can't take too much"

How much is too much? Can you express that in terms of number of statements?
0
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
lrmooreConnect With a Mentor Commented:
If you're looking for a hard-and-fast rule, there ain't one.
I've personally never had occasion to have over 100 entries in an ACL on any router, and have never pushed a router to anywhere near its limits.
How many entries do you have, and what is the current CPU utilization of the router?
There are too many variables. Do you have the firewall feature set? Do you have VPN's? What else are you doing that stresses the CPU on the router? How many entries do you have with "log" keyword?

The true answer is - however many your CPU can handle, given whatever else it is being asked to do..
According to Cisco: "hits to an ACL entry that uses the log keyword will increase CPU utilization. The performance impact associated with logging will vary with by platform."

Sorry I can't provide any more definitive answer than that..

0
 
PsiCopAuthor Commented:
Exclusive of REMARK lines, the ACL is about 60-65 lines total.

How do I check CPU utilization?

I do have the firewall feature-set, but I am not currently using it, just the ACL. No VPNs, and the router is not doing DHCP, NAT or PAT. Only one entry with the "log" keyword (the "deny ip any any log" at the end).
0
 
lrmooreCommented:
>How do I check CPU utilization?
MRTG....
http://www.mrtg.org

Else, Solarwinds Orion . Free 30-day eval

http://www.solarwinds.net
0
 
PsiCopAuthor Commented:
Thank you, fatlad. I'm ashamed to admit that this CCNA didn't know that one.

I check of the CPU history shows that in the past 72 hours, total CPU utilization has not gone above 30%. Of late, the most-used process seems to be the Check-Heap process, and its only consuming 1.75% of the CPU.

In short, I don't think my 65+ line ACL is overloading my 827-4V. I'll continue to monitor it and refine my ACL.

I'm going to split points, with the bulk to fatlad for pointing me to that IOS command.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.