Link to home
Start Free TrialLog in
Avatar of PsiCop
PsiCopFlag for United States of America

asked on

How long is too long for an ACL?

Router: Cisco 827-4V (ADSL-to-Ethernet)

I have an ACL in on the Di0 interface, to protect the network against scanners, Windoze malware, etc. etc. Mostly a series of tcp permits and denies, with a few udp permits/denies and 4 ICMP permit/deny lines. Roughly one line of REMARK for every line of actual ACL.

How big can the ACL get before it impedes performance? That is, is there some point, in terms of number of statements, where the average ACL is starting to significantly affect the performance of the router? Assume that the ACL results are periodically checked and it is more or less optimized by moving the statements most often used closer to the top of the ACL (as the logic of it permits).

Am I correct in assuming that REMARK lines do not impinge on performance?

Are there specific things, beyond optimizing ACL order, that can be done to improve the ACL's performance?
Avatar of Les Moore
Les Moore
Flag of United States of America image

Length of acl is determined by the processor speed of the router. Monitor CPU utilization and if it is high, then reduce the acl length.
Low end routers like the 800 series can't take too much.


Couple of ideas -
To improve ACL performance, monitor the hit counts periodically and move any lines with high hit counts to the top of the acl. Any entry with 0 hits after an extended period consider removing.

If you permit only what you want, then there is no value in adding specific denies. The only time I use a specific deny line is if I don't want to see the denied packets in my log. For example, with some the latest worms/viruses, many probes to port 9898, so I added an entry to deny them, but not log because the last line in my acl is 'deny ip any any log', and my log files were filling up.

You might also look into using turbo acls (compiled)
http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guide09186a0080080374.html

I have yet to have such a long acl that I needed to implement this..
Avatar of PsiCop

ASKER

I think I stated in my original message that I do periodically review the ACL results (# sh access-lists) and modify the ACL to make sure the statements being hit the most percolate to the top as far as the ACL's logic will allow.

Yes, that's the very reason I have specific DENY statements, to avoid my "deny ip any any log" line from generating a blizzard as the Script Kiddies probe my network boundaries.

"Low end routers like the 800 series can't take too much"

How much is too much? Can you express that in terms of number of statements?
SOLUTION
Avatar of Les Moore
Les Moore
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of PsiCop

ASKER

Exclusive of REMARK lines, the ACL is about 60-65 lines total.

How do I check CPU utilization?

I do have the firewall feature-set, but I am not currently using it, just the ACL. No VPNs, and the router is not doing DHCP, NAT or PAT. Only one entry with the "log" keyword (the "deny ip any any log" at the end).
>How do I check CPU utilization?
MRTG....
http://www.mrtg.org

Else, Solarwinds Orion . Free 30-day eval

http://www.solarwinds.net
ASKER CERTIFIED SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of PsiCop

ASKER

Thank you, fatlad. I'm ashamed to admit that this CCNA didn't know that one.

I check of the CPU history shows that in the past 72 hours, total CPU utilization has not gone above 30%. Of late, the most-used process seems to be the Check-Heap process, and its only consuming 1.75% of the CPU.

In short, I don't think my 65+ line ACL is overloading my 827-4V. I'll continue to monitor it and refine my ACL.

I'm going to split points, with the bulk to fatlad for pointing me to that IOS command.