How long is too long for an ACL?
Posted on 2004-08-24
Router: Cisco 827-4V (ADSL-to-Ethernet)
I have an ACL in on the Di0 interface, to protect the network against scanners, Windoze malware, etc. etc. Mostly a series of tcp permits and denies, with a few udp permits/denies and 4 ICMP permit/deny lines. Roughly one line of REMARK for every line of actual ACL.
How big can the ACL get before it impedes performance? That is, is there some point, in terms of number of statements, where the average ACL is starting to significantly affect the performance of the router? Assume that the ACL results are periodically checked and it is more or less optimized by moving the statements most often used closer to the top of the ACL (as the logic of it permits).
Am I correct in assuming that REMARK lines do not impinge on performance?
Are there specific things, beyond optimizing ACL order, that can be done to improve the ACL's performance?
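The reordering the post describes ("moving the statements most often used closer to the top ... as the logic of it permits") can be made mechanical. The following is an added example, not part of the original post or of any Cisco tool: a small Python model of an extended IP ACL that moves entries up by hit count but only past neighbours they can be swapped with safely, i.e. entries with the same action or with match sets no packet can satisfy at once. The entries, the 192.0.2.0/24 prefix and the hit counts are constructed for illustration; remarks are carried as metadata attached to an entry and, in the cost model here, are assumed to add nothing to per-packet evaluation.

```python
"""Added example: reorder an extended IP ACL by hit count while preserving
what it matches. Entries, networks and hit counts are constructed, not
taken from the post."""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional

ANY = IPv4Network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None    # None means any destination port
    hits: int = 0                  # matches counter as shown by "show access-lists"
    remark: Optional[str] = None   # travels with the entry; never evaluated


def may_overlap(a: Ace, b: Ace) -> bool:
    """True if at least one packet could match both entries."""
    if a.proto != b.proto and "ip" not in (a.proto, b.proto):
        return False
    if not a.src.overlaps(b.src) or not a.dst.overlaps(b.dst):
        return False
    if a.dport is not None and b.dport is not None and a.dport != b.dport:
        return False
    return True


def commute(a: Ace, b: Ace) -> bool:
    """Swapping adjacent entries a and b leaves the ACL's behaviour unchanged
    when both take the same action or when no packet can match both."""
    return a.action == b.action or not may_overlap(a, b)


def reorder_by_hits(acl: List[Ace]) -> List[Ace]:
    """Move busy entries toward the top, but never past an entry they could
    conflict with (an insertion sort constrained by commute())."""
    out = list(acl)
    for i in range(1, len(out)):
        j = i
        while (j > 0 and out[j].hits > out[j - 1].hits
               and commute(out[j], out[j - 1])):
            out[j], out[j - 1] = out[j - 1], out[j]
            j -= 1
    return out


def evaluation_cost(acl: List[Ace]) -> int:
    """Total entry comparisons for the observed traffic: a packet that hits
    entry k (1-based) was tested against k entries. Remarks cost nothing."""
    return sum(ace.hits * (k + 1) for k, ace in enumerate(acl))


def _net(net: IPv4Network) -> str:
    """IOS notation: 'any' or 'address wildcard-mask'."""
    return "any" if net == ANY else f"{net.network_address} {net.hostmask}"


def render(acl: List[Ace], number: int = 101) -> List[str]:
    """Emit IOS numbered-ACL lines, each remark directly before its entry."""
    lines = []
    for ace in acl:
        if ace.remark:
            lines.append(f"access-list {number} remark {ace.remark}")
        port = f" eq {ace.dport}" if ace.dport is not None else ""
        lines.append(f"access-list {number} {ace.action} {ace.proto} "
                     f"{_net(ace.src)} {_net(ace.dst)}{port}")
    return lines


INSIDE = IPv4Network("192.0.2.0/24")   # constructed LAN prefix (documentation range)

# Constructed ACL with hit counts. The deny at index 4 must stay below the two
# permits above it: it overlaps them and takes the opposite action.
SAMPLE_ACL = [
    Ace("deny", "tcp", ANY, ANY, 135, hits=500, remark="block RPC endpoint mapper"),
    Ace("deny", "tcp", ANY, ANY, 445, hits=300, remark="block SMB"),
    Ace("permit", "tcp", ANY, INSIDE, 80, hits=9000, remark="web server"),
    Ace("permit", "tcp", ANY, INSIDE, 25, hits=200, remark="mail server"),
    Ace("deny", "tcp", ANY, INSIDE, None, hits=50, remark="no other tcp inbound"),
    Ace("permit", "udp", ANY, INSIDE, 53, hits=4000, remark="dns"),
    Ace("deny", "ip", ANY, ANY, None, hits=100, remark="drop the rest"),
]

if __name__ == "__main__":
    tuned = reorder_by_hits(SAMPLE_ACL)
    print(f"comparisons before {evaluation_cost(SAMPLE_ACL)}, after {evaluation_cost(tuned)}")
    print("\n".join(render(tuned)))
```

On the constructed list the busy web and DNS permits rise to the top, the port-specific denies follow, and the catch-all "deny tcp any 192.0.2.0/24" stays beneath the permits it would otherwise shadow, so the ACL's decisions are identical before and after. The overlap test is deliberately conservative (it treats any shared address range as a possible overlap); a pair it cannot prove disjoint is simply left in its original order.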