<div>
There's tons of evidence and recommendations that you optimize your ACLs to put the most-hit clauses as close to the top as your policy will allow. &nbsp;Long ACLs don't necessarily mean more latency or CPU utilization, but long ACLs where packets match very far down in the ACL (i.e. a final permit ip any any after 2000 lines) do mean more latency and CPU utilization.<br />
<br />
On high-end routers, Cisco offers &quot;turbo ACLs&quot; which do not increase CPU load or latency based on ACL length. &nbsp;That alone is evidence that ACL length (with respect to where in the ACL most packets match) matters.
</div>


There's tons of evidence and recommendations that you optimize your ACLs to put the most-hit clauses as close to the top as your policy will allow.  Long ACLs don't necessarily mean more latency or CPU utilization, but long ACLs where packets match very far down in the ACL (i.e. a final permit ip any any after 2000 lines) do mean more latency and CPU utilization.

On high-end routers, Cisco offers "turbo ACLs" which do not increase CPU load or latency based on ACL length.  That alone is evidence that ACL length (with respect to where in the ACL most packets match) matters.

<div>
Have you any links for these recommendations?<br />
<br />
Mike
</div>


Have you any links for these recommendations?

Mike

<div>
<div class="content wysiwyg-content">
Hi,<br />
<br />
Is their any evidence to suggest that the longer a Cisco ACL is, the greater the time from packet source to destination? Also, is their any evidence to suggest that the location of an ACL entry within the ACL also determines this time? Any links to evidence would be fantastic.<br />
<br />
Mike
</div>
</div>


Hi,

Is their any evidence to suggest that the longer a Cisco ACL is, the greater the time from packet source to destination? Also, is their any evidence to suggest that the location of an ACL entry within the ACL also determines this time? Any links to evidence would be fantastic.

Mike

Cisco ACL Processing Time

A router is a networking device that forwards data packets between computer networks. Routers perform the "traffic directing" functions on the Internet. The most familiar type of routers are home and small office cable or DSL routers that simply pass data, such as web pages, email, IM, and videos between computers and the Internet. More sophisticated routers, such as enterprise routers, connect large business or ISP networks up to the powerful core routers that forward data at high speed along the optical fiber lines of the Internet backbone. Though routers are typically dedicated hardware devices, use of software-based routers has grown increasingly common.