ASA5520 -- Which is more CPU intensive? Deny ACLs or Object-groups?
Posted on 2008-11-07
I need to block all traffic entering our network from an MPLS interface destined to a handful of "protected" subnets (mostly RFC 1918) but allow it out the Internet interface. Which of these is least CPU intensive, or is there perhaps a better way to do this?
1) Make an object-group that contains all of the subnets I want to allow traffic to (all non-RFC 1918 addresses) and let the implicit deny at the end handle blocking traffic to the "protected" subnets, or
2) Make an object-group that contains all of the RFC 1918 subnets and place an explicit deny ACL above the "permit any any" ACLs?
Also, is it generally better to use object-groups or separate ACLs, strictly from a performance perspective?
security-levels in ():