That's a good point.  According to some Cisco guys here at Networkers,
TurboACLs are even less CPU intensive than static routes to null0... cool

Kenny

----- Original Message -----
From: "Erick" <[EMAIL PROTECTED]>
To: "Robert Cabeca" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, June 27, 2000 6:46 PM
Subject: Re: Which access-list increase load the most?


>
> Another thing, you can use the newer TurboACL
> (compiled ACLs) on higher platforms.
>
> access-list compiled
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s6/turboacl.htm
>
> --- Robert Cabeca <[EMAIL PROTECTED]> wrote:
> > Just want to say that this was a great and useful
> > response!!
> > Rob
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> > Date: Tuesday, June 27, 2000 19:51
> > Subject: Which access-list increase load the most?
> >
> >
> > >
> > >It depends (well, what did you expect??)
> > >As a general rule, you're better off putting the access list on the outgoing
> > >interface.  That way you don't waste bandwidth by transmitting traffic you're
> > >just going to throw away anyway.
> > >BUT, your *first* priority is to make sure the access list does what you want.
> > >To do this, you may need to use an incoming access list instead.
> > >
> > >Example...
> > >
> > >rtrA -------- rtrB
> > >
> > >Let's say you want to prevent telnet traffic from rtrA to rtrB.
> > >Assume for now that the link between the routers is a serial link (int S0 on
> > >both routers).
> > >You could put an outgoing access list on S0 on rtrA:
> > >rtrA:
> > >! deny telnet (TCP port 23), permit everything else
> > >access-list 101 deny tcp any any eq 23
> > >access-list 101 permit ip any any
> > >! apply ACL 101 to traffic leaving Serial0
> > >int s 0
> > >ip access-group 101 out
> > >
> > >This will work fine (assuming my access list syntax is correct which I am making
> > >no guarantees about - I haven't checked it).  You could put the same access list
> > >on rtrB as an incoming access list instead, and it would have the same effect,
> > >but your telnet traffic would cross the serial link before being dropped -
> > >generally not very efficient.
> > >
> > >OK, what if it's not a serial link, but an ethernet?  Time to throw another
> > >router into the mix...
> > >
> > >rtrA -------- rtrB
> > >         |
> > >        rtrC
> > >
> > >Now, putting that same outgoing access list on rtrA has a different effect to
> > >putting it as an incoming access list on rtrB.  If you put the outgoing access
> > >list on rtrA, you will not be able to telnet from rtrA to rtrB *or to rtrC*.  If
> > >you put it as an incoming access list on rtrB, you will not be able to telnet
> > >from rtrA to rtrB but you will be able to telnet from rtrA to rtrC.
> > >In this case, where should you put the access list?  That depends completely on
> > >what you are trying to achieve with your access list.
> > >
> > >Regardless of where you are putting your access list, try to put the lines that
> > >will get the most hits near the top (again, make sure you don't change the
> > >meaning of the access list if you change the order of statements).  The lines of
> > >an access list are checked in order, and once a match for a packet is found, the
> > >rest of the list isn't checked - so if most of your packets match the first
> > >line, rather than the last, your router will spend less time checking access
> > >lists.
> > >
> > >Here endeth the chapter :-)
> > >
> > >JMcL
> > >
> > >---------------------- Forwarded by Jenny Mcleod/NSO/CSDA on 27/06/2000 16:28
> > >---------------------------
> > >
> > >
> > >"K.FUJIWARA" <[EMAIL PROTECTED]> on 26/06/2000 15:59:31
> > >
> > >Please respond to "K.FUJIWARA" <[EMAIL PROTECTED]>
> > >
> > >
> > >To:   "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> > >cc:    (bcc: JENNY MCLEOD/NSO/CSDA)
> > >Subject:  Which access-list increase load the most?
> > >
> > >
> > >
> > >Hi, all.
> > >
> > >Though the null interface is the best solution for load in the router CPU, which
> > >extended / standard access-list is the best to reduce the load?
> > >Extended one's result may depend on where it will be put or the case, so where
> > >should it be configured? Destination?
> > >If you have some good examples, please show me.
> > >
> > >And then, do you know good tools or utilities to monitor the router's
> > >performance on CPU or RAM in real time?
> > >
> > >Kazuyo Fujiwara
> > >MCSE/CCNA
> > >Japan Kobe
> > >
> > >
> > >
> > >___________________________________
> > >UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> > >FAQ, list archives, and subscription info: http://www.groupstudy.com
> > >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
>
> =====
> - Erick B. | erickbe(a)yahoo.com | http://berk.dhs.org
>
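
Added example (not part of the original thread): a small Python model of the first-match evaluation described in the quoted reply, showing how moving the most-hit line to the top reduces the number of entries checked, and how a careless reorder changes what the list does. The Rule/Packet model, the traffic mix and all names are constructed for illustration; only protocol and destination port are modelled, and the equivalence check covers the sample traffic only.

```python
from collections import namedtuple

# Simplified ACL entry (assumption): protocol and destination port only.
# proto "ip" matches any protocol; dport None matches any port.
Rule = namedtuple("Rule", "action proto dport")
Packet = namedtuple("Packet", "proto dport")

def matches(rule, pkt):
    proto_ok = rule.proto == "ip" or rule.proto == pkt.proto
    port_ok = rule.dport is None or rule.dport == pkt.dport
    return proto_ok and port_ok

def evaluate(acl, pkt):
    """Return (action, entries_checked) using first-match semantics."""
    for checked, rule in enumerate(acl, start=1):
        if matches(rule, pkt):
            return rule.action, checked
    return "deny", len(acl)  # implicit deny when nothing matches

def total_checks(acl, traffic):
    """Total ACL entries examined across all packets."""
    return sum(evaluate(acl, p)[1] for p in traffic)

def same_meaning(acl_a, acl_b, traffic):
    """True if both orderings give every sample packet the same verdict."""
    return all(evaluate(acl_a, p)[0] == evaluate(acl_b, p)[0] for p in traffic)

# Constructed sample traffic: mostly HTTP, some DNS, a little telnet.
TRAFFIC = ([Packet("tcp", 80)] * 90 + [Packet("udp", 53)] * 8
           + [Packet("tcp", 23)] * 2)

ORIGINAL = [
    Rule("deny", "tcp", 23),
    Rule("permit", "udp", 53),
    Rule("permit", "tcp", 80),
    Rule("permit", "ip", None),
]
# Safe reorder: the HTTP line overlaps no deny line, so it can move to the top.
HITS_FIRST = [ORIGINAL[2], ORIGINAL[0], ORIGINAL[1], ORIGINAL[3]]
# Unsafe reorder: the catch-all permit now shadows the telnet deny.
BROKEN = [ORIGINAL[3], ORIGINAL[0], ORIGINAL[1], ORIGINAL[2]]

if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL), ("hits first", HITS_FIRST),
                      ("broken", BROKEN)]:
        print(name, total_checks(acl, TRAFFIC),
              same_meaning(ORIGINAL, acl, TRAFFIC))
```

The broken ordering checks the fewest entries of the three, which is why the verdict comparison has to accompany any reorder done for speed.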
