I thought on some platforms there was a way to cache the ACLs and/or policy route-maps so they could be fast/CEF/mls switched. Like the logic got compiled and pushed into silicon (or something like that). Is there any validity to that?
Anthony Pace

"Brunner Joseph" wrote in message news:[EMAIL PROTECTED]...
> Just remember if you run CEF on this router or fast switching (as you
> should) it will process switch if you apply access-lists to interfaces.
>
> Any time you apply ip policy (policy routing) or access lists it really
> hammers the cpu. Do you run MRTG ? If you do consider graphing the CPU of
> your router. I used to run about 80 to 100 % without cef, (process
> switching) now I run around 10 to 20 % with cef. Consider using "routes to
> null" or the bit bucket instead of access lists (unless you're using the ACLs
> for your first line of security). If you are just nuking bogus websites, or
> rfc 1918 space consider -
>
> ip route 10.0.0.0 255.0.0.0 null0
> ip route 172.16.0.0 255.240.0.0 null0
> ip route 169.254.0.0 255.255.0.0 null0
> ip route 192.168.0.0 255.255.0.0 null0
>
> instead of
>
> !
> access-list 101 deny ip 10.0.0.0 0.255.255.255 any
> access-list 101 deny ip 172.16.0.0 0.15.0.0 any
> access-list 101 deny ip 169.254.0.0 0.0.255.255 any
> access-list 101 deny ip 192.168.0.0 0.0.255.255 any
> !
> int s0/0
> ip access-group 101 in
>
> The difference is night and day for a 3600 cpu.
>
> Joseph Brunner
> ASN 21572
> MortgageIT MITLending
> New York, NY 10038
> (212) 651 - 7695 Voice

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41857&t=41738