I can't find the specific reference, but Network World published a 
study by Syracuse University a couple of years back.  Their results, 
which were on a 7200, showed this sort of trend -- the impact was 
significant when you added the first rule, and relatively small for 
each additional line. 200 line lists took more resources than 3 line 
lists, but not hugely more.

I am aware of at least one national ISP that uses sufficiently long 
route filter lists that their configuration will not fit in NVRAM, so 
they must TFTP it.  If they try to copy run start, the machine 
crashes.


At 12:09 PM -0400 4/22/02, Ole Drews Jensen wrote:
>Hmm, that's more than I had expected...
>
>Thanks,
>
>Ole
>
>
>
>-----Original Message-----
>From: Marc Thach Xuan Ky [mailto:[EMAIL PROTECTED]]
>Sent: Monday, April 22, 2002 10:00 AM
>To: Ole Drews Jensen
>Cc: [EMAIL PROTECTED]
>Subject: Re: ACL - Let's put some numbers on... [7:41738]
>
>
>Some time ago I was messing about with a 3640 and IIRC I measured about
>70k pps (unidirectional traffic) with no acls.  An acl where the traffic
>was permitted on the first line dropped it to about 55k pps.  Pushing
>the permit acl lines down the list dropped another approx 1%
>throughput for each line processed.  The IOS was probably 11.2.
>rgds
>Marc
>
>Ole Drews Jensen wrote:
>>
>>  My first line of defence is a 3620, and I am using an ACL on the outside
>>  interface for incoming traffic, trying to stop some of the 'bad' traffic before
>>  it continues to my firewall. I know how to design the access-list so the most
>>  often received traffic is checked first, and so on, and I know that I should
>>  keep it as simple as possible and not create a huge access-list with 100's
>>  of lines.
>>
>>  However, it got me wondering. How much does it slow down the incoming
>>  traffic every time I add a new line to my access-list? This is a very hard
>>  question to answer though, because if created well, most traffic should be
>>  filtered out before halfway through the access-list, and I guess it also
>>  depends on the speed of the processor.
>>
>>  If we look at the 3620, it has an 80 MHz RISC processor, so can someone
>>  give me a result here?
>>
>>  If we have a full T1 fully loaded with incoming traffic, how long a delay
>>  would there be per line-to-be-checked in an ingoing extended ACL?
>>
>>  Thanks for your comments...
>>
>>  Ole
>>
>>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>   Ole Drews Jensen
>>   Systems Network Manager
>>   CCNP, MCSE, MCP+I
>>   RWR Enterprises, Inc.
>>   [EMAIL PROTECTED]
>>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>   http://www.RouterChief.com
>>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>   Need a Job?
>>   http://www.OleDrews.com/job
>>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42243&t=41738
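
An added example, not part of the original thread: a simplified first-match model of the sequential ACL processing discussed above, counting lines examined per packet and reordering by hit count only where a swap cannot change a verdict. The ACL, the traffic mix and all function names are constructed for illustration; it uses prefixes rather than IOS wildcard-mask syntax and does not model any platform's forwarding path.

```python
from ipaddress import ip_address, ip_network
# Constructed sample ACL: (action, protocol, source prefix, dest port or None = any).
ACL = [
    ("deny",   "ip",  "10.0.0.0/8",     None),  # RFC 1918 source arriving from outside
    ("deny",   "ip",  "192.168.0.0/16", None),
    ("deny",   "tcp", "0.0.0.0/0",      23),
    ("permit", "tcp", "0.0.0.0/0",      25),
    ("permit", "tcp", "0.0.0.0/0",      80),
    ("deny",   "ip",  "0.0.0.0/0",      None),  # the implicit deny, written out
]
# Constructed traffic mix: (protocol, source address, dest port, packets seen).
TRAFFIC = [("tcp", "198.51.100.7", 80, 700), ("tcp", "203.0.113.9", 25, 200),
           ("tcp", "10.1.2.3", 80, 50), ("tcp", "198.51.100.7", 23, 30),
           ("udp", "203.0.113.9", 53, 20)]

def matches(entry, pkt):
    _, proto, src, port = entry
    return (proto in ("ip", pkt[0]) and ip_address(pkt[1]) in ip_network(src)
            and port in (None, pkt[2]))

def evaluate(acl, pkt):
    """First match wins; return (action, number of lines examined)."""
    for depth, entry in enumerate(acl, 1):
        if matches(entry, pkt):
            return entry[0], depth
    return "deny", len(acl)  # nothing matched: implicit deny after the last line

def mean_depth(acl, traffic):
    return (sum(evaluate(acl, p)[1] * p[3] for p in traffic)
            / sum(p[3] for p in traffic))

def overlap(a, b):
    """True if some packet could match both entries."""
    return ((a[1] == "ip" or b[1] == "ip" or a[1] == b[1])
            and ip_network(a[2]).overlaps(ip_network(b[2]))
            and (a[3] is None or b[3] is None or a[3] == b[3]))

def reorder(acl, traffic):
    """Bubble busier lines upward, swapping neighbours only when the swap
    cannot change any verdict (same action, or no packet matches both)."""
    acl = list(acl)
    hits = dict.fromkeys(acl, 0)
    for p in traffic:  # credit each packet to the line that decided it
        hits[acl[evaluate(acl, p)[1] - 1]] += p[3]
    for _ in acl:
        for i in range(len(acl) - 1):
            a, b = acl[i], acl[i + 1]
            if hits[b] > hits[a] and (a[0] == b[0] or not overlap(a, b)):
                acl[i], acl[i + 1] = b, a
    return acl
```

With this sample, `mean_depth(ACL, TRAFFIC)` is 4.56 lines per packet and 4.03 after `reorder(ACL, TRAFFIC)`: the busy permits cannot move above the anti-spoofing denies they overlap, so hit-count ordering only helps within those limits.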