Example 42 Standard Access List with Lots of deny Statements

access-list 25 deny 165.21.10.10
access-list 25 deny 171.68.34.1
access-list 25 deny 192.34.5.10
! ... many deny entries ...
access-list 25 deny 141.43.10.100
access-list 25 permit any

As the policy filter grows longer, the burden on the router's processing power reaches a point at which the router is at 99 percent CPU utilization. Added to this is the 100 percent to 200 percent growth rate of the Internet. As the packets-per-second (PPS) load on the router increases from the natural growth of the network, the CPU load and packet latency from ACL processing also increase, affecting overall end-to-end bandwidth performance. To keep the ACL a relevant tool on the Internet, improvements are needed that allow ACLs to scale. Faster processors, distributed processing, dedicated ASIC/TCAMs, and special flow-based switching technologies have been added to various Cisco products so that ACLs can keep pace with the Internet's growth. Even so, sequential ACLs have limitations. One way around these limitations is a new way of processing packets through an ACL: Turbo ACLs.
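The cost described above can be seen in a simplified model of sequential first-match evaluation. This is an added example, not code from the original text or from Cisco; the number of entries examined stands in for per-packet CPU work, and the addresses produced by `build_acl` are constructed sample data.

```python
import ipaddress

def parse_acl(text):
    """Parse 'access-list N {permit|deny} {any | addr [wildcard]}' lines."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue  # skip '!' comment lines and blank lines
        action, src = tok[2], tok[3]
        if src == "any":
            addr, wild = 0, 0xFFFFFFFF
        else:
            addr = int(ipaddress.IPv4Address(src))
            # No wildcard given means an exact host match (0.0.0.0)
            wild = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
        entries.append((action, addr, wild))
    return entries

def evaluate(entries, src_ip):
    """Sequential first-match; returns (action, entries_examined)."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for n, (action, addr, wild) in enumerate(entries, 1):
        # Wildcard bits set to 1 are "don't care" bits
        if (ip | wild) == (addr | wild):
            return action, n
    return "deny", len(entries)  # implicit deny ends a non-empty ACL

def build_acl(n_deny):
    """Constructed sample: n_deny host denies followed by 'permit any'."""
    base = int(ipaddress.IPv4Address("10.0.0.1"))
    lines = [f"access-list 25 deny {ipaddress.IPv4Address(base + i)}"
             for i in range(n_deny)]
    lines.append("access-list 25 permit any")
    return "\n".join(lines)

if __name__ == "__main__":
    # Legitimate traffic matches no deny entry, so it pays for the whole list.
    for size in (4, 100, 1000):
        acl = parse_acl(build_acl(size))
        print(size, evaluate(acl, "198.51.100.7"))
```

Permitted traffic is the worst case: every packet that should pass is compared against all the deny entries before it reaches the final permit, so per-packet work grows linearly with the list.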
