Absolutely true that it depends -- and it depends on even more factors.
Even more important than the pure CPU load is the switching path that
will be caused by using a given access list (or other feature that
examines traffic). This is especially true on high-end routers with
multiple processors, which can do distributed forwarding and
filtering.
If, for example, you add a filter to a 7500 and don't watch what you
are doing, you could jump from DCEF (that doesn't go through the CPU
at all) to fast switching. Optimum switching, NetFlow or Distributed
NetFlow would probably have been better options.
Unfortunately, the rules just aren't simple. The forwarding path for
a particular feature depends on the IOS release level, possibly
microcode levels, platform, and interface type.
>It really depends.
>If you have a small routing table but a huge access-list, you put it
>inbound. If most of the incoming traffic is not routable by your
>router, it passes through the access-list and gets dropped, because
>your router has no routes for it. Under this circumstance I think I
>will put the access-list outbound to save the CPU of the router.
>So it really depends on what situation we have.
>
>Thanks
>
>Kent
>
>
>
>--- Tom Holbrook <[EMAIL PROTECTED]> wrote:
> > Jenny-
> >
> > My understanding was that you should apply them inbound, so the
> > traffic doesn't have to go through a route lookup process, just to be
> > dropped. Am I missing something here?
> >
> > -Tom
> > At 05:06 PM 6/27/2000 +1000, you wrote:
> >
> >
> > >It depends (well, what did you expect??)
> > >As a general rule, you're better off putting the access list on the
> > >outgoing interface. That way you don't waste bandwidth by transmitting
> > >traffic you're just going to throw away anyway.
> > >BUT, your *first* priority is to make sure the access list does what
> > >you want. To do this, you may need to use an incoming access list
> > >instead.
> > >
> > >Example...
> > >
> > >rtrA -------- rtrB
> > >
> > >Let's say you want to prevent telnet traffic from rtrA to rtrB.
> > >Assume for now that the link between the routers is a serial link
> > >(int S0 on both routers).
> > >You could put an outgoing access list on S0 on rtrA:
> > >rtrA:
> > >access-list 101 deny tcp any any eq 23
> > >access-list 101 permit ip any any
> > >interface Serial0
> > > ip access-group 101 out
> > >
> > >This will work fine (assuming my syntax is correct which I am making no
> > >guarantees about - I haven't checked it). You could put the same access
> > >list on rtrB as an incoming access list instead, and it would have the
> > >same effect, but your telnet traffic would cross the serial link before
> > >being dropped - generally not very efficient.
> > >
> > >OK, what if it's not a serial link, but an ethernet? Time to throw
> > >another router into the mix...
> > >
> > >rtrA -------- rtrB
> > >         |
> > >        rtrC
> > >
> > >Now, putting that same outgoing access list on rtrA has a different
> > >effect to putting it as an incoming access list on rtrB. If you put the
> > >outgoing access list on rtrA, you will not be able to telnet from rtrA
> > >to rtrB *or to rtrC*. If you put it as an incoming access list on rtrB,
> > >you will not be able to telnet from rtrA to rtrB but you will be able
> > >to telnet from rtrA to rtrC.
> > >In this case, where should you put the access list? That depends
> > >completely on what you are trying to achieve with your access list.
> > >
> > >Regardless of where you are putting your access list, try to put the
> > >lines that will get the most hits near the top (again, make sure you
> > >don't change the meaning of the access list if you change the order of
> > >statements). The lines of an access list are checked in order, and once
> > >a match for a packet is found, the rest of the list isn't checked - so
> > >if most of your packets match the first line, rather than the last,
> > >your router will spend less time checking access lists.
> > >
> > >Here endeth the chapter :-)
> > >
> > >JMcL
> > >
> > >---------------------- Forwarded by Jenny Mcleod/NSO/CSDA on 27/06/2000 16:28 ---------------------------
> > >
> > >
> > >"K.FUJIWARA" <[EMAIL PROTECTED]> on 26/06/2000 15:59:31
> > >
> > >Please respond to "K.FUJIWARA" <[EMAIL PROTECTED]>
> > >
> > >
> > >To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> > >cc: (bcc: JENNY MCLEOD/NSO/CSDA)
> > >Subject: Which access-list increases load the most?
> > >
> > >
> > >
> > >Hi, all.
> > >
> > >Though the null interface is the best solution for load on the router
> > >CPU, which extended / standard access-list is the best to reduce the
> > >load?
> > >An extended one's result may depend on where it is put or on the
> > >case, so where should it be configured? Destination?
> > >If you have some good examples, please show me.
> > >
> > >And then, do you know good tools or utilities to monitor the router's
> > >performance on CPU or RAM in real time?
> > >
> > >Kazuyo Fujiwara
> > >MCSE/CCNA
> > >Japan Kobe
> > >
> > >
> > >
> > >___________________________________
> > >UPDATED Posting Guidelines:
> > http://www.groupstudy.com/list/guide.html
> > >FAQ, list archives, and subscription info:
> > http://www.groupstudy.com
> > >Report misconduct and Nondisclosure violations to
> > [EMAIL PROTECTED]
> > >
> > >
> > >
> > >
> >
> > Tom Holbrook
> > Network Engineer
> > Earthlink
> >
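Added example, not written by any poster in this thread: a small Python model of how an IOS-style access list is evaluated, to make JMcL's two points concrete. Entries are checked top-down and the first match wins (with the implicit deny at the end), so the number of entries examined per packet depends on where the busy entries sit; and reordering is only safe when it cannot change which entry wins for some packet. The addresses, networks and traffic mix below are constructed sample data, and the Ace/Packet classes and helper names are this example's own, not an IOS feature. Only IPv4 addresses, protocol and destination port are modelled; real ACLs also have source ports, wildcard masks, `established`, and so on.

```python
# Added example: first-match ACL model (constructed sample data, not IOS code)
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Ace:
    """One entry, e.g. Ace("deny", "tcp", ANY, ANY, 23) = deny tcp any any eq 23."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None = any destination port
    hits: int = 0                 # like the match counters in 'show access-lists'

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, int]:
    """Top-down, first match wins, implicit deny at the end.
    Returns (action, number of entries examined)."""
    for n, ace in enumerate(acl, 1):
        if ace_matches(ace, pkt):
            ace.hits += 1
            return ace.action, n
    return "deny", len(acl)

def apply_traffic(acl: List[Ace], pkts: List[Packet]) -> Tuple[List[str], int]:
    """Reset counters, run every packet, return (decisions, total entries examined)."""
    for ace in acl:
        ace.hits = 0
    decisions, work = [], 0
    for pkt in pkts:
        action, n = evaluate(acl, pkt)
        decisions.append(action)
        work += n
    return decisions, work

def aces_overlap(a: Ace, b: Ace) -> bool:
    """True if some packet could match both entries (conservative)."""
    proto_ok = "ip" in (a.proto, b.proto) or a.proto == b.proto
    port_ok = a.dport is None or b.dport is None or a.dport == b.dport
    return proto_ok and port_ok and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)

def reorder_by_hits(acl: List[Ace]) -> List[Ace]:
    """Bubble busier entries upward without changing the list's meaning:
    two entries that overlap and differ in action decide the verdict for
    some packet, so they are never swapped. Because only adjacent entries
    are ever swapped, every such pair keeps its original relative order."""
    acl = list(acl)
    changed = True
    while changed:
        changed = False
        for i in range(len(acl) - 1):
            a, b = acl[i], acl[i + 1]
            if b.hits > a.hits and not (aces_overlap(a, b) and a.action != b.action):
                acl[i], acl[i + 1] = b, a
                changed = True
    return acl

def sample_acl() -> List[Ace]:
    """Constructed list: the thread's telnet deny plus three more entries."""
    return [
        Ace("deny", "tcp", ANY, ANY, 23),                                    # telnet
        Ace("deny", "udp", ANY, ipaddress.ip_network("10.0.0.0/8"), 161),    # snmp
        Ace("permit", "tcp", ANY, ipaddress.ip_network("10.1.1.0/24"), 80),  # web
        Ace("permit", "ip", ANY, ANY),
    ]

def sample_traffic() -> List[Packet]:
    """Constructed mix: mostly web, a little telnet, one snmp, one icmp."""
    web = [Packet("tcp", f"192.0.2.{i}", "10.1.1.20", 80) for i in range(1, 7)]
    telnet = [Packet("tcp", "192.0.2.1", "10.1.1.20", 23),
              Packet("tcp", "192.0.2.2", "10.1.1.21", 23)]
    return web + telnet + [Packet("udp", "192.0.2.3", "10.2.0.9", 161),
                           Packet("icmp", "192.0.2.4", "10.1.1.20")]

if __name__ == "__main__":
    acl, pkts = sample_acl(), sample_traffic()
    _, before = apply_traffic(acl, pkts)
    tuned = reorder_by_hits(acl)
    _, after = apply_traffic(tuned, pkts)
    print(f"entries examined: {before} before, {after} after reordering")
```

With the sample traffic the web entry collects most of the hits, and reorder_by_hits moves it to the top because it overlaps neither the telnet deny (different port) nor the snmp deny (different protocol), cutting the entries examined from 26 to 17 while every packet gets the same verdict. The same routine refuses to lift a busy `permit tcp any any` above a `deny tcp any any eq 23` that it overlaps, which is exactly the "don't change the meaning" trap JMcL warns about. On a real router the hit counts come from `show access-lists`, and the overlap test would need to cover every field the platform matches on.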