
Re: ACLs



Florian Weimer wrote:

> "Smith, Donald" <Donald.Smith@qwest.com> writes:
>
> > How about 1000 line acl/ less than 10 millisecond impact?? or something like
> > that.
>
> ACL costs are not proportional to line count.  One device can filter
> at wirespeed from, say, 30,000 lines of ACLs, to less than 1,000,
> depending on the ACL entries.  Requiring a minimum of "mutually
> independent ACL entries" (which do not depend on processing order)
> might be more feasible.
>
> However, where should we draw the boundary?  IMHO, 100 is far too low
> for practical purposes, but why 500, 1000?

I think, as Dave Newman points out, percentages are the most sensible thing
to say here.

> In the end, it's also a choice you have as a purchaser.  Even for
> GSRs, you can buy a truly ACL-capable OC48 interface right now, but it
> has got a certain price tag.  If you don't want to filter in the core,
> why should you pay the additional price?

That's exactly why we have profiles: certain classes of devices (edge) need
high performance filtering of "through" traffic, others (core, small managed
devices) may not.

> To me, this whole ACL issue starts to look more and more like
> something which requires vendor documentation, but not necessarily
> specific implementations.

This document is (mostly) a list of functional operator requirements.
Filter performance is, in many situations, important, testable and a requirement.
Documentation of filter performance and the points at and conditions under
which it will degrade would be nice, but the requirement (where applicable)
is that it *work* without serious performance degradation.

Thanks,
---George Jones
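The thread's notion of "mutually independent ACL entries" (entries whose result does not depend on processing order) can be made concrete. The following script is an added example written for this page; it is not code from the thread, from any vendor, or from the requirements document under discussion. It assumes a simplified, router-style ACL syntax (`<action> <proto> <src> <dst>`, CIDR prefixes or `any`) and a constructed sample ACL; the line format and sequence numbering are assumptions for the example, not a real device's grammar. It flags pairs of entries that could match the same packet with different actions (so swapping them would change what is permitted) and reports which entries are independent of all others.

```python
"""Find order-dependent entries in a prefix-based ACL.

Two entries are order-dependent when the packets they match overlap and
their actions differ: swapping them changes which packets are permitted.
Entries that take part in no such pair are "mutually independent" and
can be evaluated in any order without changing the result.

Syntax and sample data below are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class AclEntry:
    seq: int        # sequence number assigned at parse time (10, 20, ...)
    action: str     # "permit" or "deny"
    proto: str      # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    src: IPv4Network
    dst: IPv4Network


def _prefix(token: str) -> IPv4Network:
    """'any' is shorthand for the whole IPv4 space."""
    return ip_network("0.0.0.0/0" if token == "any" else token)


def parse_acl(text: str) -> list[AclEntry]:
    """Parse one entry per line; '!' starts a comment (assumed format)."""
    entries: list[AclEntry] = []
    for raw in text.strip().splitlines():
        line = raw.split("!")[0].strip()
        if not line:
            continue
        action, proto, src, dst = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in line: {raw!r}")
        entries.append(AclEntry(10 * (len(entries) + 1), action,
                                proto.lower(), _prefix(src), _prefix(dst)))
    return entries


def may_overlap(a: AclEntry, b: AclEntry) -> bool:
    """True if some packet could match both entries."""
    proto_ok = a.proto == b.proto or "ip" in (a.proto, b.proto)
    return proto_ok and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)


def order_dependent_pairs(entries: list[AclEntry]) -> list[tuple[int, int]]:
    """(earlier, later) sequence-number pairs whose relative order matters."""
    pairs = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if a.action != b.action and may_overlap(a, b):
                pairs.append((a.seq, b.seq))
    return pairs


def independent_entries(entries: list[AclEntry]) -> list[AclEntry]:
    """Entries whose placement in the list cannot change the outcome."""
    involved = {seq for pair in order_dependent_pairs(entries) for seq in pair}
    return [e for e in entries if e.seq not in involved]


# Constructed sample ACL using documentation prefixes (RFC 5737) and RFC 1918 space.
SAMPLE_ACL = """
permit tcp  192.0.2.0/24    198.51.100.0/24   ! 10
deny   ip   192.0.2.128/25  any               ! 20: inside 10's source, other action
permit udp  203.0.113.0/24  any               ! 30
deny   icmp 203.0.113.0/24  any               ! 40: same source as 30, different proto
permit ip   10.0.0.0/8      10.0.0.0/8        ! 50
deny   ip   10.0.0.0/8      any               ! 60: covers 50's traffic, other action
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print("order-dependent pairs:", order_dependent_pairs(acl))
    print("independent entries:", [e.seq for e in independent_entries(acl)])
```

On the sample, entries 10/20 and 50/60 are order-dependent and only 30 and 40 are independent, so a six-line ACL carries just two "mutually independent" entries by this measure. A catch-all such as `deny ip any any` overlaps every permit above it, which is why counting independent entries gives a stricter figure than counting lines.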