[rancid] Re: 2.3.2.a5: Make ACL sorting configurable

Lance Vermilion rancid at gheek.net
Tue Sep 26 05:49:21 UTC 2006


John,

I wish I still had a lab to show you the output of how ordering can affect the ACL. As you probably already know, ACLs work top down and when the line in the ACL that matches first is up front you save x msecs as opposed to the line being the last line in the ACL.

I would say though that it doesn't matter for the vast majority of people what order the lines are in the ACL as long as the permit/deny order doesn't change. The biggest impact of ACL ordering is for the PIX in my opinion because of gig interfaces.

-- 

-Lance <rancid at gheek.net>

On Mon, Sep 25, 2006 at 10:35:58PM -0700, john heasley wrote:
> Mon, Sep 25, 2006 at 10:20:29PM -0700, Lance Vermilion:
> > John,
> > 
> > I don't know how you guys do it at your organization but when you make heavy use of ACLs and they get out of order, that can impact the processor of the router/pix/switch. This is important if you are using these configs to restore from.
> > 
> > Maybe I am misunderstanding the original gripe, but I recall the issue being with the ACLs being sorted and them differing from the original order that the ACLs were on the router/pix/switch.
> 
> Cool.  Please, show an example to us of one which would be re-ordered in a
> fashion that would change its result, or performance.  I can't think of
> one, but admittedly do not heavily packet filter and am probably just
> being dense.  Ultimately, I'd prefer a fix that corrected the problem with
> sorting [I'm assuming it's not a matter of distaste but of function].
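A constructed illustration of the point under discussion, added here and not code from the rancid project or from either poster: a top-down first-match evaluator over a small IOS-style ACL, which also counts how many entries were examined before the match, compared against the same entries in plain lexical order. The sample ACL and the lexical sort (standing in for whatever ordering the tool applies) are assumptions; the comparison itself works for any reordering and is the check you would run before trusting a sorted config as a restore source.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample: a standard IOS-style ACL in the order it sits on the device.
ACL_ON_DEVICE = [
    "access-list 10 permit 10.1.1.5 0.0.0.0",
    "access-list 10 deny 10.1.1.0 0.0.0.255",
    "access-list 10 permit 10.1.0.0 0.0.255.255",
    "access-list 10 deny any",
]

def parse_entry(line: str) -> Tuple[str, ipaddress.IPv4Network]:
    """Parse 'access-list N permit|deny <addr> [<wildcard>]' or '... any'."""
    parts = line.split()
    action, addr = parts[2], parts[3]
    if addr == "any":
        return action, ipaddress.IPv4Network("0.0.0.0/0")
    # IOS wildcard: set bits are "don't care"; a missing wildcard means a host.
    wc = int(ipaddress.IPv4Address(parts[4] if len(parts) > 4 else "0.0.0.0"))
    if (wc + 1) & wc:
        raise ValueError(f"non-contiguous wildcard not supported: {line}")
    prefix = 32 - bin(wc).count("1")
    return action, ipaddress.IPv4Network((addr, prefix), strict=False)

def evaluate(acl: List[str], src: str) -> Tuple[str, int]:
    """Top-down first match. Returns (action, number of entries examined)."""
    ip = ipaddress.IPv4Address(src)
    for examined, line in enumerate(acl, start=1):
        action, net = parse_entry(line)
        if ip in net:
            return action, examined
    return "deny", len(acl)  # IOS implicit deny at the end of every ACL

def diff_after_sort(acl: List[str], samples: List[str]) -> List[Tuple[str, str, str]]:
    """Decisions that change when the ACL is restored in sorted order.

    Plain lexical sort is an assumption standing in for the tool's ordering.
    """
    reordered = sorted(acl)
    return [
        (src, evaluate(acl, src)[0], evaluate(reordered, src)[0])
        for src in samples
        if evaluate(acl, src)[0] != evaluate(reordered, src)[0]
    ]

if __name__ == "__main__":
    samples = ["10.1.1.5", "10.1.1.9", "10.1.2.7", "192.0.2.1"]
    for src in samples:
        print(src, evaluate(ACL_ON_DEVICE, src), evaluate(sorted(ACL_ON_DEVICE), src))
    print("changed by sort:", diff_after_sort(ACL_ON_DEVICE, samples))
```

In the sample, lexical order pulls the broad deny entries ahead of the host permit, so two sources that the device permits are denied after the sort; the examined-entry count shows the ordering-dependent cost Lance refers to.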