
Access-Lists (how to order)

control Member Posts: 309
On looking through a show access-lists I can see in some ACLs certain lines have been "matched" more than others, e.g. some statements will have 200000 matches, where others will have maybe 3000 and so forth. I'm sure I read it's good practice to order the access lists per match number, e.g. the ones that are matched most be the first line, or vice versa. I can't remember what order was correct. Anyone shed some light, provide advice/best practices of what you do?

Thanks

Comments

    docrice Member Posts: 1,706
    Rules with the most hits should be at the top so there's less overall processing. With long ACLs, however, you may need to consider prioritization based on hits as well as rule organization (such as all app X rules in the first part, all the rules dealing with remote office users in another part, etc.) for readability purposes. If your ACLs aren't necessarily causing much overhead on router performance, then organization might be more important to you.

    Packet filters are generally really fast anyway since they don't track state so they usually don't impact much unless there's a ton of traffic passing through.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
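Added example, not from the thread or its author: a Python script that parses constructed `show access-lists` output, moves the busiest entries up, and keeps the change safe by only reordering entries within a run that shares the same action, since moving a permit past a deny (or vice versa) is the one change that could alter what the ACL allows. The sample output and the ACL name OUTSIDE-IN are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed "show access-lists" output (not from the thread); 60 has no hit count.
SAMPLE = """\
Extended IP access list OUTSIDE-IN
    10 permit tcp any host 203.0.113.10 eq 443 (3000 matches)
    20 permit tcp any host 203.0.113.10 eq 80 (200000 matches)
    30 deny ip 198.51.100.0 0.0.0.255 any (15000 matches)
    40 permit udp any host 203.0.113.20 eq 53 (87000 matches)
    50 permit icmp any any echo-reply (95000 matches)
    60 deny ip any any log
"""
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")

@dataclass
class Ace:
    seq: int
    action: str
    rule: str
    matches: int

def parse_aces(text: str) -> list[Ace]:
    """Pull sequence number, action, rule text and hit count out of each ACE line."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces.append(Ace(int(m[1]), m[2], m[3], int(m[4] or 0)))
    return aces

def reorder_by_hits(aces: list[Ace]) -> list[Ace]:
    """Busiest entries first, but an entry only moves within a run of entries
    sharing its action: two permits (or two denies) yield the same verdict
    whichever is hit first, so the ACL's behaviour cannot change, whereas
    moving a permit past a deny could, unless they provably never overlap."""
    out, run = [], []
    for ace in aces:
        if run and ace.action != run[-1].action:
            out.extend(sorted(run, key=lambda a: -a.matches))
            run = []
        run.append(ace)
    out.extend(sorted(run, key=lambda a: -a.matches))
    return out

def render(name: str, aces: list[Ace], step: int = 10) -> list[str]:
    """Emit the reordered ACL as IOS config lines with fresh sequence numbers."""
    lines = [f"ip access-list extended {name}"]
    for i, ace in enumerate(aces, start=1):
        lines.append(f" {i * step} {ace.action} {ace.rule}")
    return lines
```

Entry 50 (95000 hits) stays below the deny at 30 even though it is busier, which is the point: a hit-count sort on its own is only safe when it cannot move traffic across a permit/deny boundary.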