List:       firewalls-gc
Subject:    RE: IP Filters?
From:       Ken Hardy <ken () bridge ! com>
Date:       1997-07-03 13:19:15

"Stackpole, Bill" <BSTACKPO@sla.com> wrote:

>There are some techniques you can use to speed up access list
>processing.  Remember a Cisco list is exited on the first true so you
>can add lines like:
>
>	! TCP or UDP Ports above the last service you are permitting
>	!   this is done to speed up the list processing
>	access-list 101 deny   tcp any host 255.255.255.255 gt 80
>	access-list 101 deny   udp any host 255.255.255.255 gt 19
>
>just before all the specific rules to speed up list processing.

Seems to me that that would speed things up most *if* the most common
packets were those you're denying.  Hopefully people are not
continually banging on your router with prohibited traffic, and most of
the packets it needs to process are those that are specifically
allowed.  In such a case, wouldn't it make more sense to put the rules
that *allow* the most common traffic first?  Just guessing, but you ought
to be able to get 80%-90% or more of all packets to hit within the first
half-dozen or so rules.

--
KH
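Added example, not part of the thread: a small first-match ACL simulator that counts how many rules a packet touches before the list exits, using a constructed rule set (the thread's broad `gt 80` deny plus a few single-port permits) and two constructed traffic mixes. The rule shapes, ports and packet counts are all assumptions chosen to make the ordering effect visible; `reorder_by_hits` is the "most common traffic first" idea from the reply, applied only to non-overlapping rules.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    proto: str   # "tcp", "udp" or "any"
    lo: int      # inclusive destination-port range
    hi: int

def matches(rule, proto, dport):
    return rule.proto in ("any", proto) and rule.lo <= dport <= rule.hi

def evaluate(acl, proto, dport):
    """First-match semantics: return (action, rules_inspected). An unmatched
    packet hits the implicit deny only after every rule has been inspected."""
    for n, rule in enumerate(acl, start=1):
        if matches(rule, proto, dport):
            return rule.action, n
    return "deny", len(acl)

def mean_rules_inspected(acl, traffic):
    """traffic: list of ((proto, dport), count) pairs describing the observed mix."""
    total = sum(n for _, n in traffic)
    return sum(evaluate(acl, *pkt)[1] * n for pkt, n in traffic) / total

def reorder_by_hits(acl, traffic):
    """Most frequently matched rule first. Only safe when no two rules overlap
    (true for this constructed set); reordering overlapping rules changes meaning."""
    hits = {rule: 0 for rule in acl}
    for (proto, dport), n in traffic:
        for rule in acl:
            if matches(rule, proto, dport):
                hits[rule] += n
                break
    return sorted(acl, key=lambda rule: -hits[rule])  # stable sort: ties keep order

# Constructed ACL: the broad "gt 80" deny from the thread ahead of specific permits.
DENY_FIRST = [
    Rule("deny", "tcp", 81, 65535),  # access-list 101 deny tcp any ... gt 80
    Rule("permit", "tcp", 80, 80),   # www
    Rule("permit", "tcp", 25, 25),   # smtp
    Rule("permit", "tcp", 21, 21),   # ftp
    Rule("permit", "tcp", 23, 23),   # telnet
]
PERMIT_FIRST = DENY_FIRST[1:] + DENY_FIRST[:1]  # same rules, broad deny last

# Constructed traffic mixes: ((proto, dport), packet count).
MOSTLY_LEGIT = [(("tcp", 80), 70), (("tcp", 25), 20), (("tcp", 21), 5), (("tcp", 6000), 5)]
MOSTLY_NOISE = [(("tcp", 6000), 60), (("tcp", 31337), 20), (("tcp", 80), 15), (("tcp", 25), 5)]
```

With these inputs the permit-first order inspects 1.5 rules per packet on the mostly-legitimate mix against 2.25 for deny-first, while on the mostly-prohibited mix the figures reverse to 4.25 and 1.25, so the right order follows from what the router actually sees.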
