A Cisco 4500-X VSS pair is our internal core router/gateway and applies a large number of ACLs to internal traffic between our various VLANs: approx. 50 VLANs and a few hundred ACLs in total.
At present I have a fwBuilder-created list of ACLs but am refactoring to something which doesn't require a GUI to maintain. At the moment each VLAN has its own separate ACL for IN and OUT. I'm wondering whether it's more efficient to create one ACL (or just one for IN and one for OUT) to be shared by all VLANs.
That is, right now (in a simplified form):
! OPTION 1
ip access-list extended vlan100_in
 permit tcp any any established
 permit icmp any any
 permit ip VLAN100-SOURCE-RANGE SOME-COMMON-TARGET
 ...
 deny ip any any
ip access-list extended vlan200_in
 permit tcp any any established
 permit icmp any any
 permit ip VLAN200-SOURCE-RANGE SOME-COMMON-TARGET
 permit ip VLAN200-SOURCE-RANGE SOME-SPECIAL-TARGET
 ...
 deny ip any any
int vlan 100
 ip access-group vlan100_in in
int vlan 200
 ip access-group vlan200_in in
But what about, say:
! OPTION 2
ip access-list extended general_in
 permit tcp any any established
 permit icmp any any
 permit ip VLAN100-SOURCE-RANGE SOME-COMMON-TARGET
 permit ip VLAN200-SOURCE-RANGE SOME-COMMON-TARGET
 permit ip VLAN200-SOURCE-RANGE SOME-SPECIAL-TARGET
 ...
 deny ip any any
int vlan 100
 ip access-group general_in in
int vlan 200
 ip access-group general_in in
Obviously the new access lists will be considerably longer, but there will be a considerable reduction in duplication.
Is one option or the other more efficient? I feel that my new approach might be more maintainable and less error-prone, but the access lists traversed for any particular packet will be much longer than before (because they are checking against lots of rules which only apply to other VLANs, say -- in the example above, all the VLAN200-specific rules do not apply to the VLAN100 traffic).
My IP address scheme is reasonably well organised, such that similar VLANs with similar requirements can be consolidated into a single umbrella subnet in some cases, which will help somewhat to keep the lists under control.
In short, I'd be willing to sacrifice a small amount of performance in return for maintainability and reliability of keeping the ACLs organised, but not too much. Is what I'm suggesting likely to have a performance hit? This is a live production system and so I can't really test it out beforehand.
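Since the questioner cannot trial either layout on the production core, the comparison can be made offline. The script below is an added example, not code from the original post or from fwBuilder: it generates both layouts (option 1, one ACL per VLAN; option 2, one shared ACL) from a single rule table, which removes the duplication the questioner is worried about without forcing the merge, and then evaluates constructed sample flows against both with a first-match matcher to see where they differ. The prefixes 10.0.100.0/24, 10.0.200.0/24, 10.0.1.0/24 and 10.0.2.0/24 are assumptions standing in for VLAN100-SOURCE-RANGE, VLAN200-SOURCE-RANGE, SOME-COMMON-TARGET and SOME-SPECIAL-TARGET; the helper names are mine.

```python
"""Generate per-VLAN (option 1) and shared (option 2) ACLs from one rule
table and check offline whether they make the same decisions."""
import ipaddress
from itertools import product

# Constructed sample policy; these prefixes are assumptions, not the real network.
VLAN_SOURCES = {100: "10.0.100.0/24", 200: "10.0.200.0/24"}
COMMON_TARGETS = ["10.0.1.0/24"]           # SOME-COMMON-TARGET, every VLAN
SPECIAL_TARGETS = {200: ["10.0.2.0/24"]}   # SOME-SPECIAL-TARGET, VLAN 200 only
ANY = "0.0.0.0/0"

# Rule tuple: (action, protocol, source prefix, destination prefix, established)
HEADER = [("permit", "tcp", ANY, ANY, True), ("permit", "icmp", ANY, ANY, False)]
TAIL = [("deny", "ip", ANY, ANY, False)]


def ios_net(cidr):
    """Render a CIDR prefix in IOS 'network wildcard' notation."""
    net = ipaddress.ip_network(cidr)
    return "any" if net.prefixlen == 0 else f"{net.network_address} {net.hostmask}"


def rules_for(vlan):
    """The permit rules that belong to one VLAN's source range."""
    src = VLAN_SOURCES[vlan]
    targets = COMMON_TARGETS + SPECIAL_TARGETS.get(vlan, [])
    return [("permit", "ip", src, dst, False) for dst in targets]


def option1():
    """One ACL per VLAN, each carrying only that VLAN's rules."""
    return {f"vlan{v}_in": HEADER + rules_for(v) + TAIL for v in VLAN_SOURCES}


def option2():
    """A single shared ACL carrying every VLAN's rules."""
    body = [r for v in VLAN_SOURCES for r in rules_for(v)]
    return {"general_in": HEADER + body + TAIL}


def render(name, rules):
    """Emit IOS configuration for one named extended ACL."""
    lines = [f"ip access-list extended {name}"]
    for action, proto, src, dst, est in rules:
        lines.append(f" {action} {proto} {ios_net(src)} {ios_net(dst)}"
                     + (" established" if est else ""))
    return "\n".join(lines)


def evaluate(rules, proto, src_ip, dst_ip, established=False):
    """First-match evaluation like an IOS ACL, with the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, rsrc, rdst, rest in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if rest and not established:
            continue
        if src in ipaddress.ip_network(rsrc) and dst in ipaddress.ip_network(rdst):
            return action
    return "deny"


def sample_flows(include_spoofed):
    """Constructed flows: (ingress VLAN, proto, src, dst, established).
    With include_spoofed, hosts from the other VLAN's range also enter each VLAN."""
    hosts = {v: str(ipaddress.ip_network(n)[10]) for v, n in VLAN_SOURCES.items()}
    targets = [str(ipaddress.ip_network(t)[5]) for t in
               COMMON_TARGETS + [t for ts in SPECIAL_TARGETS.values() for t in ts]]
    flows = []
    for ingress, (src_vlan, src) in product(VLAN_SOURCES, hosts.items()):
        if src_vlan != ingress and not include_spoofed:
            continue
        for dst, proto, est in product(targets, ("tcp", "icmp", "udp"), (False, True)):
            flows.append((ingress, proto, src, dst, est))
    return flows


def policy_mismatches(include_spoofed=True):
    """Flows on which the shared ACL decides differently from the per-VLAN ACL."""
    per_vlan, shared = option1(), option2()["general_in"]
    out = []
    for ingress, proto, src, dst, est in sample_flows(include_spoofed):
        a = evaluate(per_vlan[f"vlan{ingress}_in"], proto, src, dst, est)
        b = evaluate(shared, proto, src, dst, est)
        if a != b:
            out.append((ingress, proto, src, dst, est, a, b))
    return out


def entry_counts():
    """Number of entries in each generated ACL, option 1 and option 2 together."""
    counts = {}
    for layout in (option1(), option2()):
        counts.update({name: len(rules) for name, rules in layout.items()})
    return counts


if __name__ == "__main__":
    for layout in (option1(), option2()):
        for name, rules in layout.items():
            print(render(name, rules), "\n")
    print(entry_counts())
    for m in policy_mismatches():
        print("differs:", m)
```

For traffic whose source really is in its own VLAN's range the two layouts decide identically, so the generator keeps option 1 maintainable without the GUI. The mismatches the script reports are the security caveat of option 2: in a per-VLAN ACL the source range in each entry is tied to the interface it is applied on, whereas in a shared ACL a packet entering VLAN 100 with a spoofed VLAN 200 source matches VLAN 200's permits. If the shared list is adopted, something else (unicast RPF or an explicit per-interface source check) has to enforce the source range. On switches that evaluate ACLs in TCAM, as the Catalyst 4500 series does for hardware-forwarded traffic, the per-packet lookup cost does not grow with the number of entries; the resource to watch is TCAM capacity, not list length, so the decision is about policy and correctness rather than forwarding performance.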