Cisco – ACL on entry of Core Switch – Performance doubt

Tags: acl, cisco, cisco-4500, performance, switch

We are an ISP and I would like to implement ACL to protect our core network (Infrastructure) and implement some filtering on public subnet inside.

As border device we have a cisco WS-C4500X-32 4500x in VSS Cluster.

The peak traffic on downstream is 3Gbps.
I followed the guidelines and I've already defined the ACL; all that is left is to implement it.

My doubt now is what the throughput performance will be, whether some degradation is expected or the CPU will rise.
Will the device be able to handle such a traffic amount with filtering?

I don't have the experience to implement ACL on so high throughput device.

[edit.1]

Sample of ACL :

ip access-list extended iACL 
 permit ip any 8.8.40.0 0.0.7.255
 permit ip any 8.8.48.0 0.0.15.255
 permit ip any 10.10.0.0 0.0.15.255
 permit ip any 9.9.248.0 0.0.3.255 
 ! External IP needing full access to our network
 permit ip 7.7.176.0 0.0.31.255 any 
 permit ip 6.6.32.0 0.0.31.255 any
 permit ip 5.5.160.0 0.0.31.255 any
 permit ip 4.4.128.0 0.0.31.255 any 
 deny ip any any

Device : cisco WS-C4500X-32 (MPC8572) processor (revision 4) with 4194304K/20480K bytes of memory.
MPC8572 CPU at 1.5GHz, Cisco Catalyst 4500X

IOS : cat4500e-universalk9.SPA.03.04.00.SG.151-2.SG (ROM: 15.0(1r)SG6)

Best Answer

The peak traffic on downstream is 3Gbps. I followed the guidelines and I've already defined the ACL; all that is left is to implement it.

My doubt now is what the throughput performance will be, whether some degradation is expected or the CPU will rise. Will the device be able to handle such a traffic amount with filtering?

The 4500X uses a similar forwarding engine / TCAM to the Catalyst 4500 Supervisor7 (see Cisco Live 2013 BRKARC-3445 page 101 and afterwards for more info); this forwarding engine handles ACLs at 250Mpps as long as you don't punt packets to the CPU. Obviously permit or deny log entries will punt packets to the CPU for logging; however, long ACE port number expansions (such as permit tcp any any le 1024) also can force ACL CPU processing.

Based on your ACL example, you won't have a problem. You can apply these to your high capacity interfaces with no worries... I'm including an informational link to the official docs about How Catalyst 4500 ACLs impact CPU
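To make the two conditions from the answer checkable before an ACL is applied, here is an added example (not from the question, the answer, or Cisco) that lints an IOS extended ACL in the format shown above and flags ACEs with a log keyword or a port operator that may be expanded into many entries. The operator list and the treatment of both conditions as "review before deploying" are assumptions, not Cisco's exact TCAM expansion rules.

```python
import re

# Port operators whose expansion can grow large; the answer names "le 1024"
# as an example that can force CPU processing. This set is an assumption.
RANGE_OPERATORS = {"lt", "gt", "le", "ge", "neq", "range"}

# permit/deny, protocol, then the rest of the entry (addresses, ports, options)
ACE_RE = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(.*)$")


def check_ace(line):
    """Return the reasons this ACE may need CPU processing; empty if hardware-only."""
    m = ACE_RE.match(line)
    if not m:
        return []  # not an ACE (e.g. the 'ip access-list' header)
    tokens = m.group(3).split()
    reasons = []
    if "log" in tokens or "log-input" in tokens:
        reasons.append("log keyword punts matching packets to the CPU")
    for tok in tokens:
        if tok in RANGE_OPERATORS:
            reasons.append(f"port operator '{tok}' may be expanded; long expansions can force CPU processing")
    return reasons


def lint_acl(text):
    """Return {line_no: reasons} for every ACE that should be reviewed before deployment."""
    findings = {}
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith("!"):
            continue  # comment line
        reasons = check_ace(line)
        if reasons:
            findings[no] = reasons
    return findings


# Constructed sample: entries from the question plus two of the kind the answer warns about.
SAMPLE_ACL = """ip access-list extended iACL
 permit ip any 8.8.40.0 0.0.7.255
 permit ip any 10.10.0.0 0.0.15.255
 ! External IP needing full access to our network
 permit ip 7.7.176.0 0.0.31.255 any
 permit tcp any any le 1024
 deny ip any any log
"""

if __name__ == "__main__":
    for no, reasons in lint_acl(SAMPLE_ACL).items():
        print(f"line {no}: " + "; ".join(reasons))
```

Run against the question's original ACL, the script reports nothing, which matches the answer's conclusion.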