Avaya P580 Switch User Manual
9-38 Avaya P550R, P580, P880, and P882 Multiservice Switch User Guide, v5.3.1

not a firewall! The following are some criteria for designing safe, efficient ACLs and how they affect performance:

Specify Destination Address: The wildcard feature of rule creation is a convenience, but it can explode the number of identified Flows. Since the “standard” ACL implies “any” for the destination, it should also be used with care. Ideally the wildcard matches a specific set of addresses.

Use Protocols/Ports Carefully: Pushing the ACL-to-packet matching up one or two levels of the IP stack refines the granularity of the Flows, so that what is matched is very specific. A source-port range can cause a large number of “micro” Flows to be created.

Minimize Rules: The number of rules has a direct impact on the CPU effort needed to match rules to Flows. This is especially true when there is a high frequency of packets that are “walked down” the entire list and match no rule.

Minimize Searching: The goal is to place the most frequently matched rules toward the beginning of the ACL. This requires a good knowledge of traffic patterns. The effect becomes noticeable as ACLs get longer.

Permit Management Traffic with High Priority: This includes routing updates (unicast for RIP 1, multicast for RIP 2), SNMP (CajunView, HPOV), and LDAP (for Cajun Rules/Avaya Policy Manager). Not doing this can cause loss of management connectivity.
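The criteria above can be measured rather than guessed at. The following is an added example, not part of the Avaya guide and not code from the switch: a small first-match ACL simulator in Python that counts how many rules each packet is compared against, reorders rules by observed hit frequency without letting any rule move past one it could overlap with (so every permit/deny decision stays the same), and counts the distinct flows each rule ends up identifying. The rule set, addresses and traffic sample are constructed; treating a flow as a (source, destination, protocol, destination port) tuple is an assumption of this example.

```python
# Added example (not from the Avaya guide): first-match ACL simulator that
# measures rule comparisons, reorders rules safely by hit frequency, and counts
# flows per rule. All rules, addresses and traffic below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PortRange = Tuple[int, int]  # inclusive range; None on a Rule means "any port"


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    src: str                           # CIDR; "0.0.0.0/0" plays the "any" wildcard
    dst: str
    proto: Optional[str] = None        # None = any protocol
    dport: Optional[PortRange] = None  # None = any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First match wins. Returns (action, number of rules compared).
    A packet matching nothing is denied after walking the entire list."""
    for i, rule in enumerate(acl, start=1):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", len(acl)


def total_comparisons(acl: List[Rule], packets: List[Packet]) -> int:
    return sum(evaluate(acl, p)[1] for p in packets)


def may_overlap(a: Rule, b: Rule) -> bool:
    """True if some packet could match both rules; only then does their
    relative order influence the decision."""
    if not ipaddress.ip_network(a.src).overlaps(ipaddress.ip_network(b.src)):
        return False
    if not ipaddress.ip_network(a.dst).overlaps(ipaddress.ip_network(b.dst)):
        return False
    if a.proto is not None and b.proto is not None and a.proto != b.proto:
        return False
    if a.dport is not None and b.dport is not None:
        if a.dport[1] < b.dport[0] or b.dport[1] < a.dport[0]:
            return False
    return True


def reorder_by_frequency(acl: List[Rule], packets: List[Packet]) -> List[Rule]:
    """Move frequently hit rules toward the front, but never past a rule they
    could overlap with, so every packet keeps the same first match."""
    hits = [0] * len(acl)
    for p in packets:
        for i, rule in enumerate(acl):
            if rule_matches(rule, p):
                hits[i] += 1
                break
    order = list(range(len(acl)))
    for i in range(1, len(order)):  # insertion sort with an overlap guard
        j = i
        while (j > 0 and hits[order[j - 1]] < hits[order[j]]
               and not may_overlap(acl[order[j - 1]], acl[order[j]])):
            order[j - 1], order[j] = order[j], order[j - 1]
            j -= 1
    return [acl[k] for k in order]


def same_decisions(a: List[Rule], b: List[Rule], packets: List[Packet]) -> bool:
    return all(evaluate(a, p)[0] == evaluate(b, p)[0] for p in packets)


def flows_per_rule(acl: List[Rule], packets: List[Packet]) -> Dict[int, int]:
    """Distinct (src, dst, proto, dport) flows attributed to each rule index as
    its first match; a wide wildcard collects many of them."""
    seen: Dict[int, Set[Tuple[str, str, str, int]]] = {}
    for p in packets:
        for i, rule in enumerate(acl):
            if rule_matches(rule, p):
                seen.setdefault(i, set()).add((p.src, p.dst, p.proto, p.dport))
                break
    return {i: len(s) for i, s in seen.items()}


# Constructed ACL: rarely hit deny first, busy web rules in the middle, routing
# and SNMP permits last (the order a grown ACL often ends up in).
ACL = [
    Rule("deny", "10.9.0.0/16", "10.0.0.0/24"),                        # quarantine net
    Rule("permit", "10.1.0.0/16", "10.0.0.10/32", "tcp", (80, 80)),    # web, http
    Rule("permit", "10.1.0.0/16", "10.0.0.10/32", "tcp", (443, 443)),  # web, https
    Rule("permit", "10.1.0.0/16", "224.0.0.9/32", "udp", (520, 520)),  # RIP 2 multicast
    Rule("permit", "10.1.0.0/16", "10.0.0.20/32", "udp", (161, 161)),  # SNMP
]

# Constructed traffic sample: mostly https, a little of everything else, and one
# packet that matches nothing and therefore walks the whole list.
TRAFFIC = (
    [Packet(f"10.1.0.{n}", "10.0.0.10", "tcp", 443) for n in range(1, 7)]
    + [Packet("10.1.0.1", "10.0.0.10", "tcp", 80), Packet("10.1.0.2", "10.0.0.10", "tcp", 80)]
    + [Packet("10.1.0.1", "224.0.0.9", "udp", 520), Packet("10.1.0.9", "10.0.0.20", "udp", 161),
       Packet("10.9.3.3", "10.0.0.10", "tcp", 443), Packet("10.1.5.5", "10.0.0.30", "tcp", 22)]
)

if __name__ == "__main__":
    tuned = reorder_by_frequency(ACL, TRAFFIC)
    print("comparisons before:", total_comparisons(ACL, TRAFFIC))
    print("comparisons after: ", total_comparisons(tuned, TRAFFIC))
    print("decisions unchanged:", same_decisions(ACL, tuned, TRAFFIC))
    print("flows per rule:", flows_per_rule(ACL, TRAFFIC))
```

On the constructed sample the frequency ordering moves the https and http permits ahead of the rarely used deny, cutting the comparisons over the sample from 37 to 27 while the packet that matches nothing still costs a walk down the entire list. The management permits (RIP 2 and SNMP) stay near the end here because they are low-volume; the guide's advice to give management traffic high priority is a deliberate exception to pure frequency ordering, and an operator would move those rules forward by hand after checking with may_overlap that doing so cannot change a decision.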