It has already been discussed in several posts of this forum what CBAC and RACL respectively can and cannot do.
However, something that I've been curious about is their respective memory and CPU cost.
CBAC memory usage is stated to be around 600 bytes per connection, but I cannot find that information about RACL.
This question is derived from another, which is:
"In a system where we have access to both and where we actually need both (FTP will require CBAC and the possibility of replies coming by multiple interfaces requires RACL)... for the traffic that could be controlled by both (ex: HTTP with no special limitations)... which one should one prefer?"
Thank you for your help in the matter.
CBAC consumes more resources by nature. A RACL can't do stateful inspection, but CBAC does enable an internal stateful engine that requires more memory and CPU than normal ACLs. If you have more sessions, the router inspecting the traffic will increase the amount of session entries. Cisco's sort of optimized the CBAC entries by creating a hashing-based mechanism in order to internally identify and organize the stateful table. You can certainly limit the amount of sessions or even the table size.
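
A configuration sketch of the split discussed in this thread, added here as an example and not taken from either poster: CBAC inspects only FTP and has its session state bounded, while plain HTTP return traffic is handled by a reflexive ACL. The names FW, OUTBOUND, INBOUND and WEB-RETURN, the interface, and all numeric values are assumptions.

```cisco
! Constructed example; names, interface and numbers are assumptions
! CBAC: inspect only the protocol that needs it (FTP data channels)
ip inspect name FW ftp
! Bound CBAC state: half-open thresholds, idle timeout, hash table size
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect tcp idle-time 1800
ip inspect hashtable-size 2048
!
! RACL: HTTP replies are admitted by a reflexive entry, not a CBAC session
ip reflexive-list timeout 120
ip access-list extended OUTBOUND
 permit tcp any any eq ftp
 permit tcp any any eq www reflect WEB-RETURN
ip access-list extended INBOUND
 evaluate WEB-RETURN
 deny ip any any
!
interface GigabitEthernet0/1
 ip access-group OUTBOUND out
 ip access-group INBOUND in
 ip inspect FW out
```

`show ip inspect sessions` and `show ip access-lists INBOUND` list the CBAC sessions and the temporary reflexive entries respectively, which makes it possible to compare how much state each mechanism is holding under real traffic.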