Speaker: Mr Andrey Bobyshev (FERMILAB)

Description
An ACL (access control list) is one of the tools that network administrators often use to limit access to various network objects, e.g. to restrict access to certain network areas for specific traffic patterns. ACLs are also used to control traffic forwarding, e.g. to implement so-called policy-based routing. Nowadays there is demand to update ACLs dynamically with programmable tools, with as low latency as possible. At Fermilab we have about 4 years of experience in dynamically reconfiguring network infrastructure. However, dynamic updates also introduce a significant performance challenge for networking devices. This article presents the results of our research and practical experience in dynamically configuring network infrastructure using various types of ACLs. The questions we will try to answer are: what is the maximum size of an ACL; how frequently can it be downloaded without impacting the router's CPU utilization and forwarding capabilities; how does updating an active ACL compare with updating a passive one; and what happens when multiple ACLs are updated.