There are two main ways of shortening ACLs and improving their readability or performance. As you know, ACLs can grow to include hundreds of ACEs and cover many pages when printed. So any way of minimizing the number of ACEs present may be welcomed. A shorter ACL will consume less flash memory in the form of the startup configuration, less RAM in the form of the running configuration, and less CPU utilization when a packet is eligible to be analyzed by the ACL.
The first method of shortening an ACL is by using CIDR to combine multiple ACEs into a single statement. This method is useful when combining multiple ACEs specifying networks. For example, if you have two statements in an ACL which allow 10.0.0.0/8 and 11.0.0.0/8 as such:
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 11.0.0.0 0.255.255.255
These two statements can be combined into the single statement 10.0.0.0/7 as such:
access-list 1 permit 10.0.0.0 1.255.255.255
Anyone who has worked with routers and routing protocols will recognize this method as summarization. In a properly designed network, multiple networks can be combined, or summarized, into a smaller number of networks for use in ACLs and other purposes such as routing protocols/routing tables. You ultimately strive to be able to summarize down to one network wherever you can.
The first method of shortening an ACL is by using CIDR to combine multiple ACEs into a single statement. This method is useful when combining multiple ACEs specifying networks. For example, if you have two statements in an ACL which allow 10.0.0.0/8 and 11.0.0.0/8 as such:
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 11.0.0.0 0.255.255.255
These two statements can be combined into the single statement 10.0.0.0/7 as such:
access-list 1 permit 10.0.0.0 1.255.255.255
Anyone who has worked with routers and routing protocols will recognize this method as summarization. In a properly designed network, multiple networks can be combined, or summarized, into a smaller number of networks for use in ACLs and other purposes such as routing protocols/routing tables. You ultimately strive to be able to summarize down to one network wherever you can.
The second method of reducing the size of ACLs falls into the category of what I would call stupid router tricks. It is accomplished by utilizing binary math to combine two statements into one. This method is useful when combining ACEs that specify individual hosts. To use this method, first convert the two host addresses into binary. Second, do a bitwise AND of these two binary numbers. The result of this AND operation will be used and the address of the combined ACE. Next, do a bitwise XOR of the original two binary numbers. This output of this operation will be used as the wildcard mask of the new combined ACE. For example, if an ACL contained the following statements:
access-list 10 deny host 10.20.30.40
access-list 10 deny host 40.30.20.10
The result of this operation would yield
access-list 10 deny 8.20.20.8 34.0.10.34
While this operation results in ACLs whose meaning is not clear, reducing the number of deny or permit statements in half definitely helps in a routers memory, flash, and CPU utilization.
access-list 10 deny host 10.20.30.40
access-list 10 deny host 40.30.20.10
The result of this operation would yield
access-list 10 deny 8.20.20.8 34.0.10.34
While this operation results in ACLs whose meaning is not clear, reducing the number of deny or permit statements in half definitely helps in a routers memory, flash, and CPU utilization.
Would you be interested in a long ACL with dozens of cryptic statements such as the above?