Re: Cisco 2621 opinions

[Patrick Darden <darden () armc org>]

When I said extensive CBAC lists, I meant lots of ACLs, not use of
extended or reflexive types.  I simply meant that the more ACLs you apply,
the slower your performance would get....  E.g. 5 rule list vs a 500 rule
list.

I certainly don't disagree with anything you say here, but I don't think
you disagree with anything I actually said either.

BTW, the ios qos features work best with slower lines like BRIs.  I would
never use them for fast/ethernet....

--
--Patrick Darden                Internetworking Manager             
--                              706.475.3312    darden () armc org
--                              Athens Regional Medical Center


On Tue, 16 Jul 2002, Brian Ford wrote:

> Patrick,
>
> I would disagree with your assessment of an "extensive rule set".  The IOS 
> Firewall is completely Stateful for TCP; builds state for UDP connections; 
> offers all the IOS ACLs (Standard, Extended, Reflexive, Dynamic and Time of 
> Day); as well as ICMP filtering.  You have extensive IOS Syslog 
> capabilities.  You have access to all the IOS QOS mechanisms.  If you are 
> reasonable in your use of the state mechanisms you can usually achieve (at 
> least a little) better performance.  So you balance the use of traditional 
> ACLs and IP audit capability.
>
> I've found that 3 Mbps throughput is usually fine considering that's using 
> a router between a T-1 line and an Ethernet network.  No?
>
> If you had multiple serial connections coming in or if this were an 
> Ethernet to Ethernet connection you could look at the 2651 or the 3600s.
>
> Liberty for All,
>
> Brian
>
> At 12:00 PM 7/16/2002 -0400, you wrote:
> > Date: Mon, 15 Jul 2002 11:12:47 -0400 (EDT)
> > From: Patrick Darden <darden () armc org>
> > To: firewall-wizards () nfr net
> > Subject: Re: [fw-wiz] Cisco 2621 opinions
> >
> >
> > Joe,
> >
> > The 2621 series can handle, in fast-switching mode, 25kpps.  If simple
> > packet filtering is in place, half that.  If you are using IPFW IOS then
> > half that.  If you are using extensive rule sets, then half that.
> >
> > Let's say you get about 6kpps.  A standard packet is 64 bytes, so
> > 6000X64==384KBps.  This is equivalent to 3mbps.  Not even ethernet speed.
> > And this is without an extensive rule set.
> >
> > Even with no filtering, max routing in fast-switching mode is about
> > 12mbps.  With CBAC and extensive lists, this could go down to 1.5mpbs.
> >
> > ymmv.
> >
> > --
> > --Patrick Darden                Internetworking Manager
> > --                              706.475.3312    darden () armc org
> > --                              Athens Regional Medical Center

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards