Firewall Wizards mailing list archives
RE: Comparisons between Router ACLs and Firewalls
From: "Bill James" <bubbagates () comcast net>
Date: Sat, 3 Jan 2004 17:53:22 -0500
-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () ranum com]
Sent: Saturday, January 03, 2004 5:42 PM
To: Bill James; 'David Pick'
Cc: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Comparisons between Router ACLs and Firewalls

> Bill James wrote:
> > The problem with using ACL's is the load they can add to a router. Most of
> > Cisco's newer IOS' have IP Inspection and do OK but can add a tremendous
> > load on the router.
>
> I've never found any good studies of ACL performance. Do you have any
> references you can point us to?
>
> mjr.
This is based on experience over the years and having clients wanting to run IP Inspect and ACL on the same 1720 router with 8MB flash and 32MB RAM and a high-volume link...

On this particular site NAT is running, there are about 20 full-time PPTP users passing through to a MS server and approx. 15 permits in the ACL's with the customary deny all at the end. On a typical day this router runs at 50 to 75 percent processor... (I know.... I have explained to the customer the need to upgrade the router.)

I have even seen 2621's and 3600's get overloaded, but the traffic was very high at the time... viruses were mainly the cause in all cases.

In any case, what I have seen with a PIX or IPTables is that traffic did slow during virus and DDoS attacks, but traffic still got through.

I wish I had some good studies for the sake of argument.

Bill James

The objective of all dedicated employees should be to thoroughly analyze all situations, anticipate all problems prior to their occurrence, have answers for these problems, and move swiftly to solve these problems when called upon. However, when you are up to your ass in alligators it is difficult to remind yourself your initial objective was to drain the swamp.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Comparisons between Router ACLs and Firewalls sd2mcleo (Jan 01)
- Re: Comparisons between Router ACLs and Firewalls David Pick (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Bill James (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Marcus J. Ranum (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Bill James (Jan 03)
- Message not available
- RE: Comparisons between Router ACLs and Firewalls Marcus J. Ranum (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Bill James (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Paul Robertson (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Wes Noonan (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Paul Robertson (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Wes Noonan (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Bill James (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Bill James (Jan 03)
- Re: Comparisons between Router ACLs and Firewalls David Pick (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Mark Gumennik (Jan 05)
- RE: Comparisons between Router ACLs and Firewalls Paul Robertson (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Bill James (Jan 03)