Firewall Wizards mailing list archives
RE: Comparisons between Router ACLs and Firewalls
From: Paul Robertson <proberts () patriot net>
Date: Sat, 3 Jan 2004 19:22:57 -0500 (EST)
On Sat, 3 Jan 2004, Wes Noonan wrote:
> One of the problems that we had when I was working for a company that made network performance management tools was dealing with this exact issue. Because packet size is variable in most networks (ATM, etc. are obvious exceptions), the impact that many things have on the performance of a network device becomes almost impossible to make a general baseline statement about, much to the chagrin of the sales force. This is so true that Cisco (and most other vendors) typically refer to a set 64K packet size in the small print on all of their performance metrics, although this is
Erm, you mean 64 *byte*, don't you?
> obviously an impossible number to achieve in the real world.
The ideal thing would be to get some averages from the real world, call that a good metric and do some testing. Some traffic is worse than others though, so it's good to put some performance suckers in there (multicast on Cisco, anyone?).
> The obvious performance impact on a router with ACLs has to do with the fact that every packet now must be processed by the router before it can be forwarded. This also requires the router to be able to queue and buffer the
It already is, so the processing overhead is incremental, that's why Cisco did so much work on access lists and ensuring the switching paths were as fast as possible even without things like VIP cards. Seriously- adding permits first for the bulk of the traffic will keep the router singing. I've had to overcome the "can't put filters on that router" thing for production routers way too many times- and every single time, when the rules were sane, the router's CPU wasn't even measurably impacted. Am I beating a dead horse? Sure! Because it'll make it easier if people understand that for most routers, IF you do it right, extended access lists won't hurt it- if they do, the router's seriously underconfigured anyway- the ACLs won't be the real issue.
> packet during processing. I seriously doubt that anyone could produce numbers more accurate than "In my environment, generally speaking" or "in an absolutely controlled environment, this is what we saw". I agree with Paul
You can produce some general numbers and a traffic profile that's "good enough" to measure with. Traffic like multicast, and traffic *to* the router, will do more to impact performance than stuff you're passing through it, since those are process switched (AFAIR) and that's where the real hits come from.
> here though that when you start trying to do things to the router itself you can really see the performance impact some of these other things have. I can't count how many routers I have seen reboot when trying to show the running config because the router was under too much stress for whatever reason (oftentimes BGP routers that are skimpy on RAM).
Yep, I've mandated extended access lists on every border router I've ever seen, even those carrying full routes and significant traffic, and never had a problem, but I've seen lots of problems with underconfigured routers.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
proberts () patriot net     which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment
                           TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
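Paul's advice above, "adding permits first for the bulk of the traffic", has one catch that the thread leaves implicit: an entry can only be moved ahead of another if doing so cannot change which action wins for any packet. The script below is an added example, not code from the thread or from any vendor: it reads a constructed sample in the style of IOS "show ip access-lists" output (addresses and match counters are made up), moves the heaviest-hit entries up, and keeps every pair of overlapping entries with opposite actions (or with logging) in its original relative order, so the reordered list makes the same permit/deny decisions. It assumes numeric ports, contiguous wildcard masks, and the "(N matches)" counter format; the function and variable names are this example's own.

```python
"""Reorder a Cisco-style extended ACL so high-hit permits come first without
changing what the ACL permits or denies.  Added example; not from the thread."""
import ipaddress
import re
from dataclasses import dataclass

ANY_PORTS = (0, 65535)

# Constructed sample in the style of IOS "show ip access-lists" output; the
# addresses and match counters are invented for this example.
SAMPLE = """\
Extended IP access list 101
    10 deny ip 10.0.0.0 0.255.255.255 any (12 matches)
    20 deny ip 127.0.0.0 0.255.255.255 any
    30 permit tcp any host 192.0.2.10 eq 80 (1803412 matches)
    40 permit tcp any host 192.0.2.10 eq 443 (955201 matches)
    50 permit udp any host 192.0.2.53 eq 53 (440017 matches)
    60 permit tcp any any established (2210033 matches)
    70 deny ip any any log (318 matches)
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")


@dataclass
class Entry:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: tuple
    dst: ipaddress.IPv4Network
    dport: tuple
    options: list   # trailing keywords such as "established" or "log"
    matches: int
    text: str       # entry body after the action, used when re-emitting


def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask (an IOS wildcard) after the slash; a
    # non-contiguous wildcard such as 0.0.255.0 raises ValueError here.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _ports(tok, i):
    """Parse an optional eq/gt/lt/range qualifier (numeric ports only)."""
    if i >= len(tok):
        return ANY_PORTS, i
    op = tok[i]
    if op == "eq":
        return (int(tok[i + 1]),) * 2, i + 2
    if op == "gt":
        return (int(tok[i + 1]) + 1, 65535), i + 2
    if op == "lt":
        return (0, int(tok[i + 1]) - 1), i + 2
    if op == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return ANY_PORTS, i


def parse_acl(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line such as "Extended IP access list 101"
        seq, action, body, hits = m.groups()
        tok = body.split()
        proto, i = tok[0], 1
        src, i = _addr(tok, i)
        sport, i = _ports(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _ports(tok, i)
        entries.append(Entry(int(seq), action, proto, src, sport, dst, dport,
                             tok[i:], int(hits or 0), body))
    return entries


def overlaps(a, b):
    """Conservative test: could a single packet match both entries?"""
    if "ip" not in (a.proto, b.proto) and a.proto != b.proto:
        return False
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and a.sport[0] <= b.sport[1] and b.sport[0] <= a.sport[1]
            and a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1])


def reorder(entries):
    """Pull heavy-hit entries up.  Two overlapping entries keep their original
    order when their actions differ (else a packet could flip permit/deny) or
    when either one logs (else the logged set changes)."""
    n = len(entries)
    preds = [set() for _ in range(n)]
    for j in range(n):
        for i in range(j):
            logs = any(o.startswith("log") for o in entries[i].options + entries[j].options)
            if (entries[i].action != entries[j].action or logs) and overlaps(entries[i], entries[j]):
                preds[j].add(i)
    done, order = set(), []
    while len(order) < n:   # Kahn's algorithm, picking the hottest ready entry
        ready = [k for k in range(n) if k not in done and preds[k] <= done]
        best = max(ready, key=lambda k: (entries[k].matches, -k))
        done.add(best)
        order.append(entries[best])
    return order


def render(entries, step=10):
    """Re-emit the entries with fresh sequence numbers."""
    return [f"{(k + 1) * step} {e.action} {e.text}" for k, e in enumerate(entries)]


if __name__ == "__main__":
    for line in render(reorder(parse_acl(SAMPLE))):
        print(line)
```

On the sample, the two anti-spoofing denies stay at the top because every permit overlaps them, the "established" permit moves ahead of the per-service permits because they share an action, and the logging "deny ip any any" stays last. Counters move with the entries, so the "(N matches)" values from before a reorder describe the old positions, not the new ones.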
Current thread:
- Comparisons between Router ACLs and Firewalls sd2mcleo (Jan 01)
- Re: Comparisons between Router ACLs and Firewalls David Pick (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Bill James (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Marcus J. Ranum (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Bill James (Jan 03)
- Message not available
- RE: Comparisons between Router ACLs and Firewalls Marcus J. Ranum (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Bill James (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Paul Robertson (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Wes Noonan (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Paul Robertson (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Wes Noonan (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Bill James (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Bill James (Jan 03)
- Re: Comparisons between Router ACLs and Firewalls David Pick (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Mark Gumennik (Jan 05)
- RE: Comparisons between Router ACLs and Firewalls Paul Robertson (Jan 03)
- RE: Comparisons between Router ACLs and Firewalls Bill James (Jan 03)