Firewall Wizards mailing list archives
RE: Comparisons between Router ACLs and Firewalls
From: "Wes Noonan" <mailinglists () wjnconsulting com>
Date: Sat, 3 Jan 2004 18:36:05 -0600
inline

Wes Noonan
mailinglists () wjnconsulting com
http://www.wjnconsulting.com

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Paul Robertson
Sent: Saturday, January 03, 2004 18:23
To: Wes Noonan
Cc: 'Marcus J. Ranum'; 'Bill James'; 'David Pick'; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Comparisons between Router ACLs and Firewalls

On Sat, 3 Jan 2004, Wes Noonan wrote:

> One of the problems that we had when I was working for a company that made
> network performance management tools was dealing with this exact issue.
> Because every packet size is variable in most networks (ATM, etc. are
> obvious exceptions), the impact that many things have on the performance of
> a network device becomes almost impossible to make a general baseline
> statement about, much to the chagrin of the sales force. This is so true
> that Cisco (and most other vendors) typically refer to a set 64K packet size
> in the small print on all of their performance metrics, although this is

Erm, you mean 64 *byte* don't you?
Err... been writing for about 10 hours today... eyes and brain getting tired... :-)
It already is, so the processing overhead is incremental, that's why Cisco did so much work on access lists and ensuring the switching paths were as fast as possible even without things like VIP cards. Seriously- adding permits first for the bulk of the traffic will keep the router singing. I've had to overcome the "can't put filters on that router" thing for production routers way too many times- and every single time, when the rules were sane, the router's CPU wasn't even measurably impacted. Am I beating a dead horse? Sure! Because it'll make it easier if people understand that for most routers, IF you do it right, extended access lists won't hurt it- if they do, the router's seriously underconfigured anyway- the ACLs won't be the real issue.
Oh, I agree completely. It's been my experience that pretty much any time ACLs caused a problem on the router it was really just a symptom of another problem, generally having too small a device trying to perform the role. I.e. wedging a 1720 to service all routing for a few hundred users is the problem, if you know what I mean.
You can produce some general numbers and a traffic profile that's "good enough" to measure with. Traffic like multicast, and traffic *to* the router will do more to impact performance than stuff you're passing through it, since those are process switched (AFAIR) and that's where the real hits come from.
Agreed. The problem comes into the question of what is "good enough". Some folks are overly anal-retentive on this subject.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
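The ordering point Paul makes above ("adding permits first for the bulk of the traffic will keep the router singing") can be made concrete with a small model of first-match ACL evaluation. This is an added example, not code from the thread or from any vendor: the ACL entries, the addresses (RFC 5737 documentation ranges) and the traffic mix are all constructed for illustration, and the model counts how many entries a sequential first-match walk examines before it decides. It also checks the caveat that goes with the advice: moving the bulk permits up is only legitimate when every packet still gets the same decision, and a deny that overlaps a broad permit has to stay above it.

```python
"""Added example (not from the thread): first-match ACL evaluation with an
implicit deny, showing why bulk permits belong near the top and why any
reordering must be checked for policy equivalence.  All entries, addresses
and the traffic profile are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str                    # source address
    dst: str                    # destination address
    dport: Optional[int] = None # destination port, None for no port


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "ip" (any)
    src: str                    # source prefix in CIDR form
    dst: str                    # destination prefix in CIDR form
    dport: Optional[int] = None # destination port, None = any

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst))


def evaluate(acl: Sequence[Entry], p: Packet) -> Tuple[str, int]:
    """Walk the ACL top to bottom; first matching entry wins.  Returns the
    decision and the number of entries examined.  With no match the packet
    hits the implicit deny after every entry has been examined."""
    for depth, entry in enumerate(acl, start=1):
        if entry.matches(p):
            return entry.action, depth
    return "deny", len(acl)


def mean_entries_examined(acl: Sequence[Entry],
                          profile: Sequence[Tuple[Packet, int]]) -> float:
    """Weighted average of entries examined per packet, with the profile
    given as (packet, share-of-traffic) pairs."""
    total = sum(w for _, w in profile)
    return sum(evaluate(acl, p)[1] * w for p, w in profile) / total


def same_policy(a: Sequence[Entry], b: Sequence[Entry],
                packets: Sequence[Packet]) -> bool:
    """A reordering is only safe if every sample packet gets the same
    decision from both lists."""
    return all(evaluate(a, p)[0] == evaluate(b, p)[0] for p in packets)


# Constructed policy, written the way many people write it: every deny
# first, the two high-volume permits at the bottom.
DENY_FIRST = [
    Entry("deny", "tcp", "0.0.0.0/0", "192.0.2.0/24", 23),          # telnet
    Entry("deny", "tcp", "0.0.0.0/0", "192.0.2.0/24", 135),         # rpc
    Entry("deny", "udp", "0.0.0.0/0", "192.0.2.0/24", 161),         # snmp
    Entry("deny", "ip", "198.51.100.0/24", "192.0.2.0/24"),         # hostile net
    Entry("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),       # web
    Entry("permit", "tcp", "0.0.0.0/0", "192.0.2.20/32", 25),       # mail
]

# Same policy with the bulk permits promoted.  The hostile-net deny overlaps
# both permits (any source, port 80/25), so it has to stay above them; the
# port-specific denies do not overlap and can drop to the bottom.
PERMITS_FIRST = [
    DENY_FIRST[3], DENY_FIRST[4], DENY_FIRST[5],
    DENY_FIRST[0], DENY_FIRST[1], DENY_FIRST[2],
]

# The tempting but wrong version: permits first, every deny afterwards.
NAIVE = [DENY_FIRST[4], DENY_FIRST[5]] + DENY_FIRST[0:4]

# Constructed traffic profile: share of packets per flow type.
PROFILE = [
    (Packet("tcp", "203.0.113.7", "192.0.2.10", 80), 70),   # bulk web
    (Packet("tcp", "203.0.113.8", "192.0.2.20", 25), 20),   # bulk mail
    (Packet("tcp", "203.0.113.9", "192.0.2.10", 23), 5),    # telnet probes
    (Packet("udp", "203.0.113.9", "192.0.2.10", 161), 3),   # snmp probes
    (Packet("tcp", "198.51.100.5", "192.0.2.10", 80), 2),   # hostile net
]
SAMPLE_PACKETS = [p for p, _ in PROFILE]


if __name__ == "__main__":
    for name, acl in (("deny-first", DENY_FIRST), ("permits-first", PERMITS_FIRST)):
        print(f"{name:14s} mean entries examined: "
              f"{mean_entries_examined(acl, PROFILE):.2f}  "
              f"equivalent: {same_policy(DENY_FIRST, acl, SAMPLE_PACKETS)}")
    print("naive reorder equivalent:",
          same_policy(DENY_FIRST, NAIVE, SAMPLE_PACKETS))
```

Running it, the deny-first list examines 4.92 entries per packet on this mix and the permits-first list 2.40, with identical decisions on every sample packet; the naive reorder cuts the walk too, but quietly permits the hostile-net web packet that the original policy dropped, which `same_policy` reports. The entry count is a model of sequential software evaluation, the path Paul is describing for process-switched traffic; a platform that compiles or hardware-accelerates its ACLs flattens the cost, but the equivalence check applies regardless of platform.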