Firewall Wizards mailing list archives
RE: Comparisons between Router ACLs and Firewalls
From: "Mark Gumennik" <mgumennik () mitre org>
Date: Mon, 5 Jan 2004 12:14:00 -0500
I have done some experiments with the router's ACLs. I applied several different types (sic!) of ACLs with the number of lines from 20 to 500. Then I was banging it (the router) with different packets generated by SmartBits. I have tested 2 mid-size routers on 10 MBps and 100 MBps interfaces. The result was quite strange:

On the ACLs based on "permit all" statement at the end: almost independent of the length of the ACLs, I have seen the routers starting packet drop at 20% of the interface speed (18 - 22%, depending on the length). Keep in mind that the traffic was the same all the time, close to the real thing.

On the ACLs based on "deny all" statement at the end: much more dependent on the length of the ACL and positioning of certain statements within the ACL. The packet drop started @ 40-50% of the line speed.

Mark G

PS I'll be out to sea for a week

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Marcus J. Ranum
Sent: Saturday, January 03, 2004 5:42 PM
To: Bill James; 'David Pick'
Cc: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Comparisons between Router ACLs and Firewalls

Bill James wrote:
The problem with using ACLs is the load they can add to a router. Most of Cisco's newer IOS' have IP Inspection and do OK but can add a tremendous load on the router.
I've never found any good studies of ACL performance. Do you have any references you can point us to?

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
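A simplified model of why a statement's position in an ACL changes the per-packet work of a first-match, linear-scan lookup, added here as an editor's example (it is not code from the thread and does not model the router hardware Mark measured); the ACL syntax, addresses and traffic mix are constructed:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches any protocol
    src: object   # ip_network
    dst: object   # ip_network
    dport: object # int, or None for any destination port

def to_net(token):
    return ip_network("0.0.0.0/0") if token == "any" else ip_network(token)

def parse_acl(text):
    """Parse lines like 'permit tcp any 192.0.2.10/32 eq 80' (simplified, hypothetical syntax)."""
    rules = []
    for line in text.strip().splitlines():
        p = line.split()
        dport = int(p[5]) if len(p) > 5 and p[4] == "eq" else None
        rules.append(Rule(p[0], p[1], to_net(p[2]), to_net(p[3]), dport))
    return rules

def evaluate(rules, pkt):
    """First-match lookup: returns (action, rules examined); implicit deny if nothing matches."""
    for n, r in enumerate(rules, 1):
        if r.proto != "ip" and r.proto != pkt["proto"]:
            continue
        if ip_address(pkt["src"]) not in r.src or ip_address(pkt["dst"]) not in r.dst:
            continue
        if r.dport is not None and r.dport != pkt.get("dport"):
            continue
        return r.action, n
    return "deny", len(rules)

def average_cost(rules, packets):
    """Mean rules examined per packet: the per-packet work of a linear-scan ACL."""
    return sum(evaluate(rules, p)[1] for p in packets) / len(packets)

# Constructed traffic sample: mostly HTTP to one server, one DNS query, one telnet attempt.
TRAFFIC = ([{"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 80}] * 8
           + [{"proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.53", "dport": 53}]
           + [{"proto": "tcp", "src": "203.0.113.9", "dst": "192.0.2.10", "dport": 23}])

# "permit all" at the end: every ordinary packet walks past all the deny lines first.
ACL_PERMIT_END = parse_acl("deny ip 203.0.113.0/24 any\ndeny tcp any any eq 23\npermit ip any any")
# "deny all" at the end: ordinary packets hit an early permit; only strays reach the last line.
ACL_DENY_END = parse_acl("permit tcp any 192.0.2.10/32 eq 80\npermit udp any 192.0.2.53/32 eq 53\ndeny ip any any")
```

Compare average_cost(ACL_PERMIT_END, TRAFFIC) with average_cost(ACL_DENY_END, TRAFFIC): in this model the cost of the permit-at-end list grows with every deny line added in front of the permit, while the deny-at-end list stays cheap as long as the frequent flows are matched by the first few permits.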