Firewall Wizards mailing list archives

Re: Cisco 2621 opinions


From: Patrick Darden <darden () armc org>
Date: Mon, 15 Jul 2002 11:12:47 -0400 (EDT)


Joe,

The 2621 series can handle, in fast-switching mode, 25kpps.  If simple
packet filtering is in place, half that.  If you are using IPFW IOS then
half that.  If you are using extensive rule sets, then half that.

Let's say you get about 6kpps.  A standard packet is 64 bytes, so
6000X64==384KBps.  This is equivalent to 3mbps.  Not even ethernet speed.
And this is without an extensive rule set.

Even with no filtering, max routing in fast-switching mode is about
12mbps.  With CBAC and extensive lists, this could go down to 1.5mbps.

ymmv.

--
--Patrick Darden                Internetworking Manager             
--                              706.475.3312    darden () armc org
--                              Athens Regional Medical Center
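The rule of thumb above (a base forwarding rate, halved per enabled feature, then converted from packets per second to megabits per second at a given packet size) is easy to get wrong in one's head, and the answer swings by a factor of 20 depending on whether you assume minimum-size or full-size packets. The following is an added example, not part of the original post or of any Cisco documentation: a small Python capacity model that takes the 25kpps figure and the halving rule from the reply and checks them against the 100 Mb/s burst and 50-60 Mb/s sustained loads asked about further down the thread. The function names, the feature labels, and the 1500-byte frame size are assumptions of the example.

```python
# Back-of-the-envelope capacity model for a small router used as a firewall.
# Added example, not from the original post. BASE_PPS and the halving per
# feature are the rule of thumb given in the reply; the function names, the
# feature labels and the 1500-byte packet size are assumptions of this example.

BASE_PPS = 25_000            # 2621 fast-switching rate quoted in the reply

# Each enabled feature halves the forwarding rate, per the reply's rule of thumb.
FEATURES = ("packet_filtering", "ipfw_ios", "extensive_rules")


def effective_pps(enabled, base_pps=BASE_PPS):
    """Packets per second left after each enabled feature halves the rate."""
    pps = float(base_pps)
    for feature in enabled:
        if feature not in FEATURES:
            raise ValueError(f"unknown feature: {feature}")
        pps /= 2
    return pps


def mbps_from_pps(pps, packet_bytes):
    """Convert a forwarding rate to megabits per second at a given packet size."""
    return pps * packet_bytes * 8 / 1_000_000


def pps_required(mbps, packet_bytes):
    """Packets per second that a load of `mbps` represents at a given packet size."""
    return mbps * 1_000_000 / (packet_bytes * 8)


def headroom(enabled, offered_mbps, packet_bytes):
    """Available pps divided by required pps; below 1.0 the router is overloaded."""
    return effective_pps(enabled) / pps_required(offered_mbps, packet_bytes)


if __name__ == "__main__":
    # The reply's own worked figure: ~6kpps of 64-byte packets is about 3 Mb/s.
    print(f"6000 pps x 64 B = {mbps_from_pps(6000, 64):.3f} Mb/s")
    # The loads asked about in the thread, with only simple packet filtering on.
    for pkt in (64, 1500):
        for load in (100, 55):
            r = headroom(["packet_filtering"], load, pkt)
            print(f"{pkt:5d}-byte packets at {load:3d} Mb/s: headroom {r:.2f}")
```

With only simple filtering enabled the model gives 12.5kpps, which covers 100 Mb/s of 1500-byte packets (about 8.3kpps) but is swamped more than fifteen times over by 100 Mb/s of 64-byte packets (about 195kpps). That is why the reply sizes on 64-byte packets: a burst of small packets is the worst case a filtering router sees, and it is the case in which an undersized firewall starts dropping traffic.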


On Mon, 15 Jul 2002, joe macdonald wrote:

Patrick,

Thanks for the response.

So the 2621 would barf if it had to handle burst speeds of 100Mbit/s
(aggregate) with only a couple access-list rules (e.g. to deny connections
to itself and a Linux-based firewall)?  What about if it had to sustain
50-60Mbit/s?

There will be no servers on the other side of it, all servers will be on
the same subnet as the desktop machines.

Thanks

--- Patrick Darden <darden () armc org> wrote:

The 2600 series is really designed as a border router for slow bandwidth
connections.  2XT1s is really the most it can comfortably handle.

IPFWIOS with CBAC is a great cheap firewall solution--for a small office.
However, it is extremely limited (it does stateful packet inspection for
around 70 different protocols), and eats up the CPU cycles.

Someone mentioned reflexive access lists as a possibility, and stated that
they are stateful.  They are stateful in a sense, but they do not keep
track of tcp sequence numbers so they are not stateful in a security
context.  There is a large discussion of IPFWIOS vs. reflexive access lists
available in the archives.

175 ethernet computers are going to saturate a 2600 very quickly if
anything is on the other side of the router/firewall (file servers, etc.).

If the only other choice is the PIX, then I heartily recommend the PIX.
It was designed for high-bandwidth situations.  It is a great firewall.

A linux or bsd based computer would do a great job as well, using ipchains
or whatever.  And it would be cheap.

--
--Patrick Darden                Internetworking Manager
--                              706.475.3312    darden () armc org
--                              Athens Regional Medical Center


On Sat, 13 Jul 2002, joe macdonald wrote:

Hello all,

I have a rather simple question that I would appreciate feedback on.

I have a network of about 175 computers that I'm looking to put behind a
Cisco 2621 router and also deploy it as a firewall.  I'm new to the Cisco
world, so I'm wondering how well these devices work as a router/firewall
and how drastic the learning curve will be (I have deployed firewalls in
the past using ipfw, iptables, ipchains on Unix systems).  Also, my network
isn't very big, but is the 2621 a suitable choice, or would a higher end
model be necessary?  Would a PIX be able to do this job better? (it's not
exactly a complex routing situation, but is the PIX strictly a firewall?)

Thanks.  Any opinions are greatly appreciated.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



