RE: Comparisons between Router ACLs and Firewalls

["Wes Noonan" <mailinglists () wjnconsulting com>]

inline

Wes Noonan
mailinglists () wjnconsulting com
http://www.wjnconsulting.com 

> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-
> admin () honor icsalabs com] On Behalf Of Paul Robertson
> Sent: Saturday, January 03, 2004 18:23
> To: Wes Noonan
> Cc: 'Marcus J. Ranum'; 'Bill James'; 'David Pick'; firewall-
> wizards () honor icsalabs com
> Subject: RE: [fw-wiz] Comparisons between Router ACLs and Firewalls
>
> On Sat, 3 Jan 2004, Wes Noonan wrote:
>
> > One of the problems that we had when I was working for a company that
> made
> > network performance management tools was dealing with this exact issue.
> > Because every packet size is variable in most networks (ATM, etc. are
> > obvious exceptions), the impact that many things have on the performance
> of
> > a network device becomes almost impossible to make a general baseline
> > statement about, much to the chagrin of the sales force. This is so true
> > that Cisco (and most other vendors) typically refer to a set 64K packet
> size
> > in the small print on all of their performance metrics, although this is
>
> Erm, you mean 64 *byte* don't you?

Err... been writing for about 10 hours today... eyes and brain getting
tired... :-)
 
> It already is, so the processing overhead is incremental, that's why Cisco
> did so much work on access lists and ensuring the switching paths were as
> fast as possible even without things like VIP cards.  Seriously- adding
> permits first for the bulk of the traffic will keep the router singing.
>
> I've had to overcome the "can't put filters on that router" thing for
> production routers way too many times- and every single time, when the
> rules were sane, the router's CPU wasn't even measurably impacted.  Am I
> beating a dead horse?  Sure!  Because it'll make it easier if people
> understand that for most routers, IF you do it right, extended access
> lists won't hurt it- if they do, the router's seriously underconfigured
> anyway- the ACLs won't be the real issue.

Oh, I agree completely. It's been my experience that pretty much any time
ACLs caused a problem on the router it was really just a symptom of another
problem, generally having too small a device trying to perform the role.
I.e. wedging a 1720 to service all routing for a few hundred users is the
problem, if you know what I mean.
 
> You can produce some general numbers and a traffic profile that's "good
> enoough" to measure with.  Traffic like multicast, and traffic *to* the
> router will do more to impact performance than stuff you're passing
> through it, since those are process switched (AFAIR) and that's where the
> real hits come from.

Agreed. The problem comes into the question of what is "good enough". Some
folks are overly anal-retentive on this subject. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards