nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: FW: your mail

From: "Alex P. Rudnev" <alex () virgin relcom eu net>
Date: Wed, 20 Oct 1999 14:24:06 +0400 (MSD)

Yes, about _just another etc_...

But I am very sceptical about the PIX, in contra to IOS FW FS, because:

- if you need L3 level firewaii (smart filtering), PIX have not enougph
network capabilities,  and is too expansive. In our (KIAE, not RELCOM)
case, PIX can't work on the trunk (ISL), can't work by the ATM, and so
on...

On the other hand, if wee need next level firewall, it should be context
level firewall, which work as proxy and prevent mail bombs, macro viruses,
.EXE trojans ets. AS I know, PIX can't do it.

And we have not _soft_ firewall features which can protect against the
scattered scanning, simple intrusions etc withouth (almost) complex
configuration and access restriction for the internal users...


Date: Tue, 19 Oct 1999 13:08:49 -0700
From: Glen Shok <gshok () cisco com>
To: Alex P. Rudnev <alex () Relcom EU net>, Robert E. Seastrom <rs () seastrom com>
Cc: Alex "Mr. Worf" Yuriev <alex () netaxs com>,

     Rubens Kuhl Jr. <rkuhljr () uol com br>, nanog () merit edu,
     Stephen Sprunk <ssprunk () cisco com>, rs () valhalla seastrom com

Subject: Re: FW: your mail

Guess I am a little late in replying...

Where do you guys get your rumors about hardware???
Anyway...

The FW feature set on the 7500 is just another layer of protection and shouldn't be compared to the
performance of, say, using a PIX in front of your Internet Connection(s).

Glen

The preceding information is provided by "Glen" and not by "Cisco Systems", blah blah blah...insert legal stuff 
here....


At 03:15 PM 9/27/1999 +0400, Alex P. Rudnev wrote:


Folks, why all you are saying about the Gigabit traffic for the firewall?

Usially, firewall stand between intranet and internet, and it should 
proceed your upstream traffic, not more... And than, it's important to 
measure the throughput in packets/per_second, not in the gigabits...

Everything other is true - I suggess no one good firewall can proceed 
gigabit traffic at all, and only a few specially designed boxes can 
proceed 100Mbit traffic. But just again - it's a rare case when you does 
have 100Mbit upstream link.

Alex.

On 25 Sep 1999, Robert E. Seastrom wrote:


Date: 25 Sep 1999 21:26:59 -0400
From: Robert E. Seastrom <rs () seastrom com>
To: "Alex \"Mr. Worf\" Yuriev" <alex () netaxs com>
Cc: "Rubens Kuhl Jr." <rkuhljr () uol com br>, nanog () merit edu,
    Stephen Sprunk <ssprunk () cisco com>, rs () valhalla seastrom com
Subject: Re: FW: your mail




I have listened to their seminar about this... As the simple L5 firewall
it's not bad, through it realise the fixed set of ruls and defends your
from the simple SMTP attacks only. But anyway, IOS FW is just what 90% of
the customers need...


How would IOS FW perform on Cisco 7x00-class equipment with 100M-to-Gigabit
traffic ?


Umm... Very poorly.


At the low end it's acceptable.  Gigabit traffic sucks on 7500 series
routers even without any kind of filtering.

The 7000-series routers, if they have an SSE, will do standard and
extended access lists in the switch engine.  Now, given the
limitations of CX-FEIP-2TX boards (the only faste boards that will
work in a non-RSP 7000), you are lucky to get 70 mbit/sec through
that.  If you have fddi, you can get most of the way to 100 mbit/sec
one way (the CX-FIP cards, which are the only FDDIs that work in a
7000, won't do full-duplex).

The 7500-series routers, you really want to get a VIP2-50 rather than
a 2-40 or lower if you're going to be doing filtering on the linecard.
You can load the fast ethernets up just fine there.

400 mbit/sec seems to be the upper limit of the currently shipping
generation of gigE cards for the 7500 series.

Hope this helps (and standing by for corrections from the #cisco IRC mafia...)

                                        ---Rob





Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 230-41-41, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)






-------------------------------------------------------------------------------------------
Glen Shok                               Phone: 1.650.404.3594            
Systems Engineer                       Cell: 1.415.215.7279
NSP Norcal Operation               Pager: 1.800.365.4578

Jack thought it twice, and thought that that that made it true.




Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 230-41-41, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
Previous By Date Next
Previous By Thread Next

Current thread: