RE: [fw-wiz] Comparisons between Router ACLs and Firewalls

From: Bill James (
Date: 01/03/04

  • Next message: Paul Robertson: "Re: [fw-wiz] port 27015"
    To: "'Marcus J. Ranum'" <>, "'David Pick'" <>
    Date: Sat, 3 Jan 2004 17:53:22 -0500

    > -----Original Message-----
    > From: Marcus J. Ranum []
    > Sent: Saturday, January 03, 2004 5:42 PM
    > To: Bill James; 'David Pick'
    > Cc:
    > Subject: RE: [fw-wiz] Comparisons between Router ACLs and Firewalls
    > Bill James wrote:
    > >The problem with using ACL's is the load they can add to a
    > router. Most
    > >of Cisco's newer IOS' have IP Inspection and do OK but can add a
    > >tremendous load on the router.
    > I've never found any good studies of ACL performance. Do you
    > have any references you can point us to?
    > mjr.

    this is based on experience over the years and having clients wanting to
    run IP Inspect and ACL on the same 1720 router with 8mb flash and 32mb
    ram and a high volume link...On this particular site NAT is running,
    there are about 20 full-time PPTP users passing through to a MS server
    and approx. 15 permits in the ACL's with the customary deny all at the

    On a typical day this router runs at 50 to 75 percent processor...(I
    know....I have explained to the customer the need to upgrade the router)

    I have even seen 2621's and 3600's get overloaded but the traffic was
    very high at the time...virus's were mainly the cause in all cases

    In any case I have seen with a PIX or IPTables, traffic did slow during
    virus and DDOS attacks but traffic still got through

    I wish I had some good studies for the sake of argument

    Bill James

    The objective of all dedicated employees should be to thoroughly analyze
    all situations, anticipate all problems prior to their occurrence, have
    answers for these problems, and move swiftly to solve these problems
    when called upon.

    However, When you are up to your ass in alligators it is difficult to
    remind yourself your initial objective was to drain the swamp.

    firewall-wizards mailing list

  • Next message: Paul Robertson: "Re: [fw-wiz] port 27015"