RE: [fw-wiz] Comparisons between Router ACLs and Firewalls
From: Bill James (bubbagates_at_comcast.net)
To: "'Marcus J. Ranum'" <firstname.lastname@example.org>, "'David Pick'" <email@example.com> Date: Sat, 3 Jan 2004 17:53:22 -0500
> -----Original Message-----
> From: Marcus J. Ranum [mailto:firstname.lastname@example.org]
> Sent: Saturday, January 03, 2004 5:42 PM
> To: Bill James; 'David Pick'
> Cc: email@example.com
> Subject: RE: [fw-wiz] Comparisons between Router ACLs and Firewalls
> Bill James wrote:
> >The problem with using ACL's is the load they can add to a
> router. Most
> >of Cisco's newer IOS' have IP Inspection and do OK but can add a
> >tremendous load on the router.
> I've never found any good studies of ACL performance. Do you
> have any references you can point us to?
this is based on experience over the years and having clients wanting to
run IP Inspect and ACL on the same 1720 router with 8mb flash and 32mb
ram and a high volume link...On this particular site NAT is running,
there are about 20 full-time PPTP users passing through to a MS server
and approx. 15 permits in the ACL's with the customary deny all at the
On a typical day this router runs at 50 to 75 percent processor...(I
know....I have explained to the customer the need to upgrade the router)
I have even seen 2621's and 3600's get overloaded but the traffic was
very high at the time...virus's were mainly the cause in all cases
In any case I have seen with a PIX or IPTables, traffic did slow during
virus and DDOS attacks but traffic still got through
I wish I had some good studies for the sake of argument
The objective of all dedicated employees should be to thoroughly analyze
all situations, anticipate all problems prior to their occurrence, have
answers for these problems, and move swiftly to solve these problems
when called upon.
However, When you are up to your ass in alligators it is difficult to
remind yourself your initial objective was to drain the swamp.
firewall-wizards mailing list