RE: [fw-wiz] Comparisons between Router ACLs and Firewalls
From: Wes Noonan (mailinglists_at_wjnconsulting.com)
To: "'Paul Robertson'" <email@example.com> Date: Sat, 3 Jan 2004 18:36:05 -0600
> -----Original Message-----
> From: firstname.lastname@example.org [mailto:firewall-wizards-
> email@example.com] On Behalf Of Paul Robertson
> Sent: Saturday, January 03, 2004 18:23
> To: Wes Noonan
> Cc: 'Marcus J. Ranum'; 'Bill James'; 'David Pick'; firewall-
> Subject: RE: [fw-wiz] Comparisons between Router ACLs and Firewalls
> On Sat, 3 Jan 2004, Wes Noonan wrote:
> > One of the problems that we had when I was working for a company that
> > network performance management tools was dealing with this exact issue.
> > Because every packet size is variable in most networks (ATM, etc. are
> > obvious exceptions), the impact that many things have on the performance
> > a network device becomes almost impossible to make a general baseline
> > statement about, much to the chagrin of the sales force. This is so true
> > that Cisco (and most other vendors) typically refer to a set 64K packet
> > in the small print on all of their performance metrics, although this is
> Erm, you mean 64 *byte* don't you?
Err... been writing for about 10 hours today... eyes and brain getting
> It already is, so the processing overhead is incremental, that's why Cisco
> did so much work on access lists and ensuring the switching paths were as
> fast as possible even without things like VIP cards. Seriously- adding
> permits first for the bulk of the traffic will keep the router singing.
> I've had to overcome the "can't put filters on that router" thing for
> production routers way too many times- and every single time, when the
> rules were sane, the router's CPU wasn't even measurably impacted. Am I
> beating a dead horse? Sure! Because it'll make it easier if people
> understand that for most routers, IF you do it right, extended access
> lists won't hurt it- if they do, the router's seriously underconfigured
> anyway- the ACLs won't be the real issue.
Oh, I agree completely. It's been my experience that pretty much any time
ACLs caused a problem on the router it was really just a symptom of another
problem, generally having too small a device trying to perform the role.
I.e. wedging a 1720 to service all routing for a few hundred users is the
problem, if you know what I mean.
> You can produce some general numbers and a traffic profile that's "good
> enoough" to measure with. Traffic like multicast, and traffic *to* the
> router will do more to impact performance than stuff you're passing
> through it, since those are process switched (AFAIR) and that's where the
> real hits come from.
Agreed. The problem comes into the question of what is "good enough". Some
folks are overly anal-retentive on this subject.
firewall-wizards mailing list