RE: [fw-wiz] Comparisons between Router ACLs and Firewalls
From: Wes Noonan (mailinglists_at_wjnconsulting.com)
Date: 01/04/04
- Previous message: Bill James: "RE: [fw-wiz] Comparisons between Router ACLs and Firewalls"
- In reply to: Paul Robertson: "RE: [fw-wiz] Comparisons between Router ACLs and Firewalls"
- Next in thread: Bill James: "RE: [fw-wiz] Comparisons between Router ACLs and Firewalls"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Paul Robertson'" <proberts@patriot.net> Date: Sat, 3 Jan 2004 18:36:05 -0600
inline
Wes Noonan
mailinglists@wjnconsulting.com
http://www.wjnconsulting.com
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com [mailto:firewall-wizards-
> admin@honor.icsalabs.com] On Behalf Of Paul Robertson
> Sent: Saturday, January 03, 2004 18:23
> To: Wes Noonan
> Cc: 'Marcus J. Ranum'; 'Bill James'; 'David Pick'; firewall-
> wizards@honor.icsalabs.com
> Subject: RE: [fw-wiz] Comparisons between Router ACLs and Firewalls
>
> On Sat, 3 Jan 2004, Wes Noonan wrote:
>
> > One of the problems that we had when I was working for a company that
> made
> > network performance management tools was dealing with this exact issue.
> > Because every packet size is variable in most networks (ATM, etc. are
> > obvious exceptions), the impact that many things have on the performance
> of
> > a network device becomes almost impossible to make a general baseline
> > statement about, much to the chagrin of the sales force. This is so true
> > that Cisco (and most other vendors) typically refer to a set 64K packet
> size
> > in the small print on all of their performance metrics, although this is
>
> Erm, you mean 64 *byte* don't you?
Err... been writing for about 10 hours today... eyes and brain getting
tired... :-)
> It already is, so the processing overhead is incremental, that's why Cisco
> did so much work on access lists and ensuring the switching paths were as
> fast as possible even without things like VIP cards. Seriously- adding
> permits first for the bulk of the traffic will keep the router singing.
>
> I've had to overcome the "can't put filters on that router" thing for
> production routers way too many times- and every single time, when the
> rules were sane, the router's CPU wasn't even measurably impacted. Am I
> beating a dead horse? Sure! Because it'll make it easier if people
> understand that for most routers, IF you do it right, extended access
> lists won't hurt it- if they do, the router's seriously underconfigured
> anyway- the ACLs won't be the real issue.
Oh, I agree completely. It's been my experience that pretty much any time
ACLs caused a problem on the router it was really just a symptom of another
problem, generally having too small a device trying to perform the role.
I.e. wedging a 1720 to service all routing for a few hundred users is the
problem, if you know what I mean.
> You can produce some general numbers and a traffic profile that's "good
> enoough" to measure with. Traffic like multicast, and traffic *to* the
> router will do more to impact performance than stuff you're passing
> through it, since those are process switched (AFAIR) and that's where the
> real hits come from.
Agreed. The problem comes into the question of what is "good enough". Some
folks are overly anal-retentive on this subject.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Bill James: "RE: [fw-wiz] Comparisons between Router ACLs and Firewalls"
- In reply to: Paul Robertson: "RE: [fw-wiz] Comparisons between Router ACLs and Firewalls"
- Next in thread: Bill James: "RE: [fw-wiz] Comparisons between Router ACLs and Firewalls"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
