RE: [fw-wiz] Comparisons between Router ACLs and Firewalls

From: Wes Noonan (
Date: 01/04/04

  • Next message: Timo Proescholdt: "[fw-wiz] netscreen 25 sofaware ipsec interop"
    To: "'Paul Robertson'" <>
    Date: Sat, 3 Jan 2004 18:36:05 -0600


    Wes Noonan

    > -----Original Message-----
    > From: [mailto:firewall-wizards-
    >] On Behalf Of Paul Robertson
    > Sent: Saturday, January 03, 2004 18:23
    > To: Wes Noonan
    > Cc: 'Marcus J. Ranum'; 'Bill James'; 'David Pick'; firewall-
    > Subject: RE: [fw-wiz] Comparisons between Router ACLs and Firewalls
    > On Sat, 3 Jan 2004, Wes Noonan wrote:
    > > One of the problems that we had when I was working for a company that
    > made
    > > network performance management tools was dealing with this exact issue.
    > > Because every packet size is variable in most networks (ATM, etc. are
    > > obvious exceptions), the impact that many things have on the performance
    > of
    > > a network device becomes almost impossible to make a general baseline
    > > statement about, much to the chagrin of the sales force. This is so true
    > > that Cisco (and most other vendors) typically refer to a set 64K packet
    > size
    > > in the small print on all of their performance metrics, although this is
    > Erm, you mean 64 *byte* don't you?

    Err... been writing for about 10 hours today... eyes and brain getting
    tired... :-)
    > It already is, so the processing overhead is incremental, that's why Cisco
    > did so much work on access lists and ensuring the switching paths were as
    > fast as possible even without things like VIP cards. Seriously- adding
    > permits first for the bulk of the traffic will keep the router singing.
    > I've had to overcome the "can't put filters on that router" thing for
    > production routers way too many times- and every single time, when the
    > rules were sane, the router's CPU wasn't even measurably impacted. Am I
    > beating a dead horse? Sure! Because it'll make it easier if people
    > understand that for most routers, IF you do it right, extended access
    > lists won't hurt it- if they do, the router's seriously underconfigured
    > anyway- the ACLs won't be the real issue.

    Oh, I agree completely. It's been my experience that pretty much any time
    ACLs caused a problem on the router it was really just a symptom of another
    problem, generally having too small a device trying to perform the role.
    I.e. wedging a 1720 to service all routing for a few hundred users is the
    problem, if you know what I mean.
    > You can produce some general numbers and a traffic profile that's "good
    > enoough" to measure with. Traffic like multicast, and traffic *to* the
    > router will do more to impact performance than stuff you're passing
    > through it, since those are process switched (AFAIR) and that's where the
    > real hits come from.

    Agreed. The problem comes into the question of what is "good enough". Some
    folks are overly anal-retentive on this subject.

    firewall-wizards mailing list

  • Next message: Timo Proescholdt: "[fw-wiz] netscreen 25 sofaware ipsec interop"