Re: [fw-wiz] Question on Cisco ASA's... do all the features slow it down?
- From: Carson Gaspar <carson@xxxxxxxxxx>
- Date: Wed, 12 Dec 2007 16:29:13 -0800
John G. wrote:
well, i don't understand really what you mean by the packet sizes and
first match vs. last match. i am more a firewall apprentice than
A vendor says "we support 1 Gb/sec"
Packet sizes (with silly numbers):
If you have 128 MB (1 Gb) packets, the firewall has to process 1 packet
If you have 1 B packets, the firewall has to process 1073741824 packets
Assuming per-packet overhead is non-zero, those a _hugely_ different
numbers. Of course in reality the values vary between 64 and 1500 bytes,
not 1 and 134217728 bytes.
Rule sizes (related to the above):
Matching a single "permit any any" rule takes some (minimal) time.
Matching a 10,000 entry rule set where the "permit" entry that matches
your packets is last takes some, possibly greater, amount of time,
especially if the firewall has a naive linear rule application algorithm.
In general, you find that:
- Firewalls have a packet rate limit caused by their per-packet
processing overhead. In some cases this is related to their ruleset
size. In most cases this is related to the number of existing connections.
- Firewalls have a new session rate limit caused by their connection
setup overhead. This is almost always related to their rule set size,
although there are exceptions - Lucent had O(1) (constant time) ACL
processing on some of their routers, thanks to some fun math from their
- Firewalls have a bit-rate limit caused by hardware platform limits,
but these limits are almost _never_ reached in real life.
firewall-wizards mailing list
- Prev by Date: Re: [fw-wiz] OpenBSD pf users?
- Next by Date: [fw-wiz] Anyone have any informed opinions on the watchguard product line?
- Previous by thread: Re: [fw-wiz] Question on Cisco ASA's... do all the features slow it down?
- Next by thread: [fw-wiz] Cisco Pix 515e ERROR: % Invalid input detected at '^' marker