David Conran asks: is a Cisco 3101 suitable as a Firewall?
Personal experience (confirmed by other notes I've seen on the net)
tells me that setting *any* access list slows down routing considerably.
(due to disabling of fast-switching.) However, the *length* of the
access list does not affect performance that much more.
The typical performance hit I've seen quoted is in the range of 20-30%.
IP accounting has a similar effect, in that it causes all packets to be
process switched.
I think the answer is 'your mileage will vary.' If you have any doubt
at all then I recommend going for the 4000, which I suspect will have a
longer product lifetime. (again only rumours.... but look what happened
to the 2000, and there's a new 2500 which must make the 3000 look a bit
under-powered.) Our firewall will be based on 4000s.
One feature to look at is in the 9.21(2) release notes, which says that
it is now possible to use an "Inbound access list. You can now apply access
lists on inbound interfaces" (for IP)
This comes untested, but may significantly simplify your lists; as noted
in several previous postings to this list comparing e.g. Network Systems
& Cisco.
my 0.02DM worth (which is getting less all the time ;-)
I wish you all happy holidays!
rhunter@esoc.esa.de rhunter@esoc.bitnet
______________________RHUNTER@ESOC.BITNET________________________
Ray Hunter: Cray Systems on contract to the European Space Agency
Tel. +49 6151 902953 FAX.+49 6151 902908
Room B107, ESOC, Robert Bosch Strasse 5, 64293 DARMSTADT, Germany