Great Circle Associates Firewalls
(April 1994)
 


Subject: Re: Cisco 3101 as a firewall
From: Brent Chapman <brent @ mycroft . GreatCircle . COM>
Date: Thu, 31 Mar 1994 17:04:18 -0800
To: Ray Hunter ECD <RHUNTER%ESOC . BITNET @ vm . gmd . de>
Cc: Firewalls @ GreatCircle . COM
In-reply-to: Your message of Thu, 31 Mar 94 14:01:51 EST

Ray Hunter ECD <RHUNTER%ESOC . BITNET @ vm . gmd . de> writes:

# David Conran asks: is a Cisco 3101 suitable as a Firewall?
# 
# Personal experience (confirmed by other notes I've seen on the net)
# tells me that setting *any* access list slows down routing considerably.
# (due to disabling of fast-switching.) However, the *length* of the
# access list does not affect performance that much more.
# The typical performance hit I've seen quoted is in the range of 20-30%

The key question is: does this 20-30% hit matter to your application?
If you're talking about ether-to-ether (or faster, like FDDI or T-3),
and expect heavy loads, then it probably does matter.

However, most firewalls are bottlenecked by a 56 kb/s or 1.544 mb/s
(T-1) leased line connection; even if it takes a 20-30% performance
hit because of packet filtering, I think a Cisco 3000-series router is
still fast enough to drive a 56 kb/s or 1.544 mb/s line at full rated
speed.


-Brent
--
Brent Chapman             | Great Circle Associates  | Call or email for info about
Brent @ GreatCircle . COM | 1057 West Dana Street    | upcoming Internet Security
+1 415 962 0841           | Mountain View, CA  94041 | Firewalls Tutorial dates
