I have listened to their seminar about this... As the simple L5 firewall it's not bad, through it realise the fixed set of ruls and defends your from the simple SMTP attacks only. But anyway, IOS FW is just what 90% of the customers need...
How would IOS FW perform on Cisco 7x00-class equipment with 100M-to-Gigabit traffic ?
Umm... Very poorly.
At the low end it's acceptable. Gigabit traffic sucks on 7500 series routers even without any kind of filtering. The 7000-series routers, if they have an SSE, will do standard and extended access lists in the switch engine. Now, given the limitations of CX-FEIP-2TX boards (the only faste boards that will work in a non-RSP 7000), you are lucky to get 70 mbit/sec through that. If you have fddi, you can get most of the way to 100 mbit/sec one way (the CX-FIP cards, which are the only FDDIs that work in a 7000, won't do full-duplex). The 7500-series routers, you really want to get a VIP2-50 rather than a 2-40 or lower if you're going to be doing filtering on the linecard. You can load the fast ethernets up just fine there. 400 mbit/sec seems to be the upper limit of the currently shipping generation of gigE cards for the 7500 series. Hope this helps (and standing by for corrections from the #cisco IRC mafia...) ---Rob
On 25 Sep 1999, Robert E. Seastrom wrote:
400 mbit/sec seems to be the upper limit of the currently shipping generation of gigE cards for the 7500 series.
<scratching head> 400 mbit != 1 gigabit I guess the marketing department wins again.... /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ Patrick Greenwell "This is our time. It will not come again." \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
On Sat, 25 Sep 1999, Patrick Greenwell wrote: Robert E. Seastrom wrote: RS> 400 mbit/sec seems to be the upper limit of the currently shipping RS> generation of gigE cards for the 7500 series. PG> <scratching head> PG> 400 mbit != 1 gigabit PG> I guess the marketing department wins again.... Calculate the VIP2 PCI bus bandwidth on a 7500. All this means in this context is that this implementation is interoperable with other GIG-E implementations (for some definition of implementation, see CLNS large MTU and jumbo frame issues). The card is limited by the PCI bus. It is still a gig-E board, it just can't go wirespeed. /vijay
Folks, why all you are saying about the Gigabit traffic for the firewall? Usially, firewall stand between intranet and internet, and it should proceed your upstream traffic, not more... And than, it's important to measure the throughput in packets/per_second, not in the gigabits... Everything other is true - I suggess no one good firewall can proceed gigabit traffic at all, and only a few specially designed boxes can proceed 100Mbit traffic. But just again - it's a rare case when you does have 100Mbit upstream link. Alex. On 25 Sep 1999, Robert E. Seastrom wrote:
Date: 25 Sep 1999 21:26:59 -0400 From: Robert E. Seastrom <rs@seastrom.com> To: "Alex \"Mr. Worf\" Yuriev" <alex@netaxs.com> Cc: "Rubens Kuhl Jr." <rkuhljr@uol.com.br>, nanog@merit.edu, Stephen Sprunk <ssprunk@cisco.com>, rs@valhalla.seastrom.com Subject: Re: FW: your mail
I have listened to their seminar about this... As the simple L5 firewall it's not bad, through it realise the fixed set of ruls and defends your from the simple SMTP attacks only. But anyway, IOS FW is just what 90% of the customers need...
How would IOS FW perform on Cisco 7x00-class equipment with 100M-to-Gigabit traffic ?
Umm... Very poorly.
At the low end it's acceptable. Gigabit traffic sucks on 7500 series routers even without any kind of filtering.
The 7000-series routers, if they have an SSE, will do standard and extended access lists in the switch engine. Now, given the limitations of CX-FEIP-2TX boards (the only faste boards that will work in a non-RSP 7000), you are lucky to get 70 mbit/sec through that. If you have fddi, you can get most of the way to 100 mbit/sec one way (the CX-FIP cards, which are the only FDDIs that work in a 7000, won't do full-duplex).
The 7500-series routers, you really want to get a VIP2-50 rather than a 2-40 or lower if you're going to be doing filtering on the linecard. You can load the fast ethernets up just fine there.
400 mbit/sec seems to be the upper limit of the currently shipping generation of gigE cards for the 7500 series.
Hope this helps (and standing by for corrections from the #cisco IRC mafia...)
---Rob
Aleksei Roudnev, Network Operations Center, Relcom, Moscow (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 230-41-41, N 13729 (pager) (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
Alex Rudnev observed,
Folks, why all you are saying about the Gigabit traffic for the firewall?
Usially, firewall stand between intranet and internet, and it should proceed your upstream traffic, not more... And than, it's important to measure the throughput in packets/per_second, not in the gigabits...
Everything other is true - I suggess no one good firewall can proceed gigabit traffic at all, and only a few specially designed boxes can proceed 100Mbit traffic. But just again - it's a rare case when you does have 100Mbit upstream link.
All good points. Something else to consider: with increasing cryptographic security requirements, the "firewall" (ambiguous term as it is, but let's think of it as a stateful packet screen -- the major approach at high speed) is not the only device between you and the outside. It's worth thinking of: Bastion hosts -- not trusted with crypto keys Security gateways -- trusted to do encryption IPsec gateways SSL/TLS proxies Conduits with access lists -- for host-to-host encryption, where the firewall wouldn't add value There is also the very murky area where logging and intrusion detection mix, and whether they can operate at these speeds/
Perfectly... On Mon, 27 Sep 1999, Howard C. Berkowitz wrote:
Date: Mon, 27 Sep 1999 08:27:27 -0400 From: Howard C. Berkowitz <hcb@clark.net> To: nanog@merit.edu Subject: "firewalls" at high speed -- was Re: FW: your mail
...
All good points. Something else to consider: with increasing cryptographic security requirements, the "firewall" (ambiguous term as it is, but let's think of it as a stateful packet screen -- the major approach at high speed) is not the only device between you and the outside. It's worth thinking of:
Bastion hosts -- not trusted with crypto keys Security gateways -- trusted to do encryption IPsec gateways SSL/TLS proxies Conduits with access lists -- for host-to-host encryption, where the firewall wouldn't add value
There is also the very murky area where logging and intrusion detection mix, and whether they can operate at these speeds/
Aleksei Roudnev, Network Operations Center, Relcom, Moscow (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 230-41-41, N 13729 (pager) (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
participants (5)
-
Alex P. Rudnev
-
Howard C. Berkowitz
-
Patrick Greenwell
-
rs@seastrom.com
-
Vijay Gill