Firewall Wizards mailing list archives

Re: Cisco 2621 opinions
From: Brian Ford <brford () cisco com>
Date: Tue, 16 Jul 2002 13:29:15 -0400

Patrick,

I would disagree with your assessment of an "extensive rule set". The IOS Firewall is completely Stateful for TCP; builds state for UDP connections; offers all the IOS ACLs (Standard, Extended, Reflexive, Dynamic and Time of Day); as well as ICMP filtering. You have extensive IOS Syslog capabilities. You have access to all the IOS QOS mechanisms. If you are reasonable in your use of the state mechanisms you can usually achieve (at least a little) better performance. So you balance the use of traditional ACLs and IP audit capability.

I've found that 3 Mbps throughput is usually fine considering that's using a router between a T-1 line and an Ethernet network. No?

If you had multiple serial connections coming in or if this were an Ethernet to Ethernet connection you could look at the 2651 or the 3600s.

Liberty for All,

Brian

At 12:00 PM 7/16/2002 -0400, you wrote:
Date: Mon, 15 Jul 2002 11:12:47 -0400 (EDT)
From: Patrick Darden <darden () armc org>
To: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Cisco 2621 opinions


Joe,

The 2621 series can handle, in fast-switching mode, 25kpps.  If simple
packet filtering is in place, half that.  If you are using IPFW IOS then
half that.  If you are using extensive rule sets, then half that.

Let's say you get about 6kpps.  A standard packet is 64 bytes, so
6000X64==384KBps.  This is equivalent to 3mbps.  Not even ethernet speed.
And this is without an extensive rule set.

Even with no filtering, max routing in fast-switching mode is about
12mbps.  With CBAC and extensive lists, this could go down to 1.5mbps.

ymmv.

--
--Patrick Darden                Internetworking Manager
--                              706.475.3312    darden () armc org
--                              Athens Regional Medical Center
