
nanog mailing list archives
RE: ACLs vs. full firewalls
From: "Crooks, Sam" <Sam.Crooks () experian com>
Date: Tue, 7 Apr 2009 16:38:49 -0500
Beware of using ACL filtering on 6500s with many VLANs (100+) and long ACLs (hundred+ lines)... You'll soon find out more than you ever wanted to know about TCAM, the different TCAM types used in various sups, and what limitations TCAM imposes on processing ACLs in hardware...

Sam Crooks

-----Original Message-----
From: Michael Helmeste [mailto:mhelmest () uvic ca]
Sent: Tuesday, April 07, 2009 3:06 PM
To: nanog () nanog org
Subject: ACLs vs. full firewalls

Hi all,

One of the duties of my current place of employ is reorganizing the network. We have a few Catalyst 6500 series L3 switches, but currently do all packet filtering (and some routing) using a software-based firewall. Don't ask me, I didn't design it :)

Current security requirements are only based on TCP and non-stateful UDP src/dst net/port filtering, and so my suggestion was to use ACLs applied on the routed interface of each VLAN. There was some talk of using another software-based firewall or a Cisco FWSM card to filter traffic at the border, mostly for management concerns. We expect full 1 gig traffic levels today, and 10 gig traffic levels in the future.

I view ACLs as being a cheap, easy-to-administrate solution that scales with upgrades to new interface line speeds, where a full stateful firewall isn't necessary. However, I wanted to get other opinions on what packet filtering solutions people use in the border and in the core, and why.

What's out there, and why do you guys use it? How do you feel about the scalability, performance, security, and manageability of your solution? What kind of traffic levels do you put through it?
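The two points in this exchange, that a stateless ACL can only approximate "return traffic" with an established/port rule and that every ACE applied per VLAN interface eats into a finite hardware (TCAM) budget, are easier to see with a small model. The following is an added example written for this archive page, not code from either poster or from Cisco. It implements first-match ACL evaluation with an implicit deny, using constructed documentation-range addresses and a hypothetical per-interface ACE limit; the one-entry-per-ACE-per-interface count is a simplifying assumption, since real supervisor engines expand ranges and share entries differently.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    """One access-control entry: stateless src/dst network and port match."""
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "ip" (any protocol)
    src: IPv4Net
    dst: IPv4Net
    sport: Optional[int] = None    # None means any source port
    dport: Optional[int] = None    # None means any destination port
    established: bool = False      # TCP only: match packets with ACK/RST set


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    sport: int
    dport: int
    ack: bool = False              # TCP ACK or RST flag present


def pkt(proto: str, src: str, dst: str, sport: int, dport: int, ack: bool = False) -> Packet:
    """Convenience constructor for packets built from string addresses."""
    return Packet(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), sport, dport, ack)


def matches(ace: Ace, p: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != p.proto:
        return False
    if p.src not in ace.src or p.dst not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != p.sport:
        return False
    if ace.dport is not None and ace.dport != p.dport:
        return False
    # "established" has no connection table behind it: it only looks at flags,
    # so any packet with ACK/RST set from a permitted source will pass.
    if ace.established and not p.ack:
        return False
    return True


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First-match semantics with an implicit deny at the end of the list."""
    for ace in acl:
        if matches(ace, p):
            return ace.action
    return "deny"


def ace_budget(acls_by_vlan: Dict[str, List[Ace]], per_interface_limit: int) -> Tuple[int, List[str]]:
    """Return (total ACEs applied across all VLAN interfaces, VLANs over the limit).
    Assumption for illustration: one hardware entry per ACE per interface."""
    total = sum(len(acl) for acl in acls_by_vlan.values())
    over = sorted(v for v, acl in acls_by_vlan.items() if len(acl) > per_interface_limit)
    return total, over


# Constructed sample policy for traffic destined to a server VLAN (addresses are
# documentation ranges, not from the thread).
ANY = ipaddress.ip_network("0.0.0.0/0")
SERVERS = ipaddress.ip_network("10.1.10.0/24")
DNS_RESOLVER = ipaddress.ip_network("198.51.100.7/32")

SERVER_VLAN_ACL: List[Ace] = [
    Ace("permit", "tcp", ANY, SERVERS, dport=443),              # inbound HTTPS
    Ace("permit", "tcp", ANY, SERVERS, established=True),       # replies to server-initiated TCP
    Ace("permit", "udp", DNS_RESOLVER, SERVERS, sport=53),      # stateless UDP: replies must be listed
    Ace("deny", "ip", ANY, ANY),                                # explicit deny for counting/logging
]

if __name__ == "__main__":
    samples = [
        pkt("tcp", "192.0.2.10", "10.1.10.5", 50000, 443),          # new HTTPS connection
        pkt("tcp", "192.0.2.10", "10.1.10.5", 50000, 22),           # SSH from outside: denied
        pkt("tcp", "203.0.113.9", "10.1.10.5", 80, 40000, ack=True),  # reply to server's outbound HTTP
        pkt("tcp", "203.0.113.9", "10.1.10.5", 80, 40000),          # bare SYN to a high port: denied
        pkt("udp", "198.51.100.7", "10.1.10.5", 53, 33000),         # DNS reply
    ]
    for p in samples:
        print(p.proto, p.src, p.sport, "->", p.dst, p.dport, "ack" if p.ack else "", evaluate(SERVER_VLAN_ACL, p))
    total, over = ace_budget({"vlan10": SERVER_VLAN_ACL, "vlan20": SERVER_VLAN_ACL * 30}, 100)
    print("ACEs applied:", total, "VLANs over limit:", over)
```

The `established` rule is where the stateless model is weakest: it admits any packet with ACK/RST set toward the server VLAN from any source, whereas a stateful firewall would only admit packets belonging to a connection it has seen. Likewise the UDP reply rule permits anything from the resolver with source port 53. Those are the trade-offs to weigh against the line-rate and TCAM-budget arguments in the thread.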