If you set up your acl to monitor just telnet traffic, then I would not worry about performance drop. If you are going to inspect every (or lots of) tcp/udp packets, then I would.
Remember in cbac, if you apply on external interface, you have to deny everything you want inspected. But if you apply acl on internal interface then permit what you want inspected. Also, icmp cannot be inspected thru cbac.

-Keyur Shah-
CCIE# 4799 (Security; Routing and Switching)
CSS1,CCNA,CCDA,SCSA,SCNA,MCT,MCSE,MCP+I,MCP,CNI,MCNE,CNE,CNA
Hello Computers
"Say Hello to Your Future!"
http://www.hellocomputers.com
Toll-Free: 1.877.794.3556
International: 1.510.795.6815
Europe: +(44)20 7900 3011
Fax: 1.510.291.2250

-----Original Message-----
From: Wright, Jeremy [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 19, 2001 2:14 PM
To: 'Keyur Shah'; [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'
Subject: RE: CBAC Performance Issues [7:23573]

Well, we have a 1000 or so devices and there are a lot of internal telnet sessions going all day... I was thinking about using CBAC on other protocols besides telnet on the internal interfaces and use the extra security features like DOS prevention etc. Was thinking about monitoring telnet and all other connections on the external interfaces.

-----Original Message-----
From: Keyur Shah [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 19, 2001 4:00 PM
To: [EMAIL PROTECTED]
Subject: RE: CBAC Performance Issues [7:23573]

What kind of traffic are you talking about, Jeremy? Few megs or 10s or 100s of mbps?

-Keyur Shah-

-----Original Message-----
From: Wright, Jeremy [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 19, 2001 1:46 PM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: CBAC Performance Issues

What type of network degradation (if any) should I expect if I implement CBAC? I've read CCO but I would like some real world answers.
Thanks for any

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=23576&t=23573