Eric Appelboom wrote:
> I am looking at complementing our FW-1's with switches installed with 
> the Cisco IOS firewall feature set.
> 
> Has anyone used the IOS firewall in production and can give advice?
>

We have had it in production at a handful of sites for several years. It has 
been generally problem-free.

> Are there any performance comparisons?
>
I'm not sure how to scale this to a 6500, but we ran IOSFW with CBAC on a 2501 
connected to a single T1. The router CPU utilization scaled linearly with T1 
utilization, so when the circuit hit 100%, so did the router CPU. It ran that 
way for a year or so before we replaced it with a 3640.

I don't think that CBAC itself adds much to the processor load, but because CBAC 
works by adding an ACL entry for every TCP/UDP session, the ACL can grow to be 
quite long. We had a site decide to teach their students how to port scan. Each 
student lit off their own nmap session & pointed it at a remote site. That 
created enough ACL entries to overload a 2600.

-- Mike

-----------------------------------------
Michael Janke
Minnesota State Colleges and Universities

--------From real Server 7.0 startup------
Starting RealServer 7.0 Core...
Loading RealServer License Files...
Detecting Number of CPUs...
    Testing 1 CPU(s): 1 CPU Detected, Phew...

-----------------------------------------


_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
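
The ACL growth described in the reply above can be modelled with a short simulation. This is an added example, not part of the original message and not Cisco's implementation: the scan rate, the 30-second half-open timeout and the 500/400 high/low thresholds are assumed values, and the oldest-first trimming is a simplification.

```python
from collections import deque

def scan_state_growth(scanners, probes_per_sec, duration_s,
                      synwait_s=30, high=None, low=None):
    """Model the per-session entries a stateful inspector holds during a scan.

    Each probe to a new (host, port) pair creates one temporary entry that
    lives for synwait_s seconds, because the probe never completes a
    handshake. If high/low are set, then whenever the table grows past
    `high` the oldest entries are deleted until it is back down to `low`.
    Returns (peak_entries, entries_deleted_early).
    """
    table = deque()      # expiry time of each live entry, oldest first
    peak = deleted = 0
    for t in range(duration_s):
        # Age out entries whose half-open timeout has passed.
        while table and table[0] <= t:
            table.popleft()
        # Every scanner opens probes_per_sec new sessions this second.
        for _ in range(scanners * probes_per_sec):
            table.append(t + synwait_s)
            if high is not None and len(table) > high:
                while len(table) > low:
                    table.popleft()
                    deleted += 1
            peak = max(peak, len(table))
    return peak, deleted

# Constructed scenario: a classroom of 25 scanners, 50 probes/s each.
CLASSROOM = dict(scanners=25, probes_per_sec=50, duration_s=120)

def unbounded():
    """No threshold: entries pile up until the timeout starts clearing them."""
    return scan_state_growth(**CLASSROOM)

def bounded():
    """Assumed high/low thresholds of 500/400 half-open entries."""
    return scan_state_growth(**CLASSROOM, high=500, low=400)

if __name__ == "__main__":
    print("no threshold   peak=%d deleted=%d" % unbounded())
    print("with threshold peak=%d deleted=%d" % bounded())
```

Without a threshold the table settles at scanners × rate × timeout entries, so the timeout matters as much as the scan rate; with one, the table stays bounded at the cost of discarding half-open sessions, legitimate ones included.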
