FW: your mail

Robert E. Seastrom rs at seastrom.com
Sun Sep 26 01:26:59 UTC 1999


> > > I have listened to their seminar about this... As the simple L5 firewall
> > > it's not bad, though it realises the fixed set of rules and defends you
> > > from the simple SMTP attacks only. But anyway, IOS FW is just what 90% of
> > > the customers need...
> > 
> > How would IOS FW perform on Cisco 7x00-class equipment with 100M-to-Gigabit
> > traffic ?
> 
> Umm... Very poorly.

At the low end it's acceptable.  Gigabit traffic sucks on 7500 series
routers even without any kind of filtering.

The 7000-series routers, if they have an SSE, will do standard and
extended access lists in the switch engine.  Now, given the
limitations of CX-FEIP-2TX boards (the only faste boards that will
work in a non-RSP 7000), you are lucky to get 70 mbit/sec through
that.  If you have fddi, you can get most of the way to 100 mbit/sec
one way (the CX-FIP cards, which are the only FDDIs that work in a
7000, won't do full-duplex).

The 7500-series routers, you really want to get a VIP2-50 rather than
a 2-40 or lower if you're going to be doing filtering on the linecard.
You can load the fast ethernets up just fine there.

400 mbit/sec seems to be the upper limit of the currently shipping
generation of gigE cards for the 7500 series.

Hope this helps (and standing by for corrections from the #cisco IRC mafia...)

                                        ---Rob




