ACLs vs. full firewalls

Justin M. Streiner streiner at
Tue Apr 7 15:44:45 CDT 2009

On Tue, 7 Apr 2009, Michael Helmeste wrote:

>  Current security requirements are only based on TCP and non-stateful
> UDP src/dst net/port filtering, and so my suggestion was to use ACLs
> applied on the routed interface of each VLAN. There was some talk of
> using another software based firewall or a Cisco FWSM card to filter
> traffic at the border, mostly for management concerns. We expect full 1
> gig traffic levels today, and 10 gig traffic levels in the future.

The FWSM can handle 1 Gb/s but not 10.  The connection between the FWSM 
and the backplane is a 6x1 Gig Etherchannel, and the published max 
throughput is about 5.5 Gb/s, but I've never stressed one to more than 
about 35% of that in a production environment.

The only Cisco firewalls that I'm aware of today that are rated to 10 Gb/s 
or more are the ASA 5580-20 and 5580-40, but how suitable they'd be for 
you depends very much on your design goals, including how complex your 
firewall rules and service policies will be.  You might also be able 
to shoe-horn an ASR into this role.  Other considerations include 
functional support for IPv6, long term support strategy/development 
roadmap, whether you need to support VPN traffic directly on your 
firewall, etc...  Cisco seems to be moving away from IPSEC for remote 
access VPNs and pushing people toward SSL.

There are some other interesting offerings from Juniper/Netscreen, Palo 
Alto, and others, unless you're specifically married to Cisco gear.

>  I view ACLs as being a cheap, easy to administrate solution that
> scales with upgrades to new interface line speeds, where a full stateful
> firewall isn't necessary. However, I wanted to get other opinions of
> what packet filtering solutions people use in the border and in the
> core, and why.

ACLs can be used as part of a 'defense in depth' strategy, though if you 
need stateful filtering, their utility might be somewhat limited.  If 
there is traffic that you know you don't care about, you can block it with 
an ACL and save the resources on your firewall.  Just remember that those 
same ACLs can complicate your troubleshooting efforts when something does 
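The trade-off discussed above (stateless src/dst net/port ACLs versus a stateful firewall) can be made concrete with a small simulation. The following is an added example, not code from the thread or from any vendor: it models an inbound border ACL as a first-match rule list with an implicit deny, and a stateful filter as the same thing plus a flow table populated by outbound traffic. The addresses, the 10.1.0.0/16 inside network and the sample packets are all constructed, and the flow tracker is deliberately simplified (a single outbound packet creates state; no TCP handshake or timeout tracking).

```python
"""Stateless ACL vs. stateful filter: constructed toy simulation (not vendor code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE = "10.1.0.0/16"          # constructed: the site's internal VLANs
EPHEMERAL = range(1024, 65536)  # client-side source ports a reply must come back to


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK flag, what an "established" style ACE keys on


@dataclass(frozen=True)
class Rule:
    """One access-control entry, evaluated in order, first match wins."""
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "any"
    src: str                       # CIDR
    dst: str                       # CIDR
    sport: Optional[range] = None  # None means any
    dport: Optional[range] = None  # None means any
    established: bool = False      # match only TCP segments with ACK set

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("any", p.proto):
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and p.sport not in self.sport:
            return False
        if self.dport is not None and p.dport not in self.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def acl_decision(rules, p: Packet) -> str:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Stateless inbound ACL on the border. Because it cannot remember which DNS
# queries left, it has to permit udp/53 -> inside ephemeral ports from ANY source.
INBOUND_ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", INSIDE, established=True),
    Rule("permit", "udp", "0.0.0.0/0", INSIDE, sport=range(53, 54), dport=EPHEMERAL),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"),
]


class StatefulFilter:
    """Outbound packets create flow state; an inbound packet is permitted only if
    it is the exact reverse of a tracked flow, otherwise it hits the static rules."""

    def __init__(self, inbound_rules):
        self.inbound_rules = inbound_rules
        self.flows = set()

    def outbound(self, p: Packet) -> str:
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return "permit"

    def inbound(self, p: Packet) -> str:
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.flows:
            return "permit"
        return acl_decision(self.inbound_rules, p)


# With state, the inbound rule set needs no return-traffic hole at all.
STATEFUL_INBOUND_RULES = [Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0")]


def compare(packets):
    """Return (stateless ACL verdict, stateful verdict) for each inbound packet."""
    sf = StatefulFilter(STATEFUL_INBOUND_RULES)
    results = []
    for direction, p in packets:
        if direction == "out":
            sf.outbound(p)      # an inbound interface ACL never sees this packet
            continue
        results.append((acl_decision(INBOUND_ACL, p), sf.inbound(p)))
    return results


# Constructed traffic: one real DNS exchange, then two unsolicited inbound packets.
SAMPLE = [
    ("out", Packet("udp", "10.1.5.20", 40001, "192.0.2.53", 53)),
    ("in",  Packet("udp", "192.0.2.53", 53, "10.1.5.20", 40001)),            # genuine reply
    ("in",  Packet("udp", "198.51.100.9", 53, "10.1.7.8", 5060)),            # unsolicited, sport 53
    ("in",  Packet("tcp", "198.51.100.9", 443, "10.1.7.8", 3389, ack=True)),  # bare ACK, no session
]

if __name__ == "__main__":
    for (direction, p), verdicts in zip([x for x in SAMPLE if x[0] == "in"], compare(SAMPLE)):
        print(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  acl={verdicts[0]} stateful={verdicts[1]}")
```

Running it shows the stateless ACL permitting all three inbound packets, while the stateful filter admits only the genuine reply. That is exactly the gap the post describes: a src/dst net/port ACL is cheap and line-rate, and fine for traffic you already know you do not want, but any return-traffic allowance it needs for UDP (or an `established` ACE for TCP) is also an allowance for unsolicited packets that merely look like replies.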