"(3) I wanted to set up what I described in my original message, with the firewall performing only stateful inspection functions, and allowing the router to perform packet switching functions without interference from the firewall once the session is operating."

By definition "stateful" inspection requires the firewall to see all the packets... to verify that they are indeed part of an agreed connection etc... So scenario 3 is a nonsense.

If you could offload the connection once it was set up (in a sort of MLS style way) - it would no longer be stateful inspection, as the "packet forwarder" is no longer verifying the "state" at all.

The 7200 can do stateful inspection (via CBAC / Firewall IOS) but you'd need to give more info about the Processor (NPE), Throughput (inc. Pkt sizes, protocols etc) and any other features you have running for a view on whether it would cope. (And that would only be an opinion then.)

Dean

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sridhar Ayengar
Sent: 24 March 2008 19:12
To: Fred Reimer
Cc: Cisco NSPs
Subject: Re: [c-nsp] External Firewall

Fred Reimer wrote:
> Why, exactly? Performance of the firewall?

Yes.

I have two identical networks set up for one company in two different locations. One has a Cisco router (said 7200) talking upstream to a big WAN pipe and downstream to two gigabit ethernet networks. The second location has the same WAN and LAN configuration, WAN line distance and quality measurement numbers, etc. The only difference is that it is a BSD PC.

The Cisco performs noticeably and measurably better in latency and throughput. Neither is running firewall code. Now, the BSD PC has gobs more processor horsepower, memory- and bus-bandwidth. Why should the Cisco outperform it?

To find out, I wanted to set up a selection of scenarios in the lab.

(1) I wanted to try setting up the firewall between the "internal" gigabit network and the 7200.

(2) I then wanted to set up the firewall between the WAN interface and the router to see how that performs.

(3) I wanted to set up what I described in my original message, with the firewall performing only stateful inspection functions, and allowing the router to perform packet switching functions without interference from the firewall once the session is operating.

As far as I can see, the advantage of (1) is that traffic heading to the "external" gigabit LAN wouldn't come across the firewall PC. However, the disadvantage would be that traffic between the two LANs would have to pass through it. That might be unacceptable.

The advantage of (2) might be that traffic between the "internal" and "external" LANs wouldn't come near the firewall PC. Also, the WAN pipe may not require the throughput advantage of the Cisco. (It may indeed, but it might not be as sensitive.) However, this does add a couple dozen ms to the latency of the upstream connection.

As far as I can tell, (3) would be the best of both worlds, but I, for the life of me, can't figure out if there's a way to set a network up like that.

Any ideas?

Peace... Sridhar

_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
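Dean's point about scenario (3), as an added example that is not code from the thread or from any Cisco or BSD firewall: a toy TCP flow tracker next to an "offload once established" forwarder, showing that the offloaded path stops checking (and updating) state, so packets arriving after a teardown are still forwarded. It assumes a single flow and the convention "out" = internal LAN towards WAN, "in" = WAN towards LAN.

```python
# Added example (not from the thread): a toy TCP flow tracker beside an
# "offload once established" forwarder (scenario 3). Assumed convention:
# "out" = internal LAN towards WAN, "in" = WAN towards LAN.

NEW, SYN_SENT, SYN_RECV, ESTABLISHED, CLOSED = "new", "syn_sent", "syn_recv", "est", "closed"

# Legal handshake transitions: (state, direction, flags) -> next state.
HANDSHAKE = {
    (NEW, "out", frozenset({"SYN"})): SYN_SENT,
    (SYN_SENT, "in", frozenset({"SYN", "ACK"})): SYN_RECV,
    (SYN_RECV, "out", frozenset({"ACK"})): ESTABLISHED,
}

class StatefulInspector:
    """Sees every packet and forwards only what fits the flow's current state."""
    def __init__(self):
        self.state = NEW

    def process(self, direction, flags):
        """Return True if forwarded, False if dropped; updates the flow state."""
        flags = frozenset(flags)
        if self.state == ESTABLISHED:
            if "SYN" in flags:              # fresh SYN on a live flow: out of state
                return False
            if flags & {"FIN", "RST"}:      # teardown: later packets no longer belong
                self.state = CLOSED
            return True
        nxt = HANDSHAKE.get((self.state, direction, flags))
        if nxt is None:                     # unsolicited inbound SYN, stray ACK, ...
            return False
        self.state = nxt
        return True

class OffloadedForwarder:
    """Scenario (3): firewall handles the handshake; afterwards the router
    forwards anything matching the flow without consulting it again."""
    def __init__(self):
        self.inspector = StatefulInspector()

    def process(self, direction, flags):
        if self.inspector.state == ESTABLISHED:
            return True                     # fast path: no state check, no state update
        return self.inspector.process(direction, flags)

def run(path, packets):                     # per-packet verdicts for one forwarding path
    return [path.process(d, f) for d, f in packets]

# Constructed trace: handshake, a data segment each way, RST from the peer, then two stray packets.
TRACE = [("out", {"SYN"}), ("in", {"SYN", "ACK"}), ("out", {"ACK"}),
         ("in", {"ACK"}), ("in", {"RST"}), ("in", {"ACK"}), ("in", {"SYN"})]
```

The full inspector drops the two packets after the RST; the offloaded path forwards them, while both still refuse an unsolicited inbound SYN that never completed a handshake.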
