<PUN>
Okay, you're onto it -- Ra - Infinity. Cat's out of the bag now. :-)
</PUN>

Anyway, there should be sorting going on automatically because if the OS
hits a general rule before it hits a more specific rule then the specific
rule will never be utilized. That said, specific rules relating to your
DMZ would be rated equally with specific rules relating to inside, and
since you can't have two rules in one slot, there's going to be some sort
of algorithm for deciding what to do with merged rulesets. More research
is in order, but it's probably a simple numeric evaluation, in which a
route to 10.x.x.x would be given precedence over a route to 172.x.x.x.

-- 
Jack Coates, Rainfinity SE
t: 650-962-5301 m: 650-280-4376
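As an added illustration of the specific-to-general lookup discussed in this thread (example code written for this page, not from any poster or from Solaris/FW-1): a longest-prefix-match table in Python over a constructed set of routes with made-up gateway names. It shows that the order in which routes were added does not change which route is chosen, and that two routes of the same prefix length can never both match one destination, so no tie-break between them is needed.

```python
import ipaddress
import random

# Constructed sample routing table (not from the thread). It is listed
# general-before-specific on purpose, to show insertion order is irrelevant.
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "gw-default"),
    ("10.0.0.0/8", "gw-inside"),
    ("172.16.0.0/12", "gw-dmz"),
    ("10.20.0.0/16", "gw-subsidiary-a"),
    ("10.20.30.0/24", "gw-subsidiary-b"),
    ("10.20.30.7/32", "gw-host-nat"),
]


class RouteTable:
    """Longest-prefix-match lookup whose result is independent of insertion order."""

    def __init__(self, routes):
        # One dict per prefix length. A destination address can fall inside at
        # most one network of a given length, so equal-length "ties" cannot occur.
        self._by_len = {}
        for prefix, gw in routes:
            net = ipaddress.ip_network(prefix, strict=True)
            self._by_len.setdefault(net.prefixlen, {})[net] = gw
        self._lengths = sorted(self._by_len, reverse=True)  # /32 first, /0 last

    def lookup(self, dst):
        """Return (matched prefix, gateway) for dst, or None if no route covers it."""
        addr = ipaddress.ip_address(dst)
        for plen in self._lengths:  # most specific length first
            net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
            gw = self._by_len[plen].get(net)
            if gw is not None:
                return str(net), gw  # first hit is the best hit; stop here
        return None


def order_independent(routes, dst, trials=20):
    """True if shuffling the table never changes the route chosen for dst."""
    expected = RouteTable(routes).lookup(dst)
    shuffled = list(routes)
    for _ in range(trials):
        random.shuffle(shuffled)
        if RouteTable(shuffled).lookup(dst) != expected:
            return False
    return True


if __name__ == "__main__":
    table = RouteTable(SAMPLE_ROUTES)
    for dst in ("10.20.30.7", "10.20.30.9", "10.1.1.1", "172.16.5.5", "8.8.8.8"):
        print(dst, "->", table.lookup(dst))
```

Because the kernel picks by prefix length rather than by position, reordering Bill's 200 static routes by usage count would not change forwarding decisions; it would only matter for a naive top-to-bottom scan.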


On Sun, 16 Jul 2000, William J Husler wrote:

> Thanks for the response,
>   Sounds like there is some optimization I hadn't thought of here. Should I
> be looking at the usage count and changing the order in which routes are
> added so that the most frequently added routes are added first? Or does Sun
> go from more specific to more general and sort to break ties, or something
> else that would make this effort fruitless? I realize that you are not a
> Sun God (pardon the pun), but I am posting this also to the list in the
> hopes of finding one.
> Bill
> 
> > From: Jack Coates <[EMAIL PROTECTED]>
> > Date: Sun, 16 Jul 2000 16:43:40 -0700 (PDT)
> > To: William J Husler <[EMAIL PROTECTED]>
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: [FW1] Large number of Static Routes on a Sun box
> > 
> > 
> > I'm not a Sun guru and they do do some goofy things. But the major
> > differences between a big Sun and a big Cisco here are fast-switching
> > on the Cisco and the firewall policy on the Sun. Those two aside, routing
> > is routing. You go from specific to general and when you hit a matching
> > rule you stop.
> > 
> > So I'd look at how many specific rules you have to go through before the
> > majority of your traffic gets processed, both in the routing table and in
> > the policy. You might be able to optimize either or both further.
> > 
> > I'd also look at the type of traffic -- few big sessions (FTP) would be
> > sped up by the Cisco because of fast-switching. But lots of small sessions
> > (HTTP) wouldn't benefit by much, IMO.
> > 
> > HTH
> > -- 
> > Jack Coates, Rainfinity SE
> > t: 650-962-5301 m: 650-280-4376
> > 
> > 
> > On Sun, 16 Jul 2000, William J Husler wrote:
> > 
> >> 
> >> We have a firewall (FW-1 v4) running on a Sun ES450 that connects numerous
> >> subsidiary networks. As a result of the divergent networks involved (as well
> >> as address translation in some cases), we have added a number of static
> >> network routes (and static host routes) to the firewall. We are currently up
> >> to almost 200 lines in the routing table. This firewall is experiencing
> >> throughput problems (at least everyone is pointing fingers at it) and the
> >> vendor (Sun) tech support has stated that it could be caused by this large
> >> number of static routes. Has anyone else experienced this scenario or have
> >> experience with a large routing table on a Sun box? One comment I
> >> particularly did not like was "It's not a router you know". Just what do
> >> they think a firewall does anyway?
> >> Bill
> >> 
> >> 
> > 
> 



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================