Re: [c-nsp] External Firewall

2008-03-27 Thread Robert E. Seastrom

The HAR is going to be announced on April Fool's day.  My lawyers told
me that as long as I didn't reveal anything about the feature set
(which I find laughable), I wasn't breaking the NDA, so don't sweat it.

Remember folks, you heard it here first...

---rob

Joseph Jackson [EMAIL PROTECTED] writes:

 What are you talking about then?

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] External Firewall

2008-03-25 Thread A . L . M . Buxey
Hi,

 Yes.  I have two identical networks set up for one company in two 
 different locations.  One has a Cisco router (said 7200) talking 
 upstream to a big WAN pipe and downstream to two gigabit ethernet 
 networks.  The second location has the same WAN and LAN configuration, 
 WAN line distance and quality measurement numbers, etc.  The only 
 difference is that it is a BSD PC.  The Cisco performs noticeably and measurably 
 better in latency and throughput.  Neither is running firewall code.
 
 Now, the BSD PC has gobs more processor horsepower, memory- and 
 bus-bandwidth.  Why should the Cisco outperform it?

what BSD OS are you using?  What processor, what interface cards are
you using? what BUS are those cards on?  these are all salient facts.

you cannot have a stateful firewall which only inspects the first
packet - as each packet needs to be seen - stateful firewalls
recognise the stream and therefore throw the packet straight through
avoiding any port/type and further rules if the stream was
allowed in the first place.

your main consideration must surely be, do you want a routed firewall
or a 'bump in the wire' firewall.   you want a 1gig capable firewall
but fear the PC capability? a decent PC will handle 1Gig. if you fear
this, then a decent Cisco ASA (which, to all intents and purposes
is a PC in a fancy case) can do it. or a Juniper netscreen - which
uses a couple of ASICs. 

if, however, your worry is because of how well the (???)BSD did routing..
which routing package did you use? then the Cisco has ASICs that do all
the hardest routing work which your PC has to do in multiple processor
cycles and handle interrupts etc too.

 As far as I can tell, (3) would be the best of both worlds, but I, for 
 the life of me, can't figure out if there's a way to set a network up 
 like that.

nope. can't think of a way to do that either - you can have 'out of band'
network management systems, where the traffic hits the box
via it being the LAN gateway, until the machine is authenticated
at which point the system gets bumped to a LAN with a standard
gateway. I can think of many, some horrible, ways of ensuring that
some machines or some protocols to some machines don't need to
go through a firewall (routed or bump) but they are hacks.

alan


[c-nsp] External Firewall

2008-03-24 Thread Sridhar Ayengar

I'm interested in adding a firewall to a network I admin at work.  The 
gateway router on the network is a 7200 NPE-G1.

What I want to know is whether I have to route all of my packets through 
my external firewall, or is there a way to have the firewall set state 
in the router to enable it to route packets in a session without the 
further involvement of the firewall?

Peace...  Sridhar


Re: [c-nsp] External Firewall

2008-03-24 Thread Masood Ahmad Shah
Normally people would put it like shown below..

WAN-Router-Firewall--LAN-Switch

Regards,
Masood Ahmad Shah





Re: [c-nsp] External Firewall

2008-03-24 Thread Sridhar Ayengar
Masood Ahmad Shah wrote:
 Normally people would put it like shown below..
 
 WAN-Router-Firewall--LAN-Switch

That's what I was hoping to avoid.

Peace...  Sridhar


Re: [c-nsp] External Firewall

2008-03-24 Thread jason . plank
Why would anybody want to secure their lan from their wan? :)

--
Regards,

Jason Plank
CCIE #16560
e: [EMAIL PROTECTED]



Re: [c-nsp] External Firewall

2008-03-24 Thread Scott McGrath
because they do not trust their field offices not to install the latest 
'screen saver'...

[EMAIL PROTECTED] wrote:
 Why would anybody want to secure their lan from their wan? :)



Re: [c-nsp] External Firewall

2008-03-24 Thread Fred Reimer
Why, exactly?  Performance of the firewall?

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697



Re: [c-nsp] External Firewall

2008-03-24 Thread Sridhar Ayengar
Fred Reimer wrote:
 Why, exactly?  Performance of the firewall?

Yes.  I have two identical networks set up for one company in two 
different locations.  One has a Cisco router (said 7200) talking 
upstream to a big WAN pipe and downstream to two gigabit ethernet 
networks.  The second location has the same WAN and LAN configuration, 
WAN line distance and quality measurement numbers, etc.  The only 
difference is that it is a BSD PC.  The Cisco performs noticeably and measurably 
better in latency and throughput.  Neither is running firewall code.

Now, the BSD PC has gobs more processor horsepower, memory- and 
bus-bandwidth.  Why should the Cisco outperform it?

To find out, I wanted to set up a selection of scenarios in the lab. 
(1) I wanted to try setting up the firewall between the internal 
gigabit network and the 7200.  (2) I then wanted to set up the firewall 
between the WAN interface and the router to see how that performs.  (3) 
I wanted to set up what I described in my original message, with the 
firewall performing only stateful inspection functions, and allowing the 
router to perform packet switching functions without interference from 
the firewall once the session is operating.

As far as I can see, the advantage of (1) is that traffic heading to the 
external gigabit LAN wouldn't come across the firewall PC.  However, 
the disadvantage would be that traffic between the two LANs would have 
to pass through it.  That might be unacceptable.

The advantage of (2) might be that traffic between the internal and 
external LANs wouldn't come near the firewall PC.  Also, the WAN pipe 
may not require the throughput advantage of the Cisco.  (It may indeed, 
but it might not be as sensitive.)  However, this does add a couple 
dozen ms to the latency of the upstream connection.

As far as I can tell, (3) would be the best of both worlds, but I, for 
the life of me, can't figure out if there's a way to set a network up 
like that.

Any ideas?

Peace...  Sridhar



Re: [c-nsp] External Firewall

2008-03-24 Thread Fred Reimer
So the root question is why a Cisco 7200 router would perform better than a
PC running BSD, beefy as that PC may be?

Without questioning the merits behind spending time on this I'm not sure
what benefit a firewall would provide.  Exactly what are you looking for the
firewall to do?  You wanted to see how it performs with the firewall in
various locations.  Doing what?

Sorry I can't be of more help.  I understand what you are trying to find
out, but not what a firewall has to do with it.  You could possibly put a
firewall before and/or after in transparent mode.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697



Re: [c-nsp] External Firewall

2008-03-24 Thread Church, Charles
Sridhar,

The Cisco is faster because it's designed from the ground up to
route traffic.  Not so with the BSD box.  You could probably spend
months looking at drivers, tuning the kernel, etc to improve it, but
still not match the 7200.  It's more than just CPU power.  Depending on
the platform, you might be able to policy route TCP syn/syn acks to the
FW, and once it's established (assuming FW lets it), it can resume
through the Cisco only.  You're losing the benefit of a stateful
firewall at this point though, since the state isn't being monitored
anymore.  Seems like a couple firewalls with throughput to match your
WAN should be enough.  If you're willing to lose the stateful firewall
capability, a simple packet filtering switch would do, and at line rate.

Chuck



Re: [c-nsp] External Firewall

2008-03-24 Thread Asbjorn Hojmark - Lists
 What I want to know is whether I have to route all of my 
 packets through my external firewall, or is there a way to
 have the firewall set state in the router to enable it to
 route packets in a session without the further involvement
 of the firewall?

Something like that should be possible in the not-too-distant
future, though not with the 7200.

However, one of the larger ASAs should be able to keep up with
the 7200. Or you could go for the new ASR, which should be able
to do both tasks at the same time even faster than the 7200.

-A



Re: [c-nsp] External Firewall

2008-03-24 Thread Paul Cosgrove
Hi Sridhar,

I'm afraid I haven't understood the significance of the firewall in your 
performance comparison tests between the cisco router and a BSD PC.  Is 
the BSD PC the firewall you are referring to?  Is your main aim to 
discover the reason why existing performance differs between the cisco 
and a BSD PC/router, or to test topology differences in two sites (only 
one of which has a firewall)?

Perhaps the cisco outperforms a powerful PC because of the hardware 
assisted switching.  The cisco router will use fast switching methods 
(e.g. CEF)  to reduce the number of lookups and overall processing 
required by the main CPU.

If I understand option (3) correctly, you wish to perform Multilayer 
Switching between a router and a stateful firewall.  One difficulty I 
see with this is that in order for the firewall to perform stateful 
inspection, you will need to provide it with the traffic necessary to 
monitor the state of flows.  Shifting a flow over to a  path which cuts 
out the firewall will then deprive it of this information.  This will 
limit its ability to function, for instance the firewall would not be 
able to detect when ports are negotiated within a session, or when a 
session ended.  Consequently I think the only inspection that you would 
be able to achieve with that approach would be basic ACL style 
filtering; which is something you could do on the router in any case.  
Shifting the firewall so that it is not in the main transit path will 
also expose the edge router and the infrastructure behind it.

Paul.



Re: [c-nsp] External Firewall

2008-03-24 Thread Dean Smith
(3) I wanted to setup what I described in my original message, with the 
firewall performing only stateful inspection functions, and allowing the 
router to perform packet switching functions without interference from 
the firewall once the session is operating.

By definition stateful inspection requires the firewall to see all the
packets...to verify that they are indeed part of an agreed connection etc...

So scenario 3 is nonsense. 

If you could offload the connection once it was set up (in a sort of MLS
style way) it would no longer be stateful inspection, as the packet
forwarder is no longer verifying the state at all.


The 7200 can do stateful inspection (via CBAC / Firewall IOS) but you'd need
to give more info about the Processor (NPE), Throughput (inc Pkt sizes,
protocols etc) and any other features you have running for a view on whether
it would cope. (and that would only be an opinion then)

Dean
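As an added toy model that is not from the thread, the following shows the loss Alan, Paul and Dean describe when a stateful firewall sees only session setup (Sridhar's scenario 3): a constructed connection tracker with an FTP PORT helper, behind a router that either hands it every packet or switches an established flow by itself. All addresses, ports, the tracker logic and the replayed session are constructed assumptions, not any product's behaviour.

```python
from dataclasses import dataclass
import re

INSIDE_PREFIX = "10.0.0."                      # constructed: the protected LAN
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"    # constructed addresses

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""                            # letters from S, A, F, R
    payload: bytes = b""

    def key(self):
        # direction-independent flow identifier
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})

class StatefulFirewall:
    """Toy connection tracker (constructed, not any vendor's code): an
    inside-initiated SYN opens a flow, SYN/ACK confirms it, FIN or RST closes
    it, and an FTP PORT command on an established flow opens a pinhole for the
    inbound data connection.  Anything without a flow or pinhole is dropped."""

    PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

    def __init__(self):
        self.flows = {}        # flow key -> "SYN_SENT" | "ESTABLISHED"
        self.pinholes = set()  # (dst ip, dst port) learned from PORT commands

    def inspect(self, p: Pkt) -> bool:
        k = p.key()
        state = self.flows.get(k)
        if state is None:
            if p.flags == "S" and p.src.startswith(INSIDE_PREFIX):
                self.flows[k] = "SYN_SENT"
                return True
            if p.flags == "S" and (p.dst, p.dport) in self.pinholes:
                self.pinholes.discard((p.dst, p.dport))
                self.flows[k] = "SYN_SENT"
                return True
            return False                       # unsolicited packet
        if state == "SYN_SENT":
            if p.flags == "SA":
                self.flows[k] = "ESTABLISHED"
            return p.flags == "SA"
        if "F" in p.flags or "R" in p.flags:   # established flow ending
            del self.flows[k]
            return True
        m = self.PORT_RE.search(p.payload)     # application-layer helper
        if m:
            h1, h2, h3, h4, hi, lo = (int(x) for x in m.groups())
            self.pinholes.add((f"{h1}.{h2}.{h3}.{h4}", hi * 256 + lo))
        return True

class Router:
    """offload=False: every packet is inspected (the usual design).
    offload=True: scenario 3; the firewall sees the handshake only, and once
    it reports the flow established the router switches the rest by itself."""

    def __init__(self, fw: StatefulFirewall, offload: bool):
        self.fw, self.offload, self.offloaded = fw, offload, set()

    def forward(self, p: Pkt) -> bool:
        k = p.key()
        if self.offload and k in self.offloaded:
            return True                        # the firewall never sees it
        ok = self.fw.inspect(p)
        if self.offload and self.fw.flows.get(k) == "ESTABLISHED":
            self.offloaded.add(k)
        return ok

def run(offload: bool) -> dict:
    # replay one constructed active-mode FTP session through either design
    fw = StatefulFirewall()
    rt = Router(fw, offload)
    ctrl = dict(src=CLIENT, sport=40000, dst=SERVER, dport=21)
    back = dict(src=SERVER, sport=21, dst=CLIENT, dport=40000)
    rt.forward(Pkt(**ctrl, flags="S"))         # handshake: always inspected
    rt.forward(Pkt(**back, flags="SA"))
    rt.forward(Pkt(**ctrl, flags="A"))
    # client announces data port 156*256+65 = 40001 on the control channel
    rt.forward(Pkt(**ctrl, flags="A", payload=b"PORT 10,0,0,5,156,65\r\n"))
    # the server opens the data connection from outside; it needs the pinhole
    data_ok = rt.forward(Pkt(src=SERVER, sport=20, dst=CLIENT, dport=40001, flags="S"))
    rt.forward(Pkt(**ctrl, flags="FA"))        # client closes the control channel
    stale = fw.flows.get(Pkt(**ctrl).key()) == "ESTABLISHED"
    # a late packet from outside for the control flow that has just been closed
    late_ok = rt.forward(Pkt(**back, flags="A", payload=b"stale"))
    return {"data_syn_allowed": data_ok,
            "firewall_thinks_control_open": stale,
            "late_packet_forwarded": late_ok}
```

On the full path the firewall opens the data pinhole, notices the close and drops the late packet; with offload it never sees the PORT command, keeps a stale entry for the closed session and the late packet is switched straight through.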



Re: [c-nsp] External Firewall

2008-03-24 Thread Fred Reimer
Don't be giving out any NDA materials now...

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Asbjorn Hojmark -
Lists
Sent: Monday, March 24, 2008 5:07 PM
To: 'Sridhar Ayengar'
Cc: 'Cisco NSPs'
Subject: Re: [c-nsp] External Firewall

 What I want to know is whether I have to route all of my 
 packets through my external firewall, or is there a way to
 have the firewall set state in the router to enable it to
 route packets in a session without the further involvement
 of the firewall?

Something like that should be possible in the not-too-distant
future, though not with the 7200.

However, one of the larger ASAs should be able to keep up with
the 7200. Or you could go for the new ASR, which should be able
to do both tasks at the same time even faster than the 7200.

-A


Re: [c-nsp] External Firewall

2008-03-24 Thread Niels Bakker
* [EMAIL PROTECTED] (Fred Reimer) [Mon 24 Mar 2008, 22:28 CET]:
Don't be giving out any NDA materials now...

The ASR and its featureset have been announced and thus are public 
knowledge.


-- Niels.



Re: [c-nsp] External Firewall

2008-03-24 Thread Joseph Jackson
What are you talking about then?

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:cisco-nsp-
 [EMAIL PROTECTED] On Behalf Of Fred Reimer
 Sent: Monday, March 24, 2008 5:03 PM
 To: Niels Bakker; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] External Firewall

 I'm not talking about the ASR...

 Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
 Senior Network Engineer
 Coleman Technologies, Inc.
 954-298-1697

