[Dshield] ACL impact on router performance

Lauro, John jlauro at umflint.edu
Sun Feb 22 14:51:18 GMT 2004


Not sure specifically about the CISCO 501 PIX, but generally speaking
with most routers, putting it on the output port is less efficient
than putting it on the incoming port.  Again, this is router/firewall
specific, but generally you should never try to filter on outgoing
interfaces; instead rewrite the filter on incoming interfaces, even if
it means you need more ACLs because you have multiple interfaces.

> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf Of Guy Barnum
> Sent: Saturday, February 21, 2004 7:09 PM
> To: General DShield Discussion List
> Subject: RE: [Dshield] ACL impact on router performance
> 
> -----Original Message-----
> From: Jon R. Kibler [mailto:Jon.Kibler at aset.com]
> Sent: Thursday, February 19, 2004 2:25 PM
> To: list at dshield.org
> Subject: [Dshield] ACL impact on router performance
> 
> Does anyone have any hard stats on the impact of ACLs on router
> performance?
> <snip>
> 
> I can tell you personally using a CISCO 501 PIX to stop a port 135 scan
> originating somewhere on my network basically kills my internet
> connection on 1mb broadband.  With that outgoing port blocked it causes
> so much overhead I can't browse to a web page from any workstation on
> the network.
> 
> GLB
> 
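The placement the reply recommends, shown as an added Cisco IOS configuration fragment (not from the original post, and not PIX syntax): the interface names, the two LAN subnets and the access-list names are assumed for illustration.

```cisco
! BEFORE: one filter applied outbound on the WAN interface. Every packet
! from the scanning host is routed (and NATed, if NAT is configured) first
! and only then matched and dropped on the way out.
ip access-list extended BLOCK-135-OUT
 deny   tcp any any eq 135
 permit ip any any
!
interface FastEthernet0/0
 description outside (assumed WAN interface)
 ip access-group BLOCK-135-OUT out
!
! AFTER: the same filter applied inbound on each LAN interface, scoped to
! that LAN's subnet (assumed 192.168.1.0/24 and 192.168.2.0/24). Packets are
! dropped as they arrive, before routing and NAT, at the cost of one ACL
! per inside interface. The "log" keyword records the offending internal
! source address so the scanning host can be found.
ip access-list extended BLOCK-135-LAN-A
 deny   tcp 192.168.1.0 0.0.0.255 any eq 135 log
 permit ip any any
!
ip access-list extended BLOCK-135-LAN-B
 deny   tcp 192.168.2.0 0.0.0.255 any eq 135 log
 permit ip any any
!
interface FastEthernet0/1
 description LAN A (assumed inside interface)
 ip access-group BLOCK-135-LAN-A in
!
interface FastEthernet0/2
 description LAN B (assumed inside interface)
 ip access-group BLOCK-135-LAN-B in
```

Remove the outbound `ip access-group` from the WAN interface once the inbound lists are in place, so the same traffic is not evaluated twice.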