Cisco IOS firewall vs PIX 501?

Discussion in 'Cisco' started by Rob, May 6, 2004.

  1. Rob

    Rob Guest

    I know that routers are setup to pass all traffic and deny on a
    filter, while PIX (and most) firewalls block first, then you open from
    there. In either case, that default behavior can be altered with a
    simple ACL.

    That being said, is there any information on the relative performance
    of a router performing as an IOS Firewall vs a PIX? Assume a 2651XM
    router vs low end PIX. Any throughput issues with the IOS router
    doing SPI?

    -Robert
     
    Rob, May 6, 2004
    #1

  2. In article <>,
    Rob <> wrote:
    :I know that routers are setup to pass all traffic and deny on a
    :filter, while PIX (and most) firewalls block first, then you open from
    :there. In either case, that default behavior can be altered with a
    :simple ACL.

    The PIX default for outgoing traffic is to permit the traffic.


    :That being said, is there any information on the relative performance
    :of a router performing as an IOS Firewall vs a PIX? Assume a 2651XM
    :router vs low end PIX. Any throughput issues with the IOS router
    :doing SPI?

    Which, if any, VPN module in the 2651XM? With the AIM-VPN/EPII
    the 2651XM is up to 22 Mbps 3DES, which is faster than the PIX 501
    (3 Mbps, no VPN card available); faster than the PIX 506 and 506E
    (10 Mbps 3DES and 17 Mbps 3DES, respectively, no VPN card available);
    faster than the PIX 515 (10 Mbps 3DES, possibly no VPN card available);
    but is the same as the PIX 515E that has no VPN card installed,
    and slower than the 515E with the VAC card installed (63 Mbps 3DES),
    and should be much slower than the 515E with the VAC+ card installed
    (I don't have figures for that combination.)

    You said "low end" PIX, which would tend to imply the 501 or 506E
    (the plain 506 isn't sold anymore). Both of those are less than $US1000,
    whereas a 2651XM VPN Bundle is going to cost a lot more than that.
    --
    IEA408I: GETMAIN cannot provide buffer for WATLIB.
     
    Walter Roberson, May 7, 2004
    #2

  3. Rob

    Joce Guest

    Rob wrote:

    > I know that routers are setup to pass all traffic and deny on a
    > filter, while PIX (and most) firewalls block first, then you open from
    > there. In either case, that default behavior can be altered with a
    > simple ACL.
    >
    > That being said, is there any information on the relative performance
    > of a router performing as an IOS Firewall vs a PIX? Assume a 2651XM
    > router vs low end PIX. Any throughput issues with the IOS router
    > doing SPI?
    >
    > -Robert


    Do you need dynamic routing? What is a low end PIX for you? What's your
    budget? How many interfaces you need?

    For the same money, if you want simple SPI and passing traffic from one
    interface to another the PIX will be faster... but it all depends on what
    you need.
     
    Joce, May 7, 2004
    #3
  4. Rob

    Rob Guest

    Yes, I do need the other functions of an IOS Router. Forget my
    budget, I just want to know if there is a significant performance
    difference doing firewall functions between the two platforms.

    Assume PIX 501 or 506.



    On Fri, 07 May 2004 09:14:22 -0400, Joce <> wrote:

    >Rob wrote:
    >
    >> I know that routers are setup to pass all traffic and deny on a
    >> filter, while PIX (and most) firewalls block first, then you open from
    >> there. In either case, that default behavior can be altered with a
    >> simple ACL.
    >>
    >> That being said, is there any information on the relative performance
    >> of a router performing as an IOS Firewall vs a PIX? Assume a 2651XM
    >> router vs low end PIX. Any throughput issues with the IOS router
    >> doing SPI?
    >>
    >> -Robert

    >
    >Do you need dynamic routing? What is a low end PIX for you? What's your
    >budget? How many interfaces you need?
    >
    >For the same money, if you want simple SPI and passing traffic from one
    >interface to another the PIX will be faster... but it all depends on what
    >you need.
     
    Rob, May 7, 2004
    #4
  5. In article <>,
    Rob <> wrote:
    :Forget my
    :budget, I just want to know if there is a significant performance
    :difference doing firewall functions between the two platforms.

    :Assume PIX 501 or 506.

    I posted specific figures in the other part of the thread, but you did not
    answer the question as to which, if any, VPN accelerator we should
    assume for the 2651XM.
    --
    Oh, to be a Blobel!
     
    Walter Roberson, May 7, 2004
    #5
  6. Rob

    mikester Guest

    Joce <> wrote in message news:<HYLmc.77660$>...
    > Rob wrote:
    >
    > > I know that routers are setup to pass all traffic and deny on a
    > > filter, while PIX (and most) firewalls block first, then you open from
    > > there. In either case, that default behavior can be altered with a
    > > simple ACL.
    > >
    > > That being said, is there any information on the relative performance
    > > of a router performing as an IOS Firewall vs a PIX? Assume a 2651XM
    > > router vs low end PIX. Any throughput issues with the IOS router
    > > doing SPI?
    > >
    > > -Robert

    >
    > Do you need dynamic routing? What is a low end PIX for you? What's your
    > budget? How many interfaces you need?
    >
    > For the same money, if you want simple SPI and passing traffic from one
    > interface to another the PIX will be faster... but it all depends on what
    > you need.


    PIX 501 & 506E running 6.3 should support RIP; the 506E and above
    support RIP and OSPF with 6.3.

    Reference; http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn63.htm#32159
     
    mikester, May 8, 2004
    #6
  7. Program ended abnormally on 06/05/2004 19:22, Due to a catastrophic Walter
    Roberson error:

    > but is the same as the PIX 515E that has no VPN card installed,


    I thought the difference between a 515 and a 515E *was* the VPN card!!!



    --
    Francois Labreque | The surest sign of the existence of extra-
    flabreque | terrestrial intelligence is that they never
    @ | bothered to come down here and visit us!
    videotron.ca | - Calvin
     
    Francois Labreque, May 8, 2004
    #7
  8. In article <gRWmc.78571$>,
    Francois Labreque <> wrote:
    :I thought the difference between a 515 and a 515E *was* the VPN card!!!

    You haven't been reading my postings ;-)

    Extracting from my comparison chart (alas, I haven't gotten around
    to getting this onto a live WWW server again...)

    515/515E:
    - 515 has 200 MHz Intel Pentium CPU
    - 515E has 433 MHz Intel Celeron processor; bus is one 32-bit 33 MHz PCI
    - 515E has 32 or 64 Mb SDRAM; 16 Mb flash
    - 515 initial software release: 4.4(1)
    - 515E initial software release: 5.2(7)
    - failover okay with Unrestricted license; 'write standby' supported
    (note: 515E cannot be used with 515, both must be the same)
    - 515: no support for VAC (or possibly just never sold with VAC)
    - 515E: support for VAC. VAC included in Unrestricted and Failover models.
    - 515E: support for VAC+ (VPN Accelerator Card+)
    - 515: up to 68000 simultaneous connections (4.4(1) - 6.0 timeframe)
    [125000 simultaneous connections according to Cisco's Noble Institute
    case study; this might have been Unrestricted]
    - 515: maximum 10 Mbps VPN throughput
    [according to 506E/515E Q&A; 6.1(2) timeframe, might have improved later]
    - 515E: 188 Mbps cleartext, 130000 concurrent connections,
    63 Mbps 3DES (VAC) / 140 Mbps 3DES (VAC+), 135 Mbps AES-128 (VAC+),
    140 Mbps AES-256 (VAC+)
    - 515E: Maximum 22 Mbps VPN throughput (without VAC), 63 Mbps VPN (VAC)
    [according to 506E/515E Q&A; 6.1(2) timeframe, might have improved later]
    --
    If a troll and a half can hook a reader and a half in a posting and a half,
    how many readers can six trolls hook in six postings?
     
    Walter Roberson, May 8, 2004
    #8
  9. Rob

    Rob Guest

    Probably the AIM-VPN/BPII, but I didn't know that the VPN accelerator
    affected firewall throughput?



    On 7 May 2004 22:15:29 GMT, -cnrc.gc.ca (Walter
    Roberson) wrote:

    >In article <>,
    >Rob <> wrote:
    >:Forget my
    >:budget, I just want to know if there is a significant performance
    >:difference doing firewall functions between the two platforms.
    >
    >:Assume PIX 501 or 506.
    >
    >I posted specific figures in the other part of the thread, but you did not
    >answer the question as to which, if any, VPN accelerator we should
    >assume for the 2651XM.
     
    Rob, May 9, 2004
    #9
  10. Rob

    Rob Guest

    Any idea on the concurrent connection limitation or throughput "hit"
    of using IOS Firewall? The PIX's list those numbers, as you kindly
    posted below, but I can't find the same for IOS.

    How about using IDS in the config as well? Does it all become
    process-switched, or can it still be Fast/CEF switched with those
    options??





    On 8 May 2004 03:16:49 GMT, -cnrc.gc.ca (Walter
    Roberson) wrote:

    >In article <gRWmc.78571$>,
    >Francois Labreque <> wrote:
    >:I thought the difference between a 515 and a 515E *was* the VPN card!!!
    >
    >You haven't been reading my postings ;-)
    >
    >Extracting from my comparison chart (alas, I haven't gotten around
    >to getting this onto a live WWW server again...)
    >
    >515/515E:
    >- 515 has 200 MHz Intel Pentium CPU
    >- 515E has 433 MHz Intel Celeron processor; bus is one 32-bit 33 MHz PCI
    >- 515E has 32 or 64 Mb SDRAM; 16 Mb flash
    >- 515 initial software release: 4.4(1)
    >- 515E initial software release: 5.2(7)
    >- failover okay with Unrestricted license; 'write standby' supported
    > (note: 515E cannot be used with 515, both must be the same)
    >- 515: no support for VAC (or possibly just never sold with VAC)
    >- 515E: support for VAC. VAC included in Unrestricted and Failover models.
    >- 515E: support for VAC+ (VPN Accelerator Card+)
    >- 515: up to 68000 simultaneous connections (4.4(1) - 6.0 timeframe)
    > [125000 simultaneous connections according to Cisco's Noble Institute
    > case study; this might have been Unrestricted]
    >- 515: maximum 10 Mbps VPN throughput
    > [according to 506E/515E Q&A; 6.1(2) timeframe, might have improved later]
    >- 515E: 188 Mbps cleartext, 130000 concurrent connections,
    > 63 Mbps 3DES (VAC) / 140 Mbps 3DES (VAC+), 135 Mbps AES-128 (VAC+),
    > 140 Mbps AES-256 (VAC+)
    >- 515E: Maximum 22 Mbps VPN throughput (without VAC), 63 Mbps VPN (VAC)
    > [according to 506E/515E Q&A; 6.1(2) timeframe, might have improved later]
     
    Rob, May 9, 2004
    #10
  11. In article <>,
    Rob <> wrote:
    :Any idea on the concurrent connection limitation or throughput "hit"
    :of using IOS Firewall? The PIX's list those numbers, as you kindly
    :posted below, but I can't find the same for IOS.

    Sorry, I had missed before that you were looking for the speeds
    using the firewalling features. The figures I posted were for VPN tunnels.

    On the PIX, it is assumed that you will have a number of "fixup"s
    turned on; I've never seen it discussed that some of the fixups might
    slow down processing. I never thought about it.


    :How about using IDS in the config as well? Does it all become
    :process-switched, or can it still be Fast/CEF switched with those
    :options??

    http://www.cisco.com/en/US/netsol/n...olutions_design_guidance09186a00801cf9fc.html

    Cisco IOS Software-based IDS Solution
    [...]
    As a result, the router's CPU has to process the traffic that needs to
    be inspected as well as the action taken to the malicious traffic.
    These processes can be very CPU intensive depending on the traffic
    being monitored. As a result, the router's CPU utilization can become
    very high and the overall performance of the router may be affected.
    [...]
    IDS Network Module Solution
    [...]
    The disadvantage to this solution is that there is a performance
    impact by using this solution. The IDS Network Module frees the
    router's CPU from performing packet inspection processing. However,
    the IDS Network Module does place some additional load on the
    router's CPU to copy packets from the router's backplane to the
    module's internal FE interface.
    [...]
    The forwarding of packets to the IDS Network Module is implemented in
    the CEF switching path of Cisco IOS Software.


    http://www.cisco.com/warp/public/cc/pd/iosw/ioft/iofwft/prodlit/iosnt_qp.htm

    Q. How many concurrent NAT sessions are supported in Cisco IOS NAT?

    A. The NAT session limit is bounded by the amount of available DRAM
    in the router. Each NAT translation consumes about 160 bytes in
    DRAM. As a result, 10,000 translations (more than would generally
    be handled on a single router) would consume about 1.6MB.
    Therefore, a typical routing platform has more than enough memory
    to support thousands of NAT translations.

    Q. What kind of routing performance can I expect when I use Cisco
    IOS NAT?

    A. Cisco IOS NAT supports Cisco Express Forwarding (CEF) switching,
    Fast-switching and of course Process switching.

    Performance depends on a number of factors: type of application and
    its type of traffic - is it embedding IP Addresses, do multiple
    messages get exchanged that need to be inspected, does it require a
    specific Source Port or negotiate one, number of translations, what
    else is running on the box at the time, and of course the type of
    platform and processor.

    For most applications, degradation of performance due to NAT should
    be negligible.


    In 12.2:

    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfcbac.htm

    Describes how CBAC works, and says

    CBAC works with fast switching and process switching.


    But earlier, in 12.0:

    http://www.cisco.com/en/US/products/sw/iosswrel/ps1830/products_feature_guide09186a0080087476.html

    CBAC supports four switching modes: Cisco Express Forwarding
    (CEF), flow switching, fast switching, and process switching.


    And the description of SDM (Security Device Manager)
    http://www.cisco.com/en/US/products...user_guide_chapter09186a00801eb26f.html#60623

    says that the SDM will enable CEF whenever possible, but also says
    it will enable CBAC whenever possible.


    CBAC normally inspects only TCP and UDP packets (and ICMP?), so it seems to
    me that CBAC could be enabled at the same time as CEF -- with the CEF
    routing applying only to those flows that CBAC determines to be
    "uninteresting". UDP could -perhaps- be CEF routed, if there is an
    internal mechanism to time-out the inserted temporary ACL when it
    stops being used. But the CBAC description does say that TCP sequence
    numbers are examined at each point, and that would seem to me to be
    incompatible with CEF.
    --
    And the wind keeps blowing the angel / Backwards into the future /
    And this wind, this wind / Is called / Progress.
    -- Laurie Anderson
     
    Walter Roberson, May 9, 2004
    #11
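    Rob's question above ("Does it all become process-switched, or can it
    still be Fast/CEF switched?") has a practical check on the router itself:
    the first line of `show processes cpu` reports total CPU and, after the
    slash, the share spent at interrupt level (fast/CEF-switched packets);
    whatever is left is process-level work, and the "IP Input" row is where
    process-switched packets land. The script below, an added example that is
    not part of the original thread or of any Cisco tool, parses that output
    and classifies where the packet work is being done. The sample output is
    constructed for illustration (not a capture from a 2651XM), the process
    names and the 20% "IP Input" threshold are assumptions chosen for the
    example, and the interrupt/process split and IP Input heuristic are
    general IOS troubleshooting lore rather than anything stated in this
    thread.

```python
"""Split Cisco IOS CPU load into interrupt-level (fast/CEF-switched) and
process-level (process-switched) work from `show processes cpu` output.

Added example, not part of the original thread. SAMPLE_SHOW_PROCESSES_CPU
is constructed for illustration; it is not a capture from a real router.
Its numbers are chosen to show a box where most packet work has fallen
into the process path ("IP Input"), the condition the thread asks about.
"""
import re

# Header line: "<total>%/<interrupt>%" for the five-second window, then the
# one- and five-minute totals.
_HEADER = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)

# Per-process rows: PID Runtime Invoked uSecs 5Sec 1Min 5Min TTY Process
_ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\S+)\s+(.+?)\s*$"
)

# Constructed sample; process names and figures are illustrative only.
SAMPLE_SHOW_PROCESSES_CPU = """\
CPU utilization for five seconds: 78%/31%; one minute: 74%; five minutes: 70%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1          40       932         42  0.00%  0.00%  0.00%   0 Chunk Manager
   2         160     11203         14  0.08%  0.05%  0.05%   0 Load Meter
  40     9812364   4029812       2435 41.20% 39.70% 37.10%   0 IP Input
  71      221040    198127       1115  4.90%  4.10%  3.80%   0 CEF process
  92       51200     61002        839  1.10%  1.00%  0.90%   0 IP NAT Ager
"""


def parse_cpu(text):
    """Return the five-second utilisation split and per-process 5Sec loads.

    total     - overall CPU % (first number on the header line)
    interrupt - % spent at interrupt level: fast/CEF-switched packets
    process   - total minus interrupt: scheduled processes, incl. IP Input
    processes - {name: 5Sec %} for every process row that parsed
    """
    m = _HEADER.search(text)
    if m is None:
        raise ValueError("no 'CPU utilization for five seconds' header found")
    total, interrupt = int(m.group(1)), int(m.group(2))
    processes = {}
    for line in text.splitlines():
        row = _ROW.match(line)
        if row:
            processes[row.group(9)] = float(row.group(5))
    return {
        "total": total,
        "interrupt": interrupt,
        "process": total - interrupt,
        "processes": processes,
    }


def diagnose(text, ip_input_threshold=20.0):
    """Classify where packet work is being done.

    'IP Input' is the IOS process that handles process-switched packets, so
    a large share there means traffic is not taking the fast/CEF path.
    The 20% threshold is an assumption for this example, not a Cisco figure.
    Returns one of: 'idle', 'process-switched', 'interrupt-switched'.
    """
    stats = parse_cpu(text)
    ip_input = stats["processes"].get("IP Input", 0.0)
    if stats["total"] < 10:
        return "idle"
    if ip_input >= ip_input_threshold or stats["process"] > stats["interrupt"]:
        return "process-switched"
    return "interrupt-switched"


if __name__ == "__main__":
    s = parse_cpu(SAMPLE_SHOW_PROCESSES_CPU)
    print(f"total {s['total']}%  interrupt {s['interrupt']}%  process {s['process']}%")
    print(f"IP Input {s['processes'].get('IP Input', 0.0)}%"
          f"  -> {diagnose(SAMPLE_SHOW_PROCESSES_CPU)}")
```

    Paste real `show processes cpu` output into `parse_cpu()` to get the
    split. Take the reading under load, with CBAC/IDS enabled, and compare
    it against the same load with the feature removed; a jump in the
    process-level share or in "IP Input" is the "throughput hit" being asked
    about, since that traffic is no longer handled on the interrupt path.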
  12. Rob

    Rob Guest

    Thanks for the reply.



    On 9 May 2004 15:10:54 GMT, -cnrc.gc.ca (Walter
    Roberson) wrote:

    >In article <>,
    >Rob <> wrote:
    >:Any idea on the concurrent connection limitation or throughput "hit"
    >:of using IOS Firewall? The PIX's list those numbers, as you kindly
    >:posted below, but I can't find the same for IOS.
    >
    >Sorry, I had missed before that you were looking for the speeds
    >using the firewalling features. The figures I posted were for VPN tunnels.
    >
    >On the PIX, it is assumed that you will have a number of "fixup"s
    >turned on; I've never seen it discussed that some of the fixups might
    >slow down processing. I never thought about it.
    >
    >
    >:How about using IDS in the config as well? Does it all become
    >:process-switched, or can it still be Fast/CEF switched with those
    >:options??
    >
    >http://www.cisco.com/en/US/netsol/n...olutions_design_guidance09186a00801cf9fc.html
    >
    > Cisco IOS Software-based IDS Solution
    >[...]
    > As a result, the router's CPU has to process the traffic that needs to
    > be inspected as well as the action taken to the malicious traffic.
    > These processes can be very CPU intensive depending on the traffic
    > being monitored. As a result, the router's CPU utilization can become
    > very high and the overall performance of the router may be affected.
    >[...]
    > IDS Network Module Solution
    >[...]
    > The disadvantage to this solution is that there is a performance
    > impact by using this solution. The IDS Network Module frees the
    > router's CPU from performing packet inspection processing. However,
    > the IDS Network Module does place some additional load on the
    > router's CPU to copy packets from the router's backplane to the
    > module's internal FE interface.
    >[...]
    > The forwarding of packets to the IDS Network Module is implemented in
    > the CEF switching path of Cisco IOS Software.
    >
    >
    >http://www.cisco.com/warp/public/cc/pd/iosw/ioft/iofwft/prodlit/iosnt_qp.htm
    >
    > Q. How many concurrent NAT sessions are supported in Cisco IOS NAT?
    >
    > A. The NAT session limit is bounded by the amount of available DRAM
    > in the router. Each NAT translation consumes about 160 bytes in
    > DRAM. As a result, 10,000 translations (more than would generally
    > be handled on a single router) would consume about 1.6MB.
    > Therefore, a typical routing platform has more than enough memory
    > to support thousands of NAT translations.
    >
    > Q. What kind of routing performance can I expect when I use Cisco
    > IOS NAT?
    >
    > A. Cisco IOS NAT supports Cisco Express Forwarding (CEF) switching,
    > Fast-switching and of course Process switching.
    >
    > Performance depends on a number of factors: type of application and
    > its type of traffic - is it embedding IP Addresses, do multiple
    > messages get exchanged that need to be inspected, does it require a
    > specific Source Port or negotiate one, number of translations, what
    > else is running on the box at the time, and of course the type of
    > platform and processor.
    >
    > For most applications, degradation of performance due to NAT should
    > be negligible.
    >
    >
    >In 12.2:
    >
    >http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfcbac.htm
    >
    >Describes how CBAC works, and says
    >
    > CBAC works with fast switching and process switching.
    >
    >
    >But earlier, in 12.0:
    >
    >http://www.cisco.com/en/US/products/sw/iosswrel/ps1830/products_feature_guide09186a0080087476.html
    >
    > CBAC supports four switching modes: Cisco Express Forwarding
    > (CEF), flow switching, fast switching, and process switching.
    >
    >
    >And the description of SDM (Security Device Manager)
    >http://www.cisco.com/en/US/products...user_guide_chapter09186a00801eb26f.html#60623
    >
    >says that the SDM will enable CEF whenever possible, but also says
    >it will enable CBAC whenever possible.
    >
    >
    >CBAC normally inspects only TCP and UDP packets (and ICMP?), so it seems to
    >me that CBAC could be enabled at the same time as CEF -- with the CEF
    >routing applying only to those flows that CBAC determines to be
    >"uninteresting". UDP could -perhaps- be CEF routed, if there is an
    >internal mechanism to time-out the inserted temporary ACL when it
    >stops being used. But the CBAC description does say that TCP sequence
    >numbers are examined at each point, and that would seem to me to be
    >incompatible with CEF.
     
    Rob, May 9, 2004
    #12
