[c-nsp] NPE G1, CEF and ACLs and high CPU
Łukasz Bromirski
lukasz at bromirski.net
Tue Sep 9 16:39:38 EDT 2008
Kristian Larsson wrote:
> Cisco IOS (without the firewall feature set)
> doesn't really support stateful firewalls, but is
> rather a fixed set of filters applied to packets.
> PIX / ASA does stateful packet inspection and some
> other mumbo jumbo that security people like to
> have. I think that would be the #1 reason why
> one would choose a PIX over an IOS device.
> I have no clue whether they're actually faster or
> not at filtering packets.
They are. Statefully filtering and inspecting packets requires a lot
of horsepower, and CPUs in ASAs are much beefier than the ones you can
spot on ISRs or 7200. NAT and CBAC/ZBFW are features hitting CPUs
in routers a lot.
--
"Don't expect me to cry for all the | Łukasz Bromirski
reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net