ACL performance of L3 router/switches?

We're trying to decide on our next departmental router/switch and we'd like it to have good ACL performance (our current HP 6308M bogs down when using ACLs to "firewall" ourselves from the ugly world "out there" :-)

Anyway, our requirements:

IPv4, IPv6 (in the future), OSPF, PIM, 2-8 Gigabit Ethernet interfaces, possibility for 10GE, many VLANs, many ACLs/ACEs - supporting TCP "keep state" or "established" rules and both IPv4 and IPv6.

Some of the candidates we're looking at are:

  1. HP ProCurve 6200yl / 3500yl
  2. Extreme Summit X450a
  3. Cisco 3750G-12S

Any other boxes we should be looking at?

However, what seems to be unclear when reading the product specifications is how well they handle ACLs - i.e., is it done in hardware and at full wirespeed - or will it go the "slow path"? Please note that this is ACLs for the routing interfaces (between VLANs) - not port ACLs...

(I'm also aware that the 6200yl/3500yl doesn't support IPv6 today - anyone know when they are going to introduce that feature?)

- Peter

Peter Eriksson

New ones are the 3750-E... - 10G built in.

The Ciscos do ACLs in hardware - for some ACL flavours.

Since the logic for hardware ACL is probably in a dedicated chipset, there is always likely to be something that cannot be done in the hardware - so the Q for the manufacturer is whether to let you use only hardware based filters, or let you have flexibility with some performance constraints, or some sort of mix.

The big issue with any switch is likely to be if you are asking for something that gets pushed to software processing...

The rule of thumb is "higher end boxes do more in hardware" - so for Cisco the assumption is Cat 6500 will do "best" - but that is

  1. a chassis
  2. optimised for lots of ports
  3. expensive
  4. loads of options, so you need to understand the box to get the right tradeoffs

The same is probably true for lots of other kit you might go for...

But - your initial choices imply a relatively small box is all you need, so a stackable is good enough.

Personally I would ignore the "futures" bit unless you know you need those aspects in the next 12 to 18 months. Otherwise choosing a new box at the point you need, say, IPv6 is likely to get you more for less money than trying to future-proof a box now.

stephen

Can't speak for the others but the HPs you mention do ACLs in hardware.

The hardware supports it, but they haven't gotten around to releasing the software for it.

Anoop

anoop

I would move ACLs to an external firewall and let the networking gear forward packets internally. Any (serious) firewall would have more functionality than ACLs in a Cisco (not to mention other boxes); just think of statefulness, fragment handling, logging, manageability, possibilities of application-level proxies etc.

Save your money and get, as an example, one x86 box, load it with 2 NICs, FreeBSD, ipfilter, and install fwbuilder somewhere. Cost? Hardware for a PC + some hours of installation time.

phn

You would get nowhere near 1,000,000 pps with a reasonable number of rules in your set, thus creating a bottleneck for routed traffic. If there is someone asking for performance with his ACLs and is getting "hardware ACL support" as the answer, I would expect numbers in this order of magnitude to be the minimal requirement.

Denis Jedig

Sounds "easy" - every L3 switch worth its name should do that.

Easy as well - the implementations just have to check for the "TCP SYN" flag to get it working this way. Can be (and is being) done in hardware.

The ATI x900 may fit your bill as well while being less expensive than equally equipped Cisco models.

Denis Jedig
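The "established" check described in the post above, as an added illustration that is not from any poster or vendor: a stateless ACE that tests only the ACK/RST bits (which is what makes it cheap enough for hardware), next to the minimal stateful table that a "keep state" firewall of the kind phn suggests would maintain. Rule syntax, flag constants, class names and addresses are constructed for the example.

```python
# Added example: stateless "established" ACE evaluation versus a minimal
# stateful flow table. Illustrative code, not vendor or project code.
from dataclasses import dataclass
from typing import List, Optional

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10  # standard TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: int  # TCP flag bits as found in the header


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    dst: Optional[str] = None   # destination host, None means any
    dport: Optional[int] = None
    established: bool = False   # Cisco-style "established" keyword


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.dst is not None and ace.dst != pkt.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    # "established" is a pure header test: ACK or RST set. It keeps no memory
    # of whether a SYN was ever seen, so any packet carrying ACK matches.
    if ace.established and not pkt.flags & (TCP_ACK | TCP_RST):
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; an implicit deny ends every list."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed inbound ACL: allow SMTP to one host, plus replies to inside-initiated TCP.
INBOUND_ACL = [Ace("permit", "10.0.0.5", 25), Ace("permit", established=True)]


class StatefulFilter:
    """Minimal 'keep state' check: only flows the inside initiated may return."""
    def __init__(self) -> None:
        self.flows = set()  # (outside_host, inside_host); ports omitted for brevity

    def outbound(self, pkt: Packet) -> None:
        if pkt.flags & TCP_SYN and not pkt.flags & TCP_ACK:
            self.flows.add((pkt.dst, pkt.src))  # reply will travel dst -> src

    def inbound(self, pkt: Packet) -> str:
        return "permit" if (pkt.src, pkt.dst) in self.flows else "deny"
```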

You missed the whole issue - this is to keep the "nasty outside" away, and that is most likely not in the same volumes as the internal traffic.

And there is no "switch" that is even close to the security-related filtering features of pf (or ipf or iptables or Checkpoint). Do your homework.

phn

Really? Where exactly does the original posting say *that*?

They might have a limited ruleset, but they *do* filter packets and they work as designed. I cannot see how internal security zoning is not a security feature.

Pardon me?

Denis Jedig
