Filters on routers: The price of performance

Access control doesn't have to be a throughput killer.
By David Newman, Network World Global Test Alliance, Network World, 07/14/2003

Setting filters on routers might be mandatory for access control and usage tracking, but suffering a performance hit is strictly optional.

We took six access routers from five vendors and loaded the devices with progressively larger numbers of filters and routes. Routers from ImageStream, Lucent, Riverstone and Tasman didn't break a sweat, delivering essentially the same latency and throughput with hundreds of filters and large routing tables as they did with bare-bones configurations.

At the other end of the spectrum is Cisco's 2651 router. It put up respectable baseline numbers, but performance plummeted once we added filtering. This is hardly a surprise: The 2651 is based on a single CPU and a scant 64M bytes of memory. Although we upgraded the 2651 to its maximum of 128M bytes of RAM, its aging design is no match for other routers in this test. All others use 256M bytes of RAM, and most use custom silicon such as network processors or field-programmable gate arrays to boot.

Cisco declined to participate in this review, saying users are interested in issues other than performance. Given Cisco's dominant market share, we purchased Cisco 2651 routers for inclusion in this review. We also shared our methodology with Cisco, notified the company of our plans, upgraded the routers' memory to be able to complete some tests and, as with all other test participants, informed Cisco of its product's results before publication.

Companies use filters on access routers for all sorts of reasons: to keep unauthorized users or applications out, to track usage of authorized applications and to restrict access to the router itself. (See the Internet Engineering Task Force guidelines and "Filtering Dos and Don'ts.")

Getting the numbers

We measured the performance effect of filtering with three metrics: throughput, average latency and maximum latency (see How we did it). To determine routers' ability to recover from failure, we also measured reboot times under load for each device.

Our test setup consisted of a pair of identical routers connected by two T-1 interfaces using crossover cables (see test diagram). The product configurations - routers with two T-1s and two Ethernet interfaces - are arguably the most commonly found devices in any corporation's routing setup.

To determine the performance impact of filtering on this class of device, we began with a baseline case of no filters and no routing, and then added ever-larger numbers of filtering and routing conditions.

In the filtering cases, we asked vendors to configure one router with filters covering multiple conditions: source and destination IP address; protocol number; and TCP or User Datagram Protocol (UDP) port number. We asked vendors to set their last filter as the one we'd use for test traffic, forcing the routers to cycle through their entire filter list. Vendors also enabled logging, so we'd know how many packets "hit" each filter. Tests were run with eight, 16, 64 and 256 unique filters applied.

In the routing test cases, we asked vendors not only to apply various numbers of filters but also to enable two routing protocols - Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF).

We ran through the various numbers of filters with two routing scenarios, dubbed "small tables" and "big tables." In the small-table case, we advertised reachability information for 64 networks each over BGP and OSPF. That's the sort of table size a small or midsize business might run.

In the big-table case, we advertised 125,000 routes using BGP and 4,096 using OSPF. The first number represents the current size of the Internet "full table" - the total number of networks visible in the global Internet. The second number represents about 10% of the size of a Tier-1 ISP's OSPF Area 0 network - the core of any OSPF network.

Holding the full Internet table might seem like a lot to ask of an access router. However, a growing number of corporations use multi-homed connections - BGP connections to different ISPs for redundancy - and their actual table size might be at least twice as large as the one we used.
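The filter test above is built so that every test packet is compared against every entry before it is forwarded. The following is an added example, not code from the article or from any of the vendors tested: it models a software router's first-match linear walk over filters that match on source and destination prefix, IP protocol and destination port, keeps the per-filter hit counters the vendors' logging reported, and shows how the comparison cost per packet grows with the eight, 16, 64 and 256-filter configurations. The test flow, prefixes and port numbers are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

@dataclass
class Filter:
    """One access-list entry with the four match fields used in the test."""
    src: IPv4Network
    dst: IPv4Network
    proto: int     # IP protocol number: 6 = TCP, 17 = UDP
    dport: int     # TCP/UDP destination port
    hits: int = 0  # per-filter hit counter, the "logging" the vendors enabled

def matches(f: Filter, pkt: dict) -> bool:
    return (pkt["src"] in f.src and pkt["dst"] in f.dst
            and pkt["proto"] == f.proto and pkt["dport"] == f.dport)

def evaluate(filters: list, pkt: dict):
    """First-match linear walk, as a CPU-bound router performs it.
    Returns (index of the matching filter or None, comparisons performed)."""
    for i, f in enumerate(filters):
        if matches(f, pkt):
            f.hits += 1
            return i, i + 1
    return None, len(filters)   # implicit deny: every entry was checked

# Constructed test flow (not from the article): TCP to port 80.
TEST_PKT = {"src": IPv4Address("172.16.1.10"), "dst": IPv4Address("192.168.5.20"),
            "proto": 6, "dport": 80}

def build_filters(n: int) -> list:
    """n unique filters; only the last one matches TEST_PKT, so each packet
    is compared against the whole list, as in the article's methodology."""
    decoys = [Filter(IPv4Network(f"10.{i // 256}.{i % 256}.0/24"),
                     IPv4Network("192.168.0.0/16"), 17, 1000 + i)
              for i in range(n - 1)]
    return decoys + [Filter(IPv4Network("172.16.1.0/24"),
                            IPv4Network("192.168.5.0/24"), 6, 80)]

def cost_per_packet(n: int) -> int:
    """Filter comparisons one test packet costs with n filters installed."""
    idx, comparisons = evaluate(build_filters(n), TEST_PKT)
    assert idx == n - 1          # the test traffic must land on the last filter
    return comparisons

def hit_log(filters: list) -> list:
    """Hit counter per filter, the way the routers' filter logging reports it."""
    return [f.hits for f in filters]

if __name__ == "__main__":
    for n in (8, 16, 64, 256):
        print(f"{n:4d} filters -> {cost_per_packet(n):4d} comparisons per packet")
```

The per-packet cost climbs linearly with the list length, which is why a single-CPU design suffers once the list is long while hardware-assisted lookups do not.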
