Yes, it's true, but you must isolate 2 concepts here. PIX doesn't run IOS; it uses software called PIX software (yes, Cisco has a lot of art naming devices). All mid- to high-range PIXes (515E, 525 and 535) are Intel Pentium based, and in standard configuration they do the encryption in the main CPU. Now they (Cisco) made a new VAC (VPN accelerator card) that the routers / switches+routers (like 6500's) and PIXes use to do the encryption via hardware (those chips are not Intel based). So, PIX uses main x86 processors to do the encryption job if there isn't any VAC installed, in this case all the encryption processes are passed to the VAC. It works in the same way in some routers, not all.

I hope it helps.

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On behalf of Daniel Chemko
Sent: Friday, June 04, 2004 13:40
To: Aldo Lagana; Brett Simpson; netfilter@xxxxxxxxxxxxxxxxxxx
Subject: RE: Poll on large sites that deploy Iptables.

Aldo Lagana wrote:
> First off - like AOL, IBM, etc - all use high-end probably cisco
> routers which do their firewalling - one cannot get the packet per
> second throughput they need without dedicated ASIC-based
> router/firewalls...

Correct me if I'm wrong, but aren't (at least mid-sized) CISCO firewalls based on X86's down to the PCI bus and Pentium derived processors? Even mid-grade routers are supplying VPN accelerator chips, but I think the firewall code itself is stored in flash, executed like any other programs. I doubt IOS uses a lot of hardware acceleration beyond the CPU. Although I really don't know much since I haven't done much work on them.

An example:
(http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a0080091b17.shtml)
Even the 535's only use PIII 1GHz