What router functions require heavy CPU usage?

EnthusiastXYZ (joined Jun 26, 2020; 221 messages)
Routers are becoming more powerful, each with their own onboard CPUs, RAM, etc.

Primary inquiry:
What router functions benefit from powerful onboard processing components? I know encryption is one such function, because installing an SSL certificate (for login) on an old DD-WRT router made Web GUI navigation significantly slower and increased CPU usage. What about VLAN and other isolation functions?

Secondary inquiry:
Does it take more processing power for a router to drop/reject an outbound/inbound/forwarded packet (due to established NAT port rules) or to process it?
 
Router? Firewall? Which model? Many designs have ASICs or hardware to process packets, so it all depends. Generally management is in software, and sometimes routing protocol calculations. Logging. It all depends.
 
Assuming that by router you're referring to a firewall: in general the most intensive processes are encryption related and generally CPU-bound; RAM and storage are used very little:

  • IPS/IDS function (CPU)
  • Logging (CPU, some storage)
  • S2S/VPN Access (CPU) ~ however this is generally most intensive on the client side for users accessing.
  • Application/packet inspection and filtering (CPU)
Most standard functions such as rule processing, drop/reject and inbound/outbound rules are not very resource intensive unless you have hundreds/thousands of them including the VLAN and standard traffic routing.
 
1. I'm going to assume that by firewall you mean a modern security appliance here.

Accessing the interface over SSL isn't something I would consider a challenge; that sounds like a specific issue with an old DD-WRT router.

Things that can be intensive for firewall / security appliances:

  • VPN
  • Web Content Filtering
  • IPS (Intrusion Prevention)
  • Inline Malware Scanning
  • Any other advanced security / inspection / analytics / SD-WAN etc.

Generally the latter ones are the most significant.

It's also worth mentioning that most 'routers' route between VLANs less efficiently than a Level 3 switch which will tend to do it at wire-speed due to ASIC use. Something to consider.

2. In normal scenarios, no. General firewall rules are normally the least intensive thing a 'firewall' has to do all day. If traffic reaches abnormal levels this can cause problems though. E.g. DDoS.
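The point made in the two answers above (the verdict itself is cheap; cost comes from how many rules a packet walks through before matching, and established flows skip the walk entirely) can be shown with a small model. This is an added example, not code from any poster or from any real firewall; the packet filter, the rule chain and the sample addresses are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" (from WAN) or "out" (from LAN); constructed convention

@dataclass
class Rule:
    action: str                      # "accept" or "drop"
    direction: Optional[str] = None  # None matches either direction
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return self.direction in (None, pkt.direction) and self.dport in (None, pkt.dport)

class Filter:
    """First-match rule chain with a connection table consulted first (toy model)."""
    def __init__(self, rules, default="drop"):
        self.rules, self.default = rules, default
        self.conntrack = set()  # flows already accepted, stored in both orientations

    def handle(self, pkt: Packet):
        """Return (verdict, number_of_rules_evaluated)."""
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.conntrack:
            return "accept", 0  # established flow: no rule walk at all
        for n, rule in enumerate(self.rules, 1):
            if rule.matches(pkt):
                if rule.action == "accept":  # remember the flow and its reply direction
                    self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                    self.conntrack.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return rule.action, n
        return self.default, len(self.rules)  # fell through the whole chain

def demo():
    # 1 outbound-allow rule followed by 50 inbound port-forward rules, default drop.
    rules = [Rule("accept", "out")] + [Rule("accept", "in", dport=p) for p in range(10000, 10050)]
    fw = Filter(rules)
    out_syn = Packet("10.0.0.5", 40000, "203.0.113.9", 443, "out")       # constructed
    reply = Packet("203.0.113.9", 443, "10.0.0.5", 40000, "in")          # constructed
    unsolicited = Packet("198.51.100.7", 5555, "10.0.0.5", 22, "in")     # constructed
    return {
        "outbound_new": fw.handle(out_syn),          # matches rule 1: cheap accept
        "established_reply": fw.handle(reply),       # conntrack hit: zero rules evaluated
        "unsolicited_in": fw.handle(unsolicited),    # walks all 51 rules before default drop
    }
```

Swapping the default for an explicit early drop of unsolicited inbound traffic makes the third case as cheap as the first, which is why rule count and ordering, not drop versus forward, drive CPU cost.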
 
It's a good rule of thumb to determine what rules you need / would like and that will generally drive your hardware requirements (e.g. more exposed surface is going to require more monitoring; also, more complex IPS rules are going to require more cycles) -- this is based upon what services you want externally accessible. A simple block all externally-initiated traffic is easy-peasy for hardware.

I am going with something more robust (and admittedly, it's absolute overkill to a ridiculous degree) because I want to finely tune suricata, run DPI/proxies/dns blocking/etc, aes256-gcm remote access, and learn other level 3 services. As dave mentioned above, I am also a firm believer in a one in and one out design for my edge devices; switches with dedicated ASICs will give you much better performance for VLANs/etc.
 