David asked me an interesting question:
Can you comment on the performance differences between zone-based firewalls and the classic Content-Based Access Control (CBAC) IOS firewall? I’m running into issues where the router is running VoIP and CBAC, and call quality issues are appearing during heavy data usage.
I never did performance tests with one or the other, but I wouldn’t expect the zone-based firewall (ZFW) performance to exceed CBAC. They use the same (or at least very similar) code, ZFW is primarily a different method of configuring the same functionality.
Does anyone have different experience? It looks like Colin McNamara disagrees with me, but the document with performance data I found at Cisco’s web site does not list different figures for CBAC and ZFW (and they would surely make them public if the ZFW would be way better than CBAC).