Another thing to keep in mind is that IP multicast is particularly bad on the FWSM, because multiple VLANs receiving a single stream will duplicate the multiple copies of identical traffic down the same EtherChannel member -- along with any other unicast or multicast traffic that happens to have the same EtherChannel hash. Something to watch for normal traffic, and definitely something to be concerned about if you have a multicast flood (particularly the innocent unicast victims).
dp

-----Original Message-----
From: Peter Rathlev <pe...@rathlev.dk>
Date: Thu, 2 Jun 2011 14:22:23 -0700
To: Jeff Bacon <ba...@walleyesoftware.com>
Cc: "cisco-nsp@puck.nether.net" <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] cat6500/fwsm performance

On Thu, 2011-06-02 at 15:09 -0500, Jeff Bacon wrote:
> I'm seeing round-trip latencies of approx 250us pushing data through the
> FWSM,

That latency sounds much like what we're seeing, around 300 us.

> and a relatively ridiculously high rate of packet loss.

Two things to keep in mind:

1) Any one flow cannot exceed 1 Gb/s, since the connection to the FWSM is a 6 port etherchannel.

2) Traffic that cannot be "fast switched" in the firewall will overload it easily.

An iperf UDP session resulted in 30% packet loss @ 300 Mbps here. Fast switched traffic (like regular TCP) is no problem.

> This is just with having the firewall in transparent mode, two hosts
> on one vlan and two hosts on another VLAN bridged via the FWSM, with
> all inspection turned off.
>
> Are these cards _really_ that bad? Or am I missing something really
> dumb and obvious here?

I've only ever used routed mode and have no idea if transparent is different performance wise.

--
Peter

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/