RE: Load Balancing Across Multiple PIX

[Stanfield Hilman B (Brad) CONT NSSG]

Be VERY careful of sales pitches...
1Gbps cleartext may well be only a few Mbps in a full encryption mode.
Case in point, after much research and many sales pitches, my site settled
on Alcatel TimeStep VPN's to replace older Motorola NES's. Alcatel's pitch
was that their top of the line series could pass a consistent 70Mbps
Encrypted. (With Fast Ethernet input and output, 100Mbps cleartext. As one
of the few devices that were FIPS 140-1 certified at the time, (A
requirement we made from the beginning), we went with them. When we started
in house testing, we found that when configured in FIPS mode, 3DES, SHA1,(As
required by us) they would only pass 6Mbps!!!! When we finally got to talk
to someone that truly had a clue, we were informed that in order to meet
FIPS certification, that all data must pass through a FIPS certified module
on the mainboard. This module was the same one that was used on their lower
speed units, and the throughput was 6Mbps!
But we had failed to ask the proper questions so they had done nothing
wrong.
Needless to say, we are now stuck with equipment that will still improve our
throughput from what it was, but it's no where near what we thought we were
going to get.
Pay very close attention, and do your homework.

************************************************************************
Brad Stanfield CCNA/CCDA
Network/Integration Engineer
[EMAIL PROTECTED]
Government Micro Resources
 Network Operations Control Center
Norfolk Naval Shipyard
Bldg 33 NAVSEA NCOE
757-393-9526
1-800-626-6622




-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 16, 2001 3:57 PM
To: '[EMAIL PROTECTED]'; Rossetti, Stan
Subject: Re: Load Balancing Across Multiple PIX 


Stan,

As pointed out by others, your best bet for load-balancing across 
multiple PIX boxes is an external load-balancer ala local-director, 
arrowpoint, foundry, etc.

However, in regards to throughput, Cisco claims 1Gbps cleartext 
throughput on the new PIX 535.  At that speed, its doubtful you 
need load-balancing for most environments.

HTH,
Kent

On 7 Mar 2001, at 10:01, Rossetti, Stan wrote:

> Hello Everyone,
> 
> Does anybody know if it is possible to load balance across multiple
> PIX firewalls?  I have looked at numerous Cisco web pages, but never
> any mention of load balancing.  I have talked to a sales engineer and
> he has said that to get 1GB of throughput from a PIX firewall, you
> need to install 3 PIX firewalls and do load balancing across them. 
> The max throughput from one PIX is 370MBps.  Of course, I can't get
> the sales engineer to return my call now.  Doe anyone know if this is
> true?  Do you have to have 3 PIX to do load balancing?  I would like
> to just do load balancing across 2 PIX firewalls. Is this possible?
> 
> Thanks in advance.
> 
> 
> 
> 
> Thanks
> 
> Stan Rossetti
> 
> 
> NASA - PriSMS
> Advanced Technology Group
> Voice:  (256) 544-5031
> Email:  [EMAIL PROTECTED]
> Beeper:  544-1183 pin 0112
> 
> CCDA, CCNA, CCSE
> 
> _________________________________
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html Report misconduct and
> Nondisclosure violations to [EMAIL PROTECTED]


_________________________________
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]