Although I agree on the PIX being able to handle the load; other
considerations may include:
* The traffic from the DMZ through the PIX to the internal servers ...
depending on how their applications/web servers work in conjunction with the
db servers there could be significant load there

Of course, the counter-point to that is - even with the DMZ interface max'ed
out you are looking at 100mbps ... and 4 T1's max'ed out = 6mbps .. so still
a max incoming load of 106mbps, well below the PIX's ability.
<besides - realistically - you will never get the full rated capacity of the
wire anyway :)>


Thanks!
TJ

 -----Original Message-----
From:   Groupstudy [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, March 15, 2001 22:47
To:     [EMAIL PROTECTED]
Subject:        Re: PIX Performance

Bottlenecks almost always end up being the smallest pipe on a network.  In
your case you have a possible 4 T1's which even when all are fully utilized
will only pass around 6mb of traffic per second.   Even your darn 10 baseT
ethernet pipes could handle that.  The PIX can handle up to 170mb per second
and won't even blink at 4 fully loaded T1's.  I suggest you give the client
the numbers and let them do the math.  After they have done their own math,
and if they are still not convinced you're right, may I suggest you ask them
why they need your help, they obviously know more about the matter at hand
than you do :-)


----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 15, 2001 6:33 PM
Subject: PIX Performance


> Hello everyone.  Here is the situation.  A client of mine plans on setting
> up some DMZs off either a PIX 515 or 525.  Servers will consist of smtp
> relay, ftp,  2 to 4 web servers, 2 OWA servers, and 5 to 10 web app servers.
> Inside (the internal LAN), there are about 10 servers, some database, which
> dmz servers will need to access.  They currently have 2 T1s for external
> access to these DMZ based servers (no internally initiated web traffic), and
> do not plan to upgrade to more than 4 T1s anytime soon.  To the point, the
> client claims that the PIX will be unable to handle all the traffic from the
> front end and the access to the back end and that it will become a
> performance bottleneck with an extremely complicated, long rule set.  My
> experience and opinion tell me that the PIX will do just fine and could
> probably handle a hell of a lot more.  It is doing static NAT also but not
> any VPN stuff.  If anything, with about 6000 remote clients accessing
> certain servers throughout the day, the potential bottleneck will be the
> 2 T1s or the 2610 router in front of the PIX, not the PIX itself - but he
> won't believe me!  I have plenty of performance test results and have
> implemented multiple PIXs and some Check Point Firewalls.  Am I missing
> something?  How do I convince him?
> Since this may not be perceived as a certification issue, you should
> probably answer me directly and not clog up the list.  Thank-you in
> advance...
>
> David Raker CCDP, CCNP, MCSE, MCP + Internet
>
> _________________________________
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
