What is the client suggesting?  Sounds like they are
more concerned with the app boxes talking to the
backend (which may be off another interface on the
PIX).  You can always suggest that they use Gigports on
the higher end PIXes for those nets...

Here is a question you may want to ask (which no
developer is yet to answer to me) how much traffic
will be there per session and how many sessions do
they expect.  Usually even if they give you a high
number in their mind, when you do the per second
bandwidth requirement math it comes out to very low
amounts.

moe.

--- "Evans, TJ" <[EMAIL PROTECTED]> wrote:
> Although I agree on the PIX being able to handle the
> load; other
> considerations may include:
> * The traffic from the DMZ though the PIX to the
> internal servers ...
> depending on how their applications/web servers work
> in conjunction with the
> db servers there could be significant load there
> 
> Of course, the counter-point to that is - even with
> the DMZ interface max'ed
> out you are looking at 100mbps ... and 4 T1's max'ed
> out = 6mbps .. so still
> a max incoming load of 106mbps, well below the PIX's
> ability.
> <besides - realistically - you will never get the
> full rated capacity of the
> wire anyway :)>
> 
> 
> Thanks!
> TJ
> 
>  -----Original Message-----
> From:         Groupstudy [mailto:[EMAIL PROTECTED]] 
> Sent: Thursday, March 15, 2001 22:47
> To:   [EMAIL PROTECTED]
> Subject:      Re: PIX Performance
> 
> Bottlenecks almost always end up being the smallest
> pipe on a network.  In
> your case you have a possible 4 T1's which even when
> all are fully utilized
> will only pass around 6mb of traffic per second.  
> Even your darn 10 baseT
> ethernet pipes could handle that.  The PIX can
> handle up to 170mb per second
> and won't even blink at 4 fully loaded T1's.  I
> suggest you give the client
> the numbers and let them do the math.  After they
> have done their own math,
> and if they are still not convinced you're right, may
> I suggest you ask them
> why they need your help, they obviously know more
> about the matter at hand
> than you do :-)
> 
> 
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, March 15, 2001 6:33 PM
> Subject: PIX Performance
> 
> 
> > Hello everyone.  Here is the situation.  A client of mine plans on
> > setting up some DMZs off either a PIX 515 or 525.  Servers will
> > consist of smtp relay, ftp, 2 to 4 web servers, 2 OWA servers, and
> > 5 to 10 web app servers.  Inside (the internal LAN), there are about
> > 10 servers, some database, which dmz servers will need to access.
> > They currently have 2 T1s for external access to these DMZ based
> > servers (no internally initiated web traffic), and do not plan to
> > upgrade to more than 4 T1s anytime soon.  To the point, the client
> > claims that the PIX will be unable to handle all the traffic from
> > the front end and the access to the back end and that it will become
> > a performance bottleneck with an extremely complicated, long rule
> > set.  My experience and opinion tell me that the PIX will do just
> > fine and could probably handle a hell of a lot more.  It is doing
> > static NAT also but not any VPN stuff.  If anything, with about 6000
> > remote clients accessing certain servers throughout the day, the
> > potential bottleneck will be the 2 T1s or the 2610 router in front
> > of the PIX, not the PIX itself - but he won't believe me!  I have
> > plenty of performance test results and have implemented multiple
> > PIXs and some Check Point Firewalls.  Am I missing something?  How
> > do I convince him?  Since this may not be perceived as a
> > certification issue, you should probably answer me directly and not
> > clog up the list.  Thank-you in advance...
> >
> > David Raker CCDP, CCNP, MCSE, MCP + Internet
> >
> > _________________________________
> > FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> > Report misconduct and Nondisclosure violations to
> [EMAIL PROTECTED]
> >
> 


=====
_____________________________________________
Moe Tavakoli
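
The per-second bandwidth math discussed in this thread, as an added example (not code from any of the posters). The 170 Mbps PIX figure and the 100 Mbps DMZ interface come from the thread; the per-session size, busy hours, peak factor, backend ratio and the Fast Ethernet inside interface are constructed assumptions to replace with the client's own numbers.

```python
T1_MBPS = 1.544      # line rate of one T1
PIX_MBPS = 170.0     # PIX throughput figure quoted in the thread
FE_IF_MBPS = 100.0   # DMZ interface (thread); inside interface assumed the same


def peak_offered_mbps(sessions_per_day, kbytes_per_session, busy_hours, peak_factor):
    """Turn 'sessions per day' into a peak per-second load in Mbps."""
    bits = sessions_per_day * kbytes_per_session * 1000 * 8
    average_mbps = bits / (busy_hours * 3600) / 1e6
    return average_mbps * peak_factor


def utilisation(offered_mbps, t1_count, backend_ratio):
    """Fraction of capacity used on each hop of the path.

    backend_ratio: Mbps of DMZ-to-inside (app/db) traffic generated per
    Mbps of front-end traffic. The firewall never sees more front-end
    traffic than the T1s can deliver, so that load is capped at the WAN.
    """
    wan_cap = t1_count * T1_MBPS
    front = min(offered_mbps, wan_cap)
    back = front * backend_ratio
    load = {
        "wan": (offered_mbps, wan_cap),         # may exceed 1.0 = saturated
        "dmz_if": (front + back, FE_IF_MBPS),   # carries both flows
        "inside_if": (back, FE_IF_MBPS),
        "pix": (front + back, PIX_MBPS),        # forwards both flows
    }
    return {hop: used / cap for hop, (used, cap) in load.items()}


def bottleneck(util):
    """Hop with the highest utilisation."""
    return max(util, key=util.get)


if __name__ == "__main__":
    # Constructed input: 6000 sessions/day of 200 KB each, 8 busy hours,
    # 5x peak-to-average, 3 Mbps of backend traffic per front-end Mbps.
    offered = peak_offered_mbps(6000, 200, 8, 5)
    for t1s in (2, 4):
        u = utilisation(offered, t1s, backend_ratio=3)
        print(t1s, "T1s:", {k: f"{v:.1%}" for k, v in u.items()},
              "-> bottleneck:", bottleneck(u))
```
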
