I have approximately 2 million hits a day on web pages behind a pair of PIX
515's in failover and send out a little more than a million subscription
(not spam) emails every night and the only issue I have is that the
available 1550 (Ethernet) blocks drops to zero at times during the 3 or 4
hours in the middle of the night that I'm shoving out all of that email. We
even run some small animated Flash things on some pages however I don't
serve any streaming media. I do have FTP services that serve from 1500-2000
users anywhere from 10 to 100MB each daily. Now the FTP users are pulling
packages of graphics though, not 700MB ISO CD images. During the day, when
the lion's share of the web activity occurs, I never notice any of the PIX's
resources taxed to anywhere close to a point I consider worrisome. The boxes
I have to keep an eye on are my 3640 routers. That's where I see the meters
pegging, mostly in the mornings when people check their morning emails. I
used to have QoS running on them for certain traffic I wanted to restrict
bandwidth on but that absolutely choked the CPUs in the AM. Never seen a
router CPU run at 100% use and stay there until then. Had to remove it. Like
Charles said, a single user will open many connections on one web page hit but
each individual connection is not open too long. The PIX just keeps on chuggin'
right along. Now I run no encryption on that pair and have tunnels in from
the outside coming in thru another PIX that processes no web traffic. These
2 boxes are simple firewalls. I would like to upgrade to at least 525's (not
to mention a beefier router) or just a REALLY beefy router running firewall
IOS but, alas, it's not in the budget this year so I chug right along with
my 515's doing exactly what I need them to.  If you're not running really
big flash animations, streaming media or some other big bandwidth hog type
of traffic, you don't have a bunch of secure tunnels built or your 2 million
users don't all hit within a 2 hour time frame I really doubt you'll have
any issues with a 515 or bigger box but I would personally recommend bigger
than a 515 with the idea in mind of a little room for your business to grow
and not max'ing out the box in 6 months or a year.  Our traffic has only
seen modest growth over the last 2 years or so. I believe we still have
quite a bit more we can squeeze out of the PIX's before we have no choice
but to upgrade.

That's my experience anyway. Don't know how closely your requirements match
mine though. Hope this helps.
 

Mark


Quoting Charles Riley:

> I believe that if you check the Cisco website or documentation, you will see
> that it defines a session as a single TCP or UDP connection.  If somehow you
> had 2M users, yet their total number of sessions never exceeded 500K, then
> your firewall could handle 2M users.  I am not addressing performance at all
> here.
>
> Realistically, though, your users are going to have any number of sessions
> established as they read their email, check the web, download files, and so
> on.  It's possible that your 500K PIX firewall could only be able to handle
> about 5K or 50K of your users if they are the kind of users to keep hundreds
> or thousands of sessions going at once.
> 
> HTH,
> 
> Charles
> 
> 
> "Kenan Ahmed Siddiqi" wrote in message news:[EMAIL PROTECTED]...
> > Hello groupies,
> > I was reading the PIX book and it apparently said that the no. of connections
> > supported by a PIX firewall (higher order) is 500,000. Does this mean that
> > up to 500,000 sessions can be established or something else? If so, what do I
> > do if I have a throughput of say 2 million users? Thanks in adv.
> >
> > Cheers,
> >
> > Kenan
> [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62587&t=62575