BEFORE CONTINUING, THIS IS LONG... SORRY

> Date: Sat, 3 Apr 1999 10:39:55 -0800 (PST)
> From: Roger Marquis <[EMAIL PROTECTED]>
> Subject: RE: Throughput

I have left the topic the same because both Roger's and Mike's questions are
related, in a fashion.

> Speaking of CPU, does anyone have a recommendation for a Cisco that is
> capable of routing 30mbps-out and 15mbps-in?  I have a 2621 at a site
> doing streaming video however the CPU becomes pegged and packets are
> dropped at anything over ~35mbps (aggregate).  This seems odd for a
> router with 2 100base-T ports.

You need to look at what you are filtering, where, why and how.  The actual
rate of the interface has nothing to do with the throughput.  There are a 
few factors that need to be introduced into the mix to sort out what is going
on.

1.  Are you filtering in or out?
2.  What is the packet rate for the router (CPU)?
3.  Process or fast switching?
4.  Average packet size?

Here is how you get the information (numbered to match the headings above):

1.  You should know this if you are managing the router.  Outbound ACLs are
    supposed to be faster.

2.  The packet rate for the router can be found online on CCO.  I can't remember
    what the 2600 rates are, but the 2500 rates are 6000 and 1000 pps (packets
    per second).

3.  The two rates in (2) are related to the way you are processing the traffic.
    If you are using ACLs you are likely using process switching.  This limits
    a Cisco 2500 back to a max of 1000 pps.  If you are doing plain Jane routing
    you will achieve 6000 pps with fast switching enabled.  (Please note that I
    have simplified this a fair bit.)

4.  Your average packet size determines the total throughput.  The BIGGER the
    packet, the better the throughput.  The smaller the packet, the less you
    get through.  Research the RMON features; these can actually give you counts
    and classifications of packet sizes, very handy stuff for this sort of
    mathematics.  Otherwise you're going to have to guess.


Put it together like this:

        Throughput/sec = switchType.pps * packet.size.bits

ie      X/sec = 1000 * 512

On Ethernet the minimum frame is 512 bits and the maximum is 12144 bits.

With ACLs and the smallest packet size the router is capable of 512 kbit/sec.
That's quite a bit less than the rated 10 Mbit/sec Ethernet such as on a
Cisco 2514.

But wait, there's more.  Even with process switching with small packets you
don't get much beyond 3Mb/sec.  BTW, if you weren't on a well configured 10Mbit
LAN or didn't require the bandwidth, 3Mb/sec isn't an issue on ethernet anyway.

* The only pps rating that I could find quickly for the 2621 was 25000pps.  I 
  would hazard that that rate is the top end, fast switch rate.  When
  calculated at worst case rates of 512bit packets that's 12.5 Mbit/s.
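The arithmetic above, as an added example that is not part of the original post: the pps ceilings are the ones quoted in this thread, and the RMON-style packet-size histogram is a constructed stand-in for the etherStats size buckets the post suggests collecting.

```python
import math

ETH_MIN_FRAME_BITS = 512      # 64-byte minimum Ethernet frame (per the post)
ETH_MAX_FRAME_BITS = 12144    # 1518-byte maximum Ethernet frame (per the post)

# pps ceilings quoted in the thread (CCO figures as recalled by the author)
PPS_CEILING = {
    "2500 process-switched (ACLs)": 1000,
    "2500 fast-switched": 6000,
    "2621 fast-switched": 25000,
}

# Constructed RMON-style histogram {frame size in bytes: frames seen}, a
# stand-in for the etherStats size buckets; the bucket floor is used as the
# representative size, which slightly understates the real average.
SAMPLE_HISTOGRAM = {64: 600, 128: 100, 256: 50, 512: 50, 1024: 100, 1518: 100}


def throughput_bps(pps: int, packet_bits: float) -> float:
    """Throughput/sec = switchType.pps * packet.size.bits (the post's formula)."""
    return pps * packet_bits


def average_frame_bits(histogram: dict) -> float:
    """Frame-count-weighted average frame size in bits from a size histogram."""
    frames = sum(histogram.values())
    return sum(size * 8 * count for size, count in histogram.items()) / frames


def required_pps(target_bps: float, packet_bits: float) -> int:
    """Packet rate the router must sustain to carry target_bps at this frame size."""
    return math.ceil(target_bps / packet_bits)


def worst_case_table() -> dict:
    """Throughput of each quoted platform when every frame is minimum size."""
    return {name: throughput_bps(pps, ETH_MIN_FRAME_BITS)
            for name, pps in PPS_CEILING.items()}


if __name__ == "__main__":
    for name, bps in worst_case_table().items():
        print(f"{name:30s} {bps / 1e6:6.2f} Mbit/s at 64-byte frames")
    avg = average_frame_bits(SAMPLE_HISTOGRAM)
    print(f"sample mix: avg frame {avg / 8:.0f} bytes -> "
          f"{throughput_bps(25000, avg) / 1e6:.1f} Mbit/s at 25000 pps")
    # the ~35 Mbit/s aggregate at which the 2621 in the thread pegs, all at 64-byte frames
    print(f"35 Mbit/s of 64-byte frames needs {required_pps(35e6, ETH_MIN_FRAME_BITS)} pps")
```

Feeding a real RMON size distribution into `average_frame_bits` turns the worst-case figure into a baseline for the actual traffic mix, and `required_pps` shows how far a given aggregate rate sits above the platform's pps ceiling.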

> The internal 100base-T port is connected to a 2900 switch and the
> external to another (unknown) switch.  There is one route (default), 21
> out-filters on the internal interface, and 7 in-filters on the external
> interface.  Nothing unusual in the setup however the CPU is often

You're using ACLs, so the pps is going to be down, likely by quite a bit.

> pegged at just 20/255 tx/rxload (per "sh inter").  Cisco engineering
> maintains that the router should be able to handle the load but it
> can't.  The only recommendation they were able to make is to upgrade to
> a 3000 or 4000 series.

I've got 3640's and I'd be in the same situation except I have put the ACLs
on a separate router that will take the load off the main router, leaving the
3640 to worry about internal routing and a 2514 to handle any external networks.  Most
of the external networks that I'm handling are 128k through 512k links so the
performance of the LAN is not an issue.  The 4000 has a
worse rating than the 3600's.  Between the models (you've mentioned) the 3640
is top of the list.

> It seems odd that a Nokia running FW-1 has been tested at 98mbps while
> a 2621 running IOS can't do 1/3rd that.

Hopefully not now...

>> > When using a router (Cisco 7500 series) as a Packet Filtering firewall,
>> > what is the best way to measure actual throughput?  With an ACL that is
>> > huge, (over 7 pages when printed out) is there any measurable degradation
>> > of service? I have been told that there are some tools which can perform
>> > offline assessments with regard to the efficiency of placement of the rule
>> > statements, but unfortunately have not been able to locate said resource.

Mike with the 7500 is in the same boat to a degree, however the technology
options in the 7500 kick-ass on access systems that I spend all my time playing
with.

It sounds like a bit of a job to manage, seven pages of ACL.  I'd be
getting concerned about the validity of the entries in the ACL and probably
look at what other options I would have, i.e. user-based firewall authentication,
single entry/exit points through proxy gateways, aggregating statements... KISS, because
every time you edit that ACL, you're risking getting bit by it.

I went to a site the other day that had a single ACL on their Ethernet interface,
about 4 pages long.  After cleaning out the ACLs for routes that
didn't exist, changing the statements to explicit permit and breaking the ACLs
out to the appropriate interfaces I ended up with 3/4 of a page for three interfaces
and we could see exactly what was permitted out where.  No guessing, and simple to
monitor and edit.  Then again, you're on probably the biggest,
busiest network in the world with a decent size router plugged into the
backbone and filtering at that point, good luck...

For performance I use baselines I generate and measure traffic differences using tools 
such as RMON and SNMP.  This gives me a decent view of the world.

As an end note, ACLs are not the only thing that changes the switching method; there are
some others that come to mind such as tunnelling and queuing.

Good luck and spend some time on CCO.  It's all in there, somewhere...

Invite your local friendly cisco rep in for a couple of hours to help out...


Finally:

Sorry about the length of the e-mail, but I think that this is pretty
relevant to this area.  Performance of the router component tends not to
get a mention here very often over the last couple of years I've been
following this list.  We normally comment on the "Firewall" performance and
forget that the firewall is a conglomerate of devices and techniques.  The weakest
link is what kills the finished product in the end, and that means throughput as
well as security.


---------------------------------------------------------------
Anthony Burow
Communications and Systems Infrastructure
Bechtel, Comalco Alumina Project
Brisbane, Australia.
---------------------------------------------------------------
work: [EMAIL PROTECTED], [EMAIL PROTECTED]
home: [EMAIL PROTECTED]
---------------------------------------------------------------
NOTE:  If you've got this tagline then I'm at home. 
---------------------------------------------------------------
