Um, okay. Really quickly...

I just had this throughput thing come up for a local client.

Cisco tell me that the pps rates are:

2621: Process 1500 pps / Fast 15000 pps
3640: Process 4000 pps / Fast 40000 pps

I'm actually still looking for a raw PPS measurement for the PIX, but the
blurb says something like 170Mb aggregate and points at some testing
results.

Their suggestion was (of course) that if you want a heap faster than either
of those you'd be better with a PIX or a Cat 5500 with the route switch
module. The Cat 5500's throughput is in the millions of pps, so wire speed
for all intents and purposes.

I don't know if you're doing context based stuff with your existing router
though - I don't think the 5500 supports IOS / Firewall feature set.

Cheers,

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520

        -----Original Message-----
        From:   [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
        Sent:   Wednesday, April 07, 1999 12:02 AM
        To:     [EMAIL PROTECTED]
        Subject:        Re: Throughput

        BEFORE CONTINUING, THIS IS LONG... SORRY

        > Date: Sat, 3 Apr 1999 10:39:55 -0800 (PST)
        > From: Roger Marquis <[EMAIL PROTECTED]>
        > Subject: RE: Throughput

        I have left the topic the same because both Roger's and Mike's
        questions are related, in a fashion.

        > Speaking of CPU, does anyone have a recommendation for a Cisco that
        > is capable of routing 30mbps-out and 15mbps-in?  I have a 2621 at a
        > site doing streaming video however the CPU becomes pegged and
        > packets are dropped at anything over ~35mbps (aggregate).  This
        > seems odd for a router with 2 100base-T ports.

        You need to look at what you are filtering, where, why and how.  The
        actual rate of the interface has nothing to do with the throughput.
        There are a few factors that need to be introduced into the mix to
        sort out what is going on.

        1.  Are you filtering in or out
        2.  What is the packet rate for the router (CPU)
        3.  Process or Fast switching
        4.  Average packet size

        Here is how you get the information (relates to the headings above):

        1.  You should know this if you are managing the router.  Outbound
            ACLs are supposed to be faster.

        2.  The packet rate for the router can be found online on CCO.  I
            can't remember what the 2600 rates are but the 2500 rates are
            6000 and 1000 pps (packets per second).

        3.  The two rates in (2) are related to the way you are processing
            the traffic.  If you are using ACLs you are likely using Process
            Switching.  This limits a cisco 2500 back to a max of 1000pps.
            If you are doing plain Jane routing you will achieve 6000pps with
            fast switching enabled.  (Please note that I have simplified this
            a fair bit.)

        4.  Your average packet size determines the total throughput.  The
            BIGGER the packet, the better the throughput.  The smaller the
            packet, the less you get through.  Research the RMON features;
            these can actually give you counts and classifications of packet
            sizes, very handy stuff for this sort of mathematics.  Otherwise
            you're going to have to guess.


        Put it together like this:

                Throughput/sec = switchType.pps * packet.size.bits

        i.e.    X/sec = 1000 * 512

        On ethernet the min frame is 512 bits, the max is 12144 bits.

        With ACLs and the smallest packet size the router is capable of
        512kbit/sec.  That's quite a bit less than the rated 10Mbit/sec
        ethernet such as on a cisco2514.

        But wait, there's more.  Even with process switching with small
        packets you don't get much beyond 3Mb/sec.  BTW, if you weren't on a
        well configured 10Mbit LAN or didn't require the bandwidth, 3Mb/sec
        isn't an issue on ethernet anyway.

        * The only pps rating that I could find quickly for the 2621 was
          25000pps.  I would hazard that that rate is the top end, fast
          switch rate.  When calculated at worst case rates of 512bit packets
          that's 12.5 Mbit/s.

        > The internal 100base-T port is connected to a 2900 switch and the
        > external to another (unknown) switch.  There is one route
        > (default), 21 out-filters on the internal interface, and 7
        > in-filters on the external interface.  Nothing unusual in the setup
        > however the CPU is often

        You're using ACLs so the pps is going to be down, likely by quite a
        bit.

        > pegged at just 20/255 tx/rxload (per "sh inter").  Cisco
        > engineering maintains that the router should be able to handle the
        > load but it can't.  The only recommendation they were able to make
        > is to upgrade to a 3000 or 4000 series.

        I've got 3640's and I'd be in the same situation except I have put
        the ACLs on a separate router that will take the load off the main
        router, leaving the 3640 to worry about internal routing and a 2514
        to handle any external networks.  Most of the external networks that
        I'm handling are 128k through 512k links so the performance of the
        LAN is not an issue.  The 4000 has a worse rating than the 3600's.
        Between the models (you've mentioned) the 3640 is top of the list.

        > It seems odd that a Nokia running FW-1 has been tested at 98mbps
        > while a 2621 running IOS can't do 1/3rd that.

        Hopefully not now...

        >> > When using a router (Cisco 7500 series) as a Packet Filtering
        >> > firewall, what is the best way to measure actual throughput?
        >> > With an ACL that is huge (over 7 pages when printed out), is
        >> > there any measurable degradation of service?  I have been told
        >> > that there are some tools which can perform offline assessments
        >> > with regard to the efficiency of placement of the rule
        >> > statements, but unfortunately have not been able to locate said
        >> > resource.

        Mike with the 7500 is in the same boat to a degree, however the
        technology options in the 7500 kick-ass on the access systems that I
        spend all my time playing with.

        It sounds like a bit of a job to manage, seven pages of ACL.  I'd be
        getting concerned about the validity of the entries in the ACL and
        would probably look at what other options I would have, i.e. user
        based firewall authentication, single entry/exit points through proxy
        gateways, aggregating statements... KISS, because every time you edit
        that ACL you're risking getting bitten by it.

        I went to a site the other day that had a single ACL on their
        Ethernet Interface, about 4 pages long.  After cleaning out the ACLs
        for routes that didn't exist, changing the statements to explicit
        permit and breaking the ACLs out to the appropriate interfaces I
        ended up with 3/4 of a page for three interfaces and we could see
        exactly what was permitted out where.  No guessing and simple to
        monitor and edit.  Then again, you're on probably the biggest,
        busiest network in the world with a decent size router plugged into
        the backbone and filtering at that point, good luck...

        For performance I use baselines I generate and measure traffic
        differences using tools such as RMON and SNMP.  This gives me a
        decent view of the world.

        As an end note, ACLs are not the only way to change the switching
        method; there are some others that come to mind such as tunnelling
        and queuing.

        Good luck and spend some time on CCO.  It's all in there, somewhere...

        Invite your local friendly cisco rep in for a couple of hours to help
        out...


        Finally:

        Sorry about the length of the e-mail, but I think that this is
        pretty relevant to this area.  Performance of the router component
        tends not to have been mentioned here very often over the last
        couple of years I've been following this list.  We normally comment
        on the "Firewall" performance and forget that the firewall is a
        conglomerate of devices and techniques.  The weakest link is what
        kills the finished product in the end, and that means throughput as
        well as security.


        ---------------------------------------------------------------
        Anthony Burow
        Communications and Systems Infrastructure
        Bechtel, Comalco Alumina Project
        Brisbane, Australia.
        ---------------------------------------------------------------
        work: [EMAIL PROTECTED], [EMAIL PROTECTED]
        home: [EMAIL PROTECTED]
        ---------------------------------------------------------------
        NOTE:  If you've got this tagline then I'm at home. 
        ---------------------------------------------------------------

        -
        [To unsubscribe, send mail to [EMAIL PROTECTED] with
        "unsubscribe firewalls" in the body of the message.]
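The throughput arithmetic from Anthony's mail (pps budget times frame size, process versus fast switching, average packet size from RMON counters), worked through as an added example. This is not code from the original thread. The pps figures are the ones quoted above (Anthony's 2500 rates, the Cisco 2621 and 3640 rates Ben cites), the frame bounds are the 512-bit and 12144-bit Ethernet limits from the mail, and the "ACL on the path means process switching" rule is the mail's own simplification. The RMON size histogram and the 35 Mbit/s load are a constructed scenario modelled on Roger's question; using each RMON bucket's lower bound as the frame size is an assumption made here to get a worst-case average.

```python
import math

# Ethernet frame bounds used in the thread: 64 bytes = 512 bits, 1518 bytes = 12144 bits.
ETH_MIN_FRAME_BITS = 64 * 8
ETH_MAX_FRAME_BITS = 1518 * 8

# (process-switched pps, fast-switched pps) as quoted in the thread:
# Anthony's figures for the 2500, Ben's Cisco figures for the 2621 and 3640.
PPS_RATINGS = {
    "2500": (1000, 6000),
    "2621": (1500, 15000),
    "3640": (4000, 40000),
}

# Constructed RMON etherStats-style size histogram: bucket lower bound in bytes -> frames seen.
# Lower bounds are used on purpose (assumption) so the average is a worst case: most packets per bit.
SAMPLE_RMON_HISTOGRAM = {64: 3000, 65: 2000, 128: 1000, 256: 500, 512: 500, 1024: 3000}


def throughput_bps(pps: int, frame_bits: int) -> int:
    """Throughput/sec = switchType.pps * packet.size.bits, the formula from the mail."""
    return pps * frame_bits


def required_pps(offered_bps: float, frame_bits: int) -> int:
    """Forwarding rate needed to carry offered_bps of traffic in frame_bits-sized frames."""
    return math.ceil(offered_bps / frame_bits)


def avg_frame_bytes(histogram: dict) -> float:
    """Count-weighted average frame size from RMON-style size-bucket counters."""
    frames = sum(histogram.values())
    octets = sum(size * count for size, count in histogram.items())
    return octets / frames


def capacity_check(model: str, offered_bps: float, frame_bits: int, acl_on_path: bool) -> dict:
    """Apply the mail's simplification: an ACL on the path means the process-switching
    rate is the budget, otherwise the fast-switching rate.  Returns budget, need and verdict."""
    process_pps, fast_pps = PPS_RATINGS[model]
    budget = process_pps if acl_on_path else fast_pps
    need = required_pps(offered_bps, frame_bits)
    return {
        "model": model,
        "mode": "process" if acl_on_path else "fast",
        "budget_pps": budget,
        "required_pps": need,
        "max_bps": throughput_bps(budget, frame_bits),
        "fits": need <= budget,
    }


if __name__ == "__main__":
    # The mail's own number: a 2500 with ACLs and minimum-size frames.
    print("2500, ACLs, 64-byte frames:", throughput_bps(1000, ETH_MIN_FRAME_BITS), "bit/s")
    # Roger's scenario: ~35 Mbit/s aggregate through a 2621 with ACLs on both interfaces.
    for bits in (ETH_MIN_FRAME_BITS, ETH_MAX_FRAME_BITS):
        for acl in (True, False):
            print(capacity_check("2621", 35e6, bits, acl))
    # The same check with a measured size mix instead of a guess.
    avg_bits = round(avg_frame_bytes(SAMPLE_RMON_HISTOGRAM) * 8)
    print("average frame bits from the RMON sample:", avg_bits)
    print(capacity_check("2621", 35e6, avg_bits, True))
    print(capacity_check("2621", 35e6, avg_bits, False))
```

Run as a script it prints the 512 kbit/s figure from the mail and then the 2621 verdicts. The useful number is the one the formula makes obvious: even at maximum-size frames, a 1500 pps process-switching budget tops out at 1500 * 12144, about 18 Mbit/s, under the 35 Mbit/s that was failing, while the 15000 pps fast-switching budget covers it with room to spare. That is the arithmetic behind the advice to get the ACLs off the hot path or onto a box with a bigger pps rating.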
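Mike asked about offline tools that assess rule placement, and Anthony's reply is that a multi-page ACL should be cleaned up rather than tuned blindly. The following added example (not a Cisco tool and not code from this thread) shows what such an offline check can safely do: pull the entries with the most matches towards the top of an extended ACL, but only past earlier entries that cannot both match a packet or that would decide it the same way, so the ACL's decisions do not change. The `show access-lists` output it parses is constructed here; the parser assumes a subset of IOS syntax (`any`, `host A`, `A WILDCARD` with contiguous wildcard masks, and only a destination-port `eq`/`range` operator), and `decide()` is a plain first-match evaluator with the IOS implicit deny, used to confirm the reordered list agrees with the original on sample packets.

```python
import ipaddress
import re

# Constructed `show access-lists` style output: an IOS extended ACL with match counters.
SAMPLE_ACL = """\
Extended IP access list 101
    permit tcp any host 192.0.2.10 eq 25 (120 matches)
    deny   tcp 10.9.0.0 0.0.255.255 any eq 80 (4000 matches)
    permit tcp 10.0.0.0 0.255.255.255 any eq 80 (950000 matches)
    permit udp any any eq 53 (310000 matches)
    deny   ip any any (2200 matches)
"""

ACE_RE = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(.+?)\s*\((\d+) matches\)\s*$")
ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORT = (0, 65535)


def parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) and return (network, rest)."""
    if tokens[0] == "any":
        return ANY_NET, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    # ipaddress accepts an IOS wildcard (hostmask) after the slash, contiguous masks only.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Turn the counter output into a list of ACE dicts in configured order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # header line or blank
        action, proto, rest, hits = m.groups()
        tokens = rest.split()
        src, tokens = parse_addr(tokens)
        dst, tokens = parse_addr(tokens)
        if tokens and tokens[0] == "eq":
            ports = (int(tokens[1]), int(tokens[1]))
        elif tokens and tokens[0] == "range":
            ports = (int(tokens[1]), int(tokens[2]))
        else:
            ports = ANY_PORT
        aces.append({"action": action, "proto": proto, "src": src, "dst": dst,
                     "ports": ports, "hits": int(hits), "text": line.strip()})
    return aces


def overlaps(a, b):
    """True if some packet could match both entries."""
    if a["proto"] != b["proto"] and "ip" not in (a["proto"], b["proto"]):
        return False
    return (a["src"].overlaps(b["src"]) and a["dst"].overlaps(b["dst"])
            and a["ports"][0] <= b["ports"][1] and b["ports"][0] <= a["ports"][1])


def reorder_by_hits(aces):
    """Pull hot entries towards the top without changing what the ACL decides.

    Entry j must stay after an earlier entry i only if the two overlap AND take
    different actions; among entries whose constraints are met, the one with the
    most matches goes next (earlier configured index wins ties)."""
    n = len(aces)
    must_follow = {
        j: {i for i in range(j)
            if aces[i]["action"] != aces[j]["action"] and overlaps(aces[i], aces[j])}
        for j in range(n)
    }
    placed, order = set(), []
    while len(order) < n:
        ready = [j for j in range(n) if j not in placed and must_follow[j] <= placed]
        best = max(ready, key=lambda j: (aces[j]["hits"], -j))
        placed.add(best)
        order.append(best)
    return [aces[j] for j in order]


def decide(aces, proto, src, dst, dport):
    """First-match evaluation of one packet, with the IOS implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if (a["proto"] in ("ip", proto) and s in a["src"] and d in a["dst"]
                and a["ports"][0] <= dport <= a["ports"][1]):
            return a["action"]
    return "deny"


if __name__ == "__main__":
    original = parse_acl(SAMPLE_ACL)
    for ace in reorder_by_hits(original):
        print(ace["text"])
```

On the sample the DNS entry moves to the top and the busy `permit tcp 10.0.0.0/8 ... eq 80` moves up, but it cannot jump the `deny tcp 10.9.0.0/16 ... eq 80` that shadows part of it, which is exactly the ordering mistake that a hit-count sort done by hand tends to introduce. The check is about packets-per-entry, not pps: on a process-switched box every packet still walks the list until it matches, so fewer entries before the common match is the only lever short of Anthony's advice to shrink the list or move it off the router.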
