The testing I did was specific to the scenario where I
was having problems. That scenario involves a pair of
535's fronting a high traffic news web site. I took
all kinds of samples and averaged the packet size
distribution (web traffic=pretty small) so when I was
working with Cisco we were able to have the SmartBits
generate streams simulating the same type of traffic we
were seeing in production.

The findings were that the 535 will begin to show
problems at around 400mbs. This can be slightly
improved if you make sure to limit logging levels,
etc.

Another key thing to note is that we tested with 5.3.1
and 5.3.2. DO NOT USE 5.3.1 with a 535. There are
many problems with that code and high traffic. When
doing a "show block" you can see this by noticing that
the size 16384 block will be at zero with any
significant amount of traffic. Do a clear block and
then show block...and you will see it will go right
back down to zero. The 16384 block corresponds to the
PIX-1GE-66 (66 MHz) cards...and 5.3.2 allocates more
resources for those cards. Another thing to
note....5.3.2 will still run out of blocks if you are
running stateful. I have since turned that off...this
was just prior to 9-11-01 and the site did rather well
under a tremendous load of traffic. I could go
on...but to sum it up

-the 535 is like any firewall..performance is impacted
directly by packet size

-5.3.2 was what Cisco recommended after this testing
with 6.2 waiting to be released.

-535 will hold its own at 300+ mbs of web traffic.

- the closer you get to 400mbs..the scarier it gets.

hope this helps,

ms
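
The "clear block, then show block" check described in the message above, as an added example that is not part of the original post. It assumes the four-column `show block` layout (SIZE MAX LOW CNT); the hostname and every number in the samples are constructed.

```python
import re

# Constructed samples, assuming the four-column "show block" layout
# (SIZE MAX LOW CNT). All values are invented for illustration.
BEFORE_CLEAR = """\
pix535# show block
  SIZE    MAX    LOW    CNT
     4   1600   1590   1600
    80    400    310    398
   256    500    120    470
  1550   1700    640   1105
 16384   2048      0      0
"""
AFTER_CLEAR = """\
pix535# show block
  SIZE    MAX    LOW    CNT
     4   1600   1600   1600
    80    400    395    399
   256    500    455    480
  1550   1700   1010   1130
 16384   2048      0      0
"""

# A data row is exactly four integers; prompt and header lines do not match.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_show_block(text):
    """Return {block_size: {"max": .., "low": .., "cnt": ..}} for each data row."""
    pools = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            size, mx, low, cnt = map(int, m.groups())
            pools[size] = {"max": mx, "low": low, "cnt": cnt}
    return pools

def persistently_exhausted(before, after):
    """Block sizes with zero free blocks both before and after a clear block."""
    b, a = parse_show_block(before), parse_show_block(after)
    return sorted(s for s in b if s in a and b[s]["cnt"] == 0 and a[s]["cnt"] == 0)

if __name__ == "__main__":
    for size in persistently_exhausted(BEFORE_CLEAR, AFTER_CLEAR):
        print(f"block size {size}: back at zero after clear block")
```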

--- Liz  wrote:
> I would like to know about the 535's also curious if you have worked with
> the 525's at all.  We just got two to replace some old 510's.
> Thanks,
> Liz
> "matt shiite" wrote in message news:[EMAIL PROTECTED]...
> > I don't know too much about the Nokia boxes, but have
> > done quite a bit of work on Pix's.  I witnessed the
> > 515 fail at between 20-30 mbs  (a documented bug).  I
> > found that to be very lame.  Also, did quite a bit of
> > testing with cisco on the PIX 535.  If anyone cares to
> > see when that thing fails....let me know.  You might
> > be surprised  :)
> >
> >
> > ms
> >
> >
> > --- Eric  wrote:
> > > The Checkpoint/Nokia 330 runs IPSO as the OS on hardened FreeBSD. These will
> > > actually run routing protocols too, i.e., RIP, OSPF, IGRP, etc.... Nice GUI
> > > too...They do dominate their market segment.
> > >
> > > Eric
> > >
> > > ----- Original Message -----
> > > From: "Chuck Larrieu"
> > > To:
> > > Sent: Monday, December 31, 2001 1:50 PM
> > > Subject: OT - Firewall performance Comparisons - is it quitting time [7:30576]
> > >
> > >
> > > > > I sure love slow days like today. I've discovered a whole new section on the
> > > > > company intranet - a group that does performance and acceptability testing
> > > > > for vendor equipment which we sell.
> > > > >
> > > > > So I'm looking over the firewall report - Cisco 515 versus several other
> > > > > things.
> > > > >
> > > > > I have never seen or heard this before, but according to this doc,
> > > > > Checkpoint on a Nokia 330 box outperformed the PIX 515 substantially. by
> > > > > about 20% in terms of throughput. I have always heard that PIX outperforms
> > > > > Checkpoint by a large margin. Maybe that was when compared to Checkpoint on
> > > > > a Windoze box?
> > > > >
> > > > > Interesting to see in the results was that the Cisco 1601 with IP firewall
> > > > > feature set outperformed the Cisco 2610 by a decent ( but not overwhelming )
> > > > > margin. The PIX 515 looks to be about 50% faster than the 1601 and twice as
> > > > > fast as the 2610.
> > > > >
> > > > > The PIX 515  was about twice as fast, in terms of throughput, than the $500
> > > > > Netscreen 5XP ( low end ) firewall
> > > > >
> > > > > Granted, the testbed was limited in that there were just a few stations on
> > > > > the inside trying to get to just a few stations on the outside. Traffic
> > > > > simulation was used for different types of traffic ( http, ftp, etc )
> > > > > Granted there are  other issues, such as scalability.
> > > > >
> > > > > Still, it sure looks to be an interesting year ahead, in the security
> > > > > products market.
> > > > >
> > > > > Happy New Year, everyone!
> > > > >
> > > > > Chuck

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30862&t=30862