Re: PIX firewall simultaneous connections [7:62575]

2003-02-06 Thread Charles Riley
I believe that if you check the Cisco website or documentation, you will see
that it defines a session as a single TCP or UDP connection.  If somehow you
had 2M users, yet their total number of sessions never exceeded 500K, then
your firewall could handle 2M users.  I am not addressing performance at all
here.

Realistically, though, your users are going to have any number of sessions
established as they read their email, check the web, download files, and so
on.  It's possible that your 500K PIX firewall could only be able to handle
about 5K or 50K of your users if they are the kind of users to keep hundreds
or thousands of sessions going at once.

HTH,

Charles


Kenan Ahmed Siddiqi wrote in message news:[EMAIL PROTECTED]...
> Hello groupies,
> I was reading the PIX book and it apparently said that the no. of connections
> supported by a PIX firewall (higher order) is 500,000. Does this mean that
> up to 500,000 sessions can be established or something else? If so, what do I
> do if I have a throughput of say 2 million users? Thanks in adv.
>
> Cheers,
>
> Kenan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62578t=62575
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: PIX firewall simultaneous connections [7:62575]

2003-02-06 Thread Sam Sneed
These are TCP and UDP connections. Keep in mind that PIX must keep a state
table for these connections so that's probably where it gets the limit from.
I really can't see how you could have 2 million users internally going
through 1 firewall so I assume you mean 2 million people hitting a webserver
behind the PIX. I really can't see 2 million people hitting a website at the
same time going through a single PIX. But if you are big time like that you
would have more than one PIX handling it.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62583t=62575



Re: PIX firewall simultaneous connections [7:62575]

2003-02-06 Thread Mark Smith
I have approximately 2 million hits a day on web pages behind a pair of PIX
515's in failover and send out a little more than a million subscription
(not spam) emails every night and the only issue I have is that the
available 1550 (Ethernet) blocks drops to zero at times during the 3 or 4
hours in the middle of the night that I'm shoving out all of that email. We
even run some small animated Flash things on some pages however I don't
serve any streaming media. I do have FTP services that serve from 1500-2000
users anywhere from 10 to 100MB each daily. Now the FTP users are pulling
packages of graphics though, not 700MB ISO CD images. During the day, when
the lion's share of the web activity occurs, I never notice any of the PIX's
resources taxed to anywhere close to a point I consider worrisome. The boxes
I have to keep an eye on are my 3640 routers. That's where I see the meters
pegging, mostly in the mornings when people check their morning emails. I
used to have QoS running on them for certain traffic I wanted to restrict
bandwidth on but that absolutely choked the CPU's in the AM. Never seen a
router CPU run at 100% use and stay there until then. Had to remove it. Like
Charles said, a single user will open many connections on one web page hit but
each individual connection is not open too long. The PIX just keeps on chuggin'
right along. Now I run no encryption on that pair and have tunnels in from
the outside coming in thru another PIX that processes no web traffic. These
2 boxes are simple firewalls. I would like to upgrade to at least 525's (not
to mention a beefier router) or just a REALLY beefy router running firewall
IOS but, alas, it's not in the budget this year so I chug right along with
my 515's doing exactly what I need them to.  If you're not running really
big flash animations, streaming media or some other big bandwidth hog type
of traffic, you don't have a bunch of secure tunnels built or your 2 million
users don't all hit within a 2 hour time frame I really doubt you'll have
any issues with a 515 or bigger box but I would personally recommend bigger
than a 515 with the idea in mind of a little room for your business to grow
and not max'ing out the box in 6 months or a year.  Our traffic has only
seen modest growth over the last 2 years or so. I believe we still have
quite a bit more we can squeeze out of the PIX's before we have no choice
but to upgrade.

That's my experience anyway. Don't know how closely your requirements match
mine though. Hope this helps.
 

Mark






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62587t=62575
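
Added example, not part of any post in this thread: a small check that reads the two counters the replies talk about, the 1550-byte block pool and the connection count, and reports headroom against the 500,000-connection limit. It assumes the text layout of the PIX `show blocks` and `show conn count` commands; the sample values are constructed.

```python
import re

# Constructed sample output in the layout of the PIX `show blocks` and
# `show conn count` commands (values are made up for illustration).
SHOW_BLOCKS = """\
  SIZE    MAX    LOW    CNT
     4   1600   1597   1600
    80    400    399    400
   256    500    495    499
  1550   1444      0     12
"""
SHOW_CONN_COUNT = "41250 in use, 187334 most used"

CONN_LIMIT = 500_000  # connection limit quoted in the thread


def parse_blocks(text):
    """Return {block_size: {"max": .., "low": .., "cnt": ..}}."""
    pools = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows are four integers; the header row is skipped.
        if len(fields) == 4 and all(f.isdigit() for f in fields):
            size, mx, low, cnt = map(int, fields)
            pools[size] = {"max": mx, "low": low, "cnt": cnt}
    return pools


def parse_conn_count(text):
    """Return (in_use, most_used) from `show conn count` style text."""
    m = re.search(r"(\d+) in use, (\d+) most used", text)
    if not m:
        raise ValueError("unrecognised show conn count output")
    return int(m.group(1)), int(m.group(2))


def capacity_report(blocks_text, conn_text, limit=CONN_LIMIT, warn_pct=10):
    """List block pools that ran dry or are nearly empty, plus peak connection usage."""
    findings = []
    for size, p in sorted(parse_blocks(blocks_text).items()):
        if p["low"] == 0:  # LOW is the low-water mark: the pool hit zero at some point
            findings.append(f"{size}-byte blocks were exhausted (LOW=0, CNT={p['cnt']})")
        elif p["cnt"] * 100 < p["max"] * warn_pct:
            findings.append(f"{size}-byte blocks below {warn_pct}% free (CNT={p['cnt']}/{p['max']})")
    in_use, peak = parse_conn_count(conn_text)
    findings.append(f"connections: {in_use} in use, peak {peak} = {peak * 100 // limit}% of {limit}")
    return findings


if __name__ == "__main__":
    for line in capacity_report(SHOW_BLOCKS, SHOW_CONN_COUNT):
        print(line)
```

The peak ("most used") figure is the one to compare against the limit, since it counts simultaneous connections rather than users or daily hits.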