Firewall Wizards mailing list archives

Re: Consine FW

From: "Volker Tanger" <volker.tanger () discon de>
Date: Wed, 14 Nov 2001 17:31:41 +0100

Greetings!

Nimesh Vakharia wrote:

me.  Has anyone tested a high end firewall, proxy or stateful, on a 2ghz
quad processor servers decked out with memory?  It may give gigabit
throughput performance for all we know at this point.  I don't dispute

        One of our customers did try out a quad proc (440Mhz, i think) at
1 Gb RAM on a Sun E450(2Gig Nic) with Checkpoint. I think they barely got
around 60-80Mbps of thput out of the 1G. The packets were pure UDP
traffic (200 streams) and fw was configured with 20 FW rules. In
checkpoints defense, the admins were not very big on solaris and the
optimizations were a few things recommended on phoneboy.com. It'd be
interesting if see if people have had other experiences.

Unless they are running a (extremely high) number of security servers("Resources") or VPN (though special Crypt cards arce cheaper) 2-3 ofthe 4 CPUs are a complete waste of money. Packet filtering is done inkernel - a single CPU task. Security servers and VPN tunnels can run onother CPUs, but the main load always is bound to one single CPU.

One trick is that the E450 has 6 separate PCI busses (some high/wide,some low/standard width IIRC)- so the Gig cards should be situated ondifferent busses to avoid PCI bus saturation. A common PCI bus has32bit@33MHz = 990 Mbit/s which is the equivalent of a Gig card run halfdumplex. So seek one of the 64bit@33MHz or 32bit@66MHz or 64bit@66MHzPCI busses the E450 provides (sorry, I currently don't have the manualsat hand). And keep the PCI bus used by the Gig card free of other stuff.

This way you avoid the bus limit.

60-80 Mbit/s sound awfully alike to the throughput limit of a 100 mbit/sshared ethernet. Are you sure that there was no dumb switch involved onone of the testing sides? Sometimes - especially when routing broadcasts- switches are programmed to wait for the slowest interface...



Bye
        Volker

--

Volker Tanger  <volker.tanger () discon de>
 Wrangelstr. 100, 10997 Berlin, Germany
    DiSCON GmbH - Internet Solutions
         http://www.discon.de/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

Current thread:

Re: Consine FW Bill_Royds (Nov 09)
- Re: Consine FW Nimesh Vakharia (Nov 09)
  - Re: Consine FW David Lang (Nov 09)
- <Possible follow-ups>
- RE: Consine FW Nimesh Vakharia (Nov 13)
  - Re: Consine FW t (Nov 14)
- RE: Consine FW Lucas, Perry (Nov 14)
  - RE: Consine FW David Lang (Nov 14)
  - RE: Consine FW Nimesh Vakharia (Nov 14)
    - Re: Consine FW Volker Tanger (Nov 14)
    - Re: Consine FW Nimesh Vakharia (Nov 15)
    - Re: Consine FW Stephane Nasdrovisky (Nov 15)
- RE: Consine FW Pieper, Rodney (Nov 14)