Firewall Wizards mailing list archives

Re: Info Request: Looking for alternatives in HA/Load balancing firewalls that are also scalable and modular. . .


From: David Lang <dlang () digitalinsight com>
Date: Wed, 12 Apr 2006 14:46:41 -0700 (PDT)

On Sun, 9 Apr 2006, Oliver Humpage wrote:

> On 8/4/06 12:52 am, "David Lang" <dlang () digitalinsight com> wrote:
>
>> 5TB/day is a sustained 60MB/sec (1 1/2 DS-3's or so), given that you have
>> a lot of peaks it's reasonable to say that your peak traffic is 2-3x that
>> value. you are still talking about ~200Mb/sec of traffic.
>
> Is that not 200MB/sec = 1600Mb/sec? I.e. you either need to load balance, or
> get a box with >1Gbps ports in it?

If I did make the Bytes/bits mistake (not having the original message handy to check I don't know) then the average traffic would be ~500mb/sec (min 4 OC-3 lines or 1 OC-12 line) with the peak being significantly higher than that.

if you are talking about 8+ OC-3 (2+ OC-12) lines then you either need to split the traffic to keep it well below 1Gb/sec for each set of boxes, or you are going to 10Gb ethernet.

just load balancing won't solve this as your routers would need >1Gbps ports on them (assuming that a setup this large will have the lines connected to different carriers and be running BGP for telco failover). but if you segment your address space to different interfaces on the routers then you can split things so that each interface (and therefore each firewall, and set of servers) doesn't need to exceed 1Gbps

as for the need to load balance the firewalls, it is getting closer to the point of needing to, but checkpoint has quite a few boxes rated at 3-4Gbps (including that $30k Opteron based sun I mentioned) so even discounting their ratings to real-world values you may not need to load balance yet.

it's actually far easier to troubleshoot multiple sets of boxes that are not load balanced than one (smaller) set of boxes that are.

David Lang

> Oliver.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no 
deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
 -- C.A.R. Hoare
