Firewall Wizards mailing list archives

Re: PIX-515 acceptable CPU usage?

From: <pmahesh90979 () yahoo com>
Date: Thu, 16 Sep 2004 04:13:36 -0700 (PDT)

I agree with Brian !! There is no specific benchmark for the CPU usage. At present, you would be very much comfortable 
with the CPU usage as it would be around 20-25%. However, it would be great if you consider your future requirements as 
well. 
 
Suppose if you are running VPN or SSH which needs encryption  or if you are running the PIX as one of the core routers 
for OSPF then the CPU utilization could go high.
 
Another question is whether you really want to use PIX for OSPF i.e. using PIX as router rather than a FW. 6.3.3 is a 
great code but using PIX as FW and another router to do the job of routing is definitely worth a thought. 
 
Mahesh

Brian Ford <brford () cisco com> wrote:
Adam,

You're definitely OK for now. Seems like at worst you'll see 20-25% CPU 
(10% base and 10% if you had 5 interfaces).

You probably want to try and test a number of use cases including DoS'ing 
on of the less trusted interfaces or (and) establishing a couple of VPN or 
SSH sessions to the PIX and watching what happens.

Chances are (without looking at your config or knowing how you use the PIX) 
you'll probably spike up to 60% when bad things happen.

Liberty for All,

Brian

At 02:22 PM 9/3/2004 -0400, firewall-wizards-request () honor icsalabs com wrote:

From: "Adam Greene" 
To: 
Date: Fri, 3 Sep 2004 11:47:17 -0400
Subject: [fw-wiz] PIX-515 acceptable CPU usage?

Hi --

We're deploying OSPF on our network for the first time, and it looks like it
will be convenient to enable OSPF on our PIX-515-UR's as well (running 6.3.3
OS). The problem
is, the moment I enable OSPF on the pixes, CPU usage on them shoots up from
0-1% to 7-10% (sh cpu usage). Each interface I add to area 0 appears to add
1-2% to CPU usage as well.

I've tried googling for acceptable CPU usage levels on the PIX, but came up
dry. Does anyone have a benchmark they can refer me to?

We're going to be passing about 5 Mbps through these pixes in the short term
(may grow to 10Mbps or higher). It would be nice to know that ongoing 15%
CPU usage is not going to cause noticeable performance degradation to our
users (we are broadband ISP).

Any input anyone may have is very welcome. Thanks for your help.

--Adam

P.S. we're running 6.3.3 on the pixes



Brian Ford
Consulting Engineer, Security & Integrity Specialist
Office of Strategic Technology Planning
Cisco Systems Inc.
http://www.cisco.com/go/safe/

The opinions expressed in this message are those of the author and not 
necessarily those of Cisco Systems, Inc..

This email address is transmitted from San Jose, California, U.S.A..


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

                
---------------------------------
Do you Yahoo!?
vote.yahoo.com - Register online to vote today!

Current thread:

PIX-515 acceptable CPU usage? Adam Greene (Sep 03)
- <Possible follow-ups>
- Re: PIX-515 acceptable CPU usage? Brian Ford (Sep 03)
  - Re: PIX-515 acceptable CPU usage? pmahesh90979 (Sep 16)
- RE: PIX-515 acceptable CPU usage? Ahmed, Balal (Sep 16)
  - RE: PIX-515 acceptable CPU usage? Eugene Kuznetsov (Sep 16)