nanog mailing list archives

Re: I don't need no stinking firewall!


From: Joel Jaeggli <joelja () bogus com>
Date: Fri, 08 Jan 2010 16:52:01 -0800



Dobbins, Roland wrote:
On Jan 8, 2010, at 9:02 PM, bill from home wrote:

And maybe there is no way to tell, but I feel I need to ask the question.

Situationally-dependent; the only way to really tell, not just theorize, is to test the firewall to destruction during a maintenance window (or one like it, in the lab).

see my post in the subject, a reasonably complete performance report for
the device is a useful place to start. if you know what the maximum
session rate and state table size for the device are, you have a pretty
good idea at what rate of state instantiation it will break. rather
frequently it's more than two orders of magnitude lower than the peak
forwarding rate.


-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken





