North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: "firewalls" at high speed -- resending

  • From: Hank Nussbacher
  • Date: Sun Oct 03 02:40:08 1999 
Hopefully this gets thru this time since the last time I sent it (Sept 30)
I received:
<[email protected]>: Command died with status 2: "/private/majordomo/wrapper
    resend -l nanog -h merit.edu -s nanog-outgoing". Command output: Can't
    locate getopts.pl in @INC (@INC contains:
    /usr/local/perl-5.004_04/lib/sun4-solaris/5.00404
    /usr/local/perl-5.004_04/lib
    /usr/local/perl-5.004_04/lib/site_perl/sun4-solaris
    /usr/local/perl-5.004_04/lib/site_perl .) at
    /private/majordomo-1.94.4/resend line 74.
and no one from Merit has responded yet to my email.

>Alex Rudnev observed,
>
>>Folks, why all you are saying about the Gigabit traffic for the firewall?
>>
>>Usially, firewall stand between intranet and internet, and it should
>>proceed your upstream traffic, not more... And than, it's important to
>>measure the throughput in packets/per_second, not in the gigabits...
>>
>>Everything other is true - I suggess no one good firewall can proceed
>>gigabit traffic at all, and only a few specially designed boxes can
>>proceed 100Mbit traffic. But just again - it's a rare case when you does
>>have 100Mbit upstream link.

Super Firewalls! 
http://www.data.com/issue/990521/firewalls.html

Almost all hit 72Mb/sec or more whether NAT was disabled or enabled.

To quote from the article:

                            Once again we started with a baseline test.
With no
                            firewall on the test bed, we achieved TCP
                            forwarding rates of 15.6 Mbyte/s over each
                            four-minute run of the test scripts; this works
out to
                            nearly 125 Mbit/s. So why didn�t we get the
                            200-Mbit/s theoretical maximum of a switched,
                            full-duplex test bed? First and foremost, our
                            measurements are taken at the application
layer. It�s
                            likely that packet headers and the continuous
                            opening and closing of SMTP connections took a
                            bite out of the effective data rate. Second,
clients
                            offered lots of traffic that the rule sets
expressly
                            denied�so at least some of the time the wire was
                            occupied carrying traffic that wouldn�t be
forwarded.
                            Third, there may have been a firepower
limitation in
                            the amount of traffic our clients and servers
could
                            offer. We can�t say for certain how much the
                            degradation is due to application overhead, and
how
                            much to test platform limitations. 

I would think that 200Mb/sec is achievable with not much effort and perhaps
the next testing round will prove it. 

-Hank