Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: "firewalls" at high speed -- resending

  • From: Hank Nussbacher
  • Date: Sun Oct 03 02:40:08 1999

Hopefully this gets thru this time since the last time I sent it (Sept 30)
I received:
<nanog@merit.edu>: Command died with status 2: "/private/majordomo/wrapper
    resend -l nanog -h merit.edu -s nanog-outgoing". Command output: Can't
    locate getopts.pl in @INC (@INC contains:
    /usr/local/perl-5.004_04/lib/sun4-solaris/5.00404
    /usr/local/perl-5.004_04/lib
    /usr/local/perl-5.004_04/lib/site_perl/sun4-solaris
    /usr/local/perl-5.004_04/lib/site_perl .) at
    /private/majordomo-1.94.4/resend line 74.
and no one from Merit has responded yet to my email.

>Alex Rudnev observed,
>
>>Folks, why all you are saying about the Gigabit traffic for the firewall?
>>
>>Usially, firewall stand between intranet and internet, and it should
>>proceed your upstream traffic, not more... And than, it's important to
>>measure the throughput in packets/per_second, not in the gigabits...
>>
>>Everything other is true - I suggess no one good firewall can proceed
>>gigabit traffic at all, and only a few specially designed boxes can
>>proceed 100Mbit traffic. But just again - it's a rare case when you does
>>have 100Mbit upstream link.

Super Firewalls! 
http://www.data.com/issue/990521/firewalls.html

Almost all hit 72Mb/sec or more whether NAT was disabled or enabled.

To quote from the article:

                            Once again we started with a baseline test.
With no
                            firewall on the test bed, we achieved TCP
                            forwarding rates of 15.6 Mbyte/s over each
                            four-minute run of the test scripts; this works
out to
                            nearly 125 Mbit/s. So why didn’t we get the
                            200-Mbit/s theoretical maximum of a switched,
                            full-duplex test bed? First and foremost, our
                            measurements are taken at the application
layer. It’s
                            likely that packet headers and the continuous
                            opening and closing of SMTP connections took a
                            bite out of the effective data rate. Second,
clients
                            offered lots of traffic that the rule sets
expressly
                            denied—so at least some of the time the wire was
                            occupied carrying traffic that wouldn’t be
forwarded.
                            Third, there may have been a firepower
limitation in
                            the amount of traffic our clients and servers
could
                            offer. We can’t say for certain how much the
                            degradation is due to application overhead, and
how
                            much to test platform limitations. 

I would think that 200Mb/sec is achievable with not much effort and perhaps
the next testing round will prove it. 

-Hank






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.