[unisog] High speed firewalls - Connections per second not bits persecond

Matt McBride matt.mcbride at utah.edu
Tue Feb 22 04:49:04 GMT 2005


> So my question is do you all know of firewalls, stateful inspection
> and not just ACLs on routers, that can really handle large numbers of
> connections per second? I see a lot about bps but not too much about
> cps.

We run several Cisco FWSMs throughout our campus backbone in the
distribution layer and at our AS boundary routers acting as our front
door. Most average 150-200 Mbps and we deal with infected hosts
spewing data on a daily basis. We haven't been pushed to the point of
dropping packets, at least nothing I or the end users have noticed.

Cisco claims, "Cisco Firewall Services Module (FWSM) is a high-speed,
integrated firewall module for Cisco Catalyst(r) 6500 switches and Cisco
7600 Series routers, and provides the fastest firewall data rates in the
industry: 5-Gbps throughput, 100,000 CPS, and 1M concurrent connections.
Up to four FWSMs can be installed in a single chassis providing
scalability to 20 Gbps per chassis."
http://www.cisco.com/en/US/customer/products/hw/modules/ps2706/ps4452/index.html

We did extensive testing in the lab before going with this solution
using a SmartBits network performance analysis system. It handled 1K cps
without any issues.

-Matt

+----------------------------------------------------------------------------+
Matt McBride
Network Engineer
University of Utah
Salt Lake City, USA
ccnp ccdp cissp
801.585.1043
matt.mcbride/at/utah.edu
+----------------------------------------------------------------------------+
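A small Python harness, added here as an illustration and not part of the post or of the SmartBits test it describes: it opens many short TCP sessions against a local sink and reports connection rate and bit rate as separate numbers, then applies Little's law to show how many concurrent state entries a sustained connection rate implies (the quoted 100,000 CPS and 1M sessions are consistent only with an average session life of about 10 s). The loopback sink, the profile sizes and the function names are this example's own choices; a real measurement would target a host on the far side of the firewall and read the firewall's own session and drop counters alongside the client-side figures.

```python
"""Connections-per-second vs bits-per-second load generator over loopback.

Added illustration for the thread above, not the poster's SmartBits setup.
The loopback sink stands in for a host behind the firewall under test; point
generate_load() at a real host/port behind the firewall to drive traffic
through it (a real test also needs the firewall's session counters).
"""
import socket
import threading
import time


class LoopbackServer:
    """Throwaway TCP sink on 127.0.0.1 (constructed stand-in for a real target).

    Accepts every connection, drains whatever the client sends, then closes.
    """

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))  # port 0: kernel picks a free port
        self.sock.listen(512)
        self.sock.settimeout(0.2)  # lets the accept loop notice the stop flag
        self.addr = self.sock.getsockname()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._drain, args=(conn,), daemon=True).start()

    @staticmethod
    def _drain(conn):
        with conn:
            while conn.recv(65536):  # read until the client half-closes
                pass

    def __enter__(self):
        self._thread.start()
        return self.addr  # (host, port)

    def __exit__(self, *exc):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def generate_load(host, port, connections, payload_len):
    """Open `connections` sequential TCP sessions, push `payload_len` bytes
    down each, and report the two rates separately.

    Every session costs a stateful firewall a state-table insert on the
    handshake and a removal on teardown regardless of payload size; that
    per-session work is what CPS measures and bps does not."""
    payload = b"\x00" * payload_len
    t0 = time.perf_counter()
    for _ in range(connections):
        with socket.create_connection((host, port)) as s:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)  # send FIN so the sink sees EOF
    elapsed = max(time.perf_counter() - t0, 1e-9)
    total_bytes = connections * payload_len
    return {
        "connections": connections,
        "bytes": total_bytes,
        "seconds": elapsed,
        "cps": connections / elapsed,
        "mbps": total_bytes * 8 / elapsed / 1e6,
    }


def state_table_load(cps, mean_lifetime_s):
    """Concurrent state entries a firewall must hold at steady state
    (Little's law: arrivals per second x mean residency in seconds)."""
    return cps * mean_lifetime_s


def compare_profiles(host, port):
    """Two workloads (sizes are this example's choice): a scanning host
    sending tiny probes over many sessions vs. one bulk transfer that moves
    far more bytes over almost no sessions."""
    many_small = generate_load(host, port, connections=300, payload_len=64)
    few_large = generate_load(host, port, connections=3, payload_len=1 << 20)
    return many_small, few_large


if __name__ == "__main__":
    with LoopbackServer() as (host, port):
        for label, r in zip(("many small", "few large"), compare_profiles(host, port)):
            print(f"{label:10s}: {r['cps']:10.0f} cps  {r['mbps']:8.2f} Mbps  ({r['bytes']} B)")
    # 100,000 CPS with 1M concurrent sessions implies ~10 s mean session life
    print("state entries at 100k cps x 10 s:", state_table_load(100_000, 10))
```

Run against loopback the two profiles land in the same rough Mbps band while differing by two orders of magnitude in cps, which is the gap between a throughput spec sheet and what an infected host actually does to a state table. When pointing it at a real target, run several copies in parallel; a single sequential client is bounded by its own handshake round-trip time, not by the firewall.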