[unisog] High speed firewalls - Connections per second not bits per second

Matt McBride matt.mcbride at utah.edu
Tue Feb 22 04:49:04 GMT 2005

> So my question is do you all know of firewalls, stateful inspection
> not just ACL's on routers, that can really handle large numbers of
> connections per second? I see a lot about bps but not too much about
> cps.

We run several Cisco FWSMs throughout our campus backbone in the
distribution layer and at our AS boundary routers acting as our front
door. Most average 150 - 200 mbps and we deal with infected hosts
spewing data on a daily basis. We haven't been pushed to the point of
dropping packets, at least nothing I or the end users have noticed.

Cisco claims, "Cisco Firewall Services Module (FWSM) is a high-speed,
integrated firewall module for Cisco Catalyst(r) 6500 switches and Cisco
7600 Series routers, and provides the fastest firewall data rates in the
industry: 5-Gbps throughput, 100,000 CPS, and 1M concurrent connections.
Up to four FWSMs can be installed in a single chassis providing
scalability to 20 Gbps per chassis."

We did extensive testing in the lab before going with this solution
using a Smartbits network performance analysis system. It handled 1K cps
without any issues.


Matt McBride
Network Engineer
University of Utah
Salt Lake City, USA
ccnp ccdp cissp
