PIX 525 specs

Unanswered Question
Feb 28th, 2007

I'm trying to understand the "cleartext throughput" term that Cisco uses in their performance specifications of the PIX-525. The PIX can be expanded to up to three gig-ethernet interfaces but it is listed as being capable of handling only up to 330Mbps. That sounds like it can't even handle one gigabit interface let alone three. A guy at Cisco TAC said it's 330Mbps per interface although he wasn't able to produce any documentation to support his statement. Even that is still well below what the interfaces could throw at the PIX if they were pretty busy. Am I missing something or is the box just underpowered relative to what traffic could potentially need to pass through it?

suschoud Fri, 03/02/2007 - 12:51


330 Mbps is the traffic throughput, not the interface throughput.

By that, I mean that you can pump data into the PIX through those gig interfaces, but that would exhaust its memory and CPU utilisation.

PIX is a stateful firewall, not just a transparent device which needs to accept information at one interface and send it through the other.

It all depends on the amount of config you have on your PIX. PIX is a stateful firewall, and for each and every packet it does stateful inspection, hence the delay. It also depends on how many access rules you have on your PIX, and the line on which the rule that permits such traffic sits also makes a slight difference. That's why we call the PIX a bottleneck for file transfers: it checks each and every packet/frame and its statefulness, scans it thoroughly, checks the routing table, checks the access rules, proxy-ARPs for the packet, and finally checks its translation as well as connection table before sending the packet ahead. If all parameters match, the packet is sent to layer 3 for further transmission. This happens for each and every packet.

You would see a high rate of data transfer over a switched network because all data transfer takes place in a layer 2 environment only. Hence no translations, connection table, routing decisions, proxy ARP, access rules, switching the packet to layer 3, etc. are scanned for packets, and the packet bypasses all these security checks, making the transfer faster. Moreover, having portfast enabled on the LAN switches would make the transfer faster, because the packet would bypass the listening and learning stages and be switched straight from blocking to forwarding mode. Hope I make some sense.
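The reply's point about rule position can be seen in a simplified model of a first-match access list in front of a connection table. This is an added example, not part of the original post and not PIX code: the `Rule` and `Firewall` classes, the addresses and the 500-line ACL are constructed for illustration, and it assumes an established flow is matched in the connection table before the ACL is consulted.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source network, CIDR
    dst: str              # destination network, CIDR
    dport: Optional[int]  # destination port; None matches any port

@dataclass
class Firewall:
    acl: list
    conns: set = field(default_factory=set)  # established flows
    comparisons: int = 0                     # ACL lines examined so far

    def _acl_permits(self, src, dst, dport):
        # First-match semantics: scan top to bottom, stop at the first hit.
        for rule in self.acl:
            self.comparisons += 1
            if (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
                    and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
                    and rule.dport in (None, dport)):
                return rule.action == "permit"
        return False  # implicit deny when nothing matches

    def handle(self, src, sport, dst, dport):
        flow = (src, sport, dst, dport)
        if flow in self.conns:       # stateful path: flow already known
            return True
        if self._acl_permits(src, dst, dport):
            self.conns.add(flow)     # remember the flow for later packets
            return True
        return False

def cost_of_first_packet(permit_line, total_lines=500):
    """Return (ACL lines scanned for packet 1, ACL lines scanned for packet 2)."""
    # Constructed filler rules that never match the test traffic.
    filler = [Rule("deny", f"10.{i // 256}.{i % 256}.0/24", "0.0.0.0/0", None)
              for i in range(total_lines - 1)]
    permit = Rule("permit", "192.0.2.0/24", "198.51.100.10/32", 21)
    fw = Firewall(filler[:permit_line - 1] + [permit] + filler[permit_line - 1:])
    fw.handle("192.0.2.5", 40000, "198.51.100.10", 21)
    first = fw.comparisons
    fw.handle("192.0.2.5", 40000, "198.51.100.10", 21)
    return first, fw.comparisons - first

if __name__ == "__main__":
    for line in (1, 250, 500):
        print(line, cost_of_first_packet(line))
```

In this model the same permit rule costs 1 comparison at line 1 and 500 at line 500, which is why frequently hit permits are usually placed near the top of a long access list.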

