1721 IOS firewall throughput?

Answered Question
Jan 31st, 2008
User Badges:

How many pps or Mbps cleartext would you expect from a 1721 between the built-in 10/100 port and a 10/100 port on the four-port switch module, using IOS firewall? I've seen numbers for encryption (the unit has VPN bundle), but have no idea how the unencrypted IOS firewall throughput would compare to, say, a 506E.


Any thoughts or links will be much appreciated.


Paul

Correct Answer by paolo bevilacqua about 9 years 4 months ago

Ok, here it goes now.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
paolo bevilacqua Thu, 01/31/2008 - 14:16
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    Founding Member

Here's attached the frequently posted performance sheet.

For FW enabled, subtract a very cautious 30%.


Hope this helps, please rate post if it does!

pnicolette Fri, 02/01/2008 - 12:50
User Badges:

Very helpful, thanks. Just 3 more questions ;-) ...


- do you happen to know whether IOS firewall is process switched on a smaller router?


- should the CEF numbers be seen as a best-case sum for all flows through a router with multiple interfaces, ie fe1<->fe2 PLUS fe3<->fe4?


- why do some models have no listing for process-switched throughput? (hope it's not embarrassment protection!)


Thanks again.

paolo bevilacqua Fri, 02/01/2008 - 13:20
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    Founding Member

Hi, first of all one has to define which FW flavour is used. There is the old one, then evolution of it, now we have zone-based FW..


Anyway the tendency is to have cef switching as long possible. This is also why you see less and less process-switching performance numbers.


Multiple interface routing vs single pair usually subtracts little from the overall.


Thanks for the nice rating and good luck!


pnicolette Fri, 02/01/2008 - 13:59
User Badges:

So for a sanity check...


If a 1721 maxes at 12k pps, assuming an avg packet size of 1000 bytes, then w/8bits/byte it's 96Mbps. So on a full duplex 100Mbps link with the conservative 30% fw derating, and equal traffic in both directions (won't happen!) I might get up to 33Mbps throughput in each direction?


BTW, FWIW, I found a slightly newer version product sheet at http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

...once I knew what to search for.


Actions

This Discussion