Virtual FW throughput

[wintermute000]

Anyone have any XP on different virtual FW re: large scale deployments and in particular, session count?


I am potentially scoping out a proposal for an internet edge aggregation for 1400 retail sites. We haven't been given the figures yet (if they exist LOL) but just rule of thumb you'd assume at least 64k simultaneous sessions. The kicker here is that the customer and the provider are very keen to go virtual, because cloud, virtual, duh. And as you all know, scaling/performance is a fuzzy question with virtual.


Cisco claim 500k sessions on vASA, Juniper 256k on vSRX etc. but has anyone actually stress tested a large virtual FW deployment?

[deanwebb]

Not on a  virtual one, but vendors like to send "special" packet flows to get those rates. If you don't have a Spirent box or something similar, rent one and use it to blast traffic that's more real-to-life.

[NetworkGroover]

Not on a  virtual one, but vendors like to send "special" packet flows to get those rates. If you don't have a Spirent box or something similar, rent one and use it to blast traffic that's more real-to-life.

Truth - Spirent or Ixia cuts right through the vendor bullsh!t.

That's when you learn how their ASICs work.  Example at a former job we discovered we could only get about 1.4G of throughput on a Juniper Netscreen (IIRC) on a single point-to-point link - even with 10G interfaces.  Turns out that in order to leverage all channels of the ASIC you had to use like 60 tunnels or something.  Boy was that an eye opener.

[dlots]

Ouchie!!

Yeah vendors lie like crazy about that kinda thing, when I was still very new I took out a data center (for a very short period of time)  by using Iperf to push 1Gb of data though a firewall that claimed 5Gb of though-put.

[NetworkGroover]

Ouchie!!

Yeah vendors lie like crazy about that kinda thing, when I was still very new I took out a data center (for a very short period of time)  by using Iperf to push 1Gb of data though a firewall that claimed 5Gb of though-put.

Yep!  Firewalls and things like IDS have been notorious for that I hear.  You can almost guarantee that if you enable ANYTHING on the device, the throughput is going to be less than advertised.

I preach Ixia/Spirent on the regular - too bad it's so damn expensive (from what I hear).  It's a bummer that such a vital tool is something probably so hard to justify to upper management.

[Otanx]

IDS market is bad with fake throughput numbers. The first thing you should ask after they tell you their throughput is how many rules that is with. I have seen vendors run their tests with 1 rule that does not trigger on anything, then when you test with a real rule set the throughput dies. Also seen boxes that have 4 10G interfaces, and are marketed as 40G boxes, but then you find out the system can only do 4G per interface, and no monitored flow can be above 1Gbps. IDS sizing sucks. This is why systems like Gigamon, ANUE, Arista DANZ, or Cisco Data Broker are becoming important.

-Otanx

[NetworkGroover]

IDS market is bad with fake throughput numbers. The first thing you should ask after they tell you their throughput is how many rules that is with. I have seen vendors run their tests with 1 rule that does not trigger on anything, then when you test with a real rule set the throughput dies. Also seen boxes that have 4 10G interfaces, and are marketed as 40G boxes, but then you find out the system can only do 4G per interface, and no monitored flow can be above 1Gbps. IDS sizing sucks. This is why systems like Gigamon, ANUE, Arista DANZ, or Cisco Data Broker are becoming important.

-Otanx

Right?  As if your job wasn't already hard enough...