Virtual FW throughput

Started by wintermute000, July 12, 2015, 08:49:37 PM


wintermute000

Anyone have any XP on different virtual FW re: large scale deployments and in particular, session count?


I am potentially scoping out a proposal for an internet edge aggregation for 1400 retail sites. We haven't been given the figures yet (if they exist LOL) but just rule of thumb you'd assume at least 64k simultaneous sessions. The kicker here is that the customer and the provider are very keen to go virtual, because cloud, virtual, duh. And as you all know, scaling/performance is a fuzzy question with virtual.


Cisco claim 500k sessions on vASA, Juniper 256k on vSRX etc. but has anyone actually stress tested a large virtual FW deployment?
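An added sizing sketch (not part of the original post or any vendor material): it turns a site count and per-site assumptions into the figures datasheets actually quote separately (concurrent sessions, new connections per second, packets per second), then reports which datasheet figure has the least headroom. The site profile, the 7:4:1 IMIX packet mix, and the datasheet limits are all constructed assumptions for illustration; the point is that the same bit rate costs roughly four times the packets per second under an IMIX than under the max-size frames vendor throughput tests tend to use.

```python
"""Aggregation-firewall sizing sketch. Added example with constructed inputs;
none of the numbers come from the thread, a customer, or a vendor datasheet."""

from dataclasses import dataclass

# Constructed 7:4:1 IMIX (frame bytes, share of frames) standing in for
# "real-life" traffic rather than the 1518-byte frames that flatter throughput.
IMIX = ((64, 7), (570, 4), (1518, 1))
MAX_FRAME = 1518
WIRE_OVERHEAD = 20  # preamble + inter-frame gap, bytes per frame on the wire


@dataclass
class SiteProfile:
    sites: int
    users_per_site: int
    sessions_per_user: float      # concurrent flows per active user
    mean_session_seconds: float   # average flow lifetime
    kbps_per_user: float          # average per-user bit rate


# Hypothetical profile: 1400 sites is from the thread, everything else assumed.
EXAMPLE_PROFILE = SiteProfile(sites=1400, users_per_site=20,
                              sessions_per_user=3.0,
                              mean_session_seconds=60.0,
                              kbps_per_user=100.0)

# Hypothetical datasheet limits in the same units as size() returns.
EXAMPLE_DATASHEET = {
    "concurrent_sessions": 500_000,
    "connections_per_second": 20_000,
    "pps_imix": 600_000,
}


def avg_imix_bytes(mix=IMIX):
    """Weighted mean frame size of the mix."""
    total_weight = sum(w for _, w in mix)
    return sum(size * w for size, w in mix) / total_weight


def packets_per_second(bits_per_second, frame_bytes):
    """Frames per second needed to carry a bit rate at a given frame size."""
    return bits_per_second / ((frame_bytes + WIRE_OVERHEAD) * 8)


def size(profile):
    """Translate a site profile into datasheet-style capacity numbers."""
    users = profile.sites * profile.users_per_site
    concurrent = users * profile.sessions_per_user
    # Little's law: concurrent sessions L = arrival rate * mean lifetime W,
    # so the new-connection rate a firewall must absorb is L / W.
    cps = concurrent / profile.mean_session_seconds
    bps = users * profile.kbps_per_user * 1000
    return {
        "concurrent_sessions": concurrent,
        "connections_per_second": cps,
        "bits_per_second": bps,
        "pps_max_frame": packets_per_second(bps, MAX_FRAME),
        "pps_imix": packets_per_second(bps, avg_imix_bytes()),
    }


def binding_constraint(need, datasheet):
    """Return (figure, need/limit) for the datasheet figure with least headroom.
    A ratio above 1.0 means the box is undersized on that figure."""
    worst = None
    for key, limit in datasheet.items():
        ratio = need[key] / limit
        if worst is None or ratio > worst[1]:
            worst = (key, ratio)
    return worst


if __name__ == "__main__":
    need = size(EXAMPLE_PROFILE)
    for k, v in need.items():
        print(f"{k:24s} {v:,.0f}")
    print("binding constraint:", binding_constraint(need, EXAMPLE_DATASHEET))
```

Plug the customer's real figures into `SiteProfile` and the vendor's numbers into the datasheet dict when they exist; until then the sketch at least shows that "sessions" and "throughput" are not the only questions to ask, and that packets per second under a realistic mix is usually the one that bites.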

deanwebb

Not on a virtual one, but vendors like to send "special" packet flows to get those rates. If you don't have a Spirent box or something similar, rent one and use it to blast traffic that's more real-to-life.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

NetworkGroover

Quote from: deanwebb on July 12, 2015, 09:15:16 PM
Not on a virtual one, but vendors like to send "special" packet flows to get those rates. If you don't have a Spirent box or something similar, rent one and use it to blast traffic that's more real-to-life.

Truth - Spirent or Ixia cuts right through the vendor bullsh!t.

That's when you learn how their ASICs work. Example: at a former job we discovered we could only get about 1.4G of throughput on a Juniper Netscreen (IIRC) on a single point-to-point link, even with 10G interfaces. Turns out that in order to leverage all channels of the ASIC you had to use like 60 tunnels or something. Boy was that an eye opener.
Engineer by day, DJ by night, family first always

dlots

Ouchie!!

Yeah, vendors lie like crazy about that kind of thing. When I was still very new I took out a data center (for a very short period of time) by using iperf to push 1Gb of data through a firewall that claimed 5Gb of throughput.
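The posts above make the distinction between pushing bytes (what iperf measures) and holding sessions (what a session table limit measures). The following is an added example, not code from the thread or any vendor tool: a minimal asyncio load generator that opens N TCP sessions, keeps all of them open at the same instant, exchanges one line on each, and reports how many the far side actually saw concurrently. It runs offline against a built-in echo server on loopback (an assumption for the demo); for a real check you would run the echo server on the far side of the firewall and set `HOST` accordingly, then compare the returned peak with the firewall's own session-table counter. It is no substitute for a Spirent or Ixia run, but it costs nothing.

```python
"""Concurrent-session load generator. Added example; runs against a local
echo server so it works offline. Not a replacement for a traffic generator."""

import asyncio

HOST = "127.0.0.1"  # assumption: loopback for the offline demo


class SessionCounter:
    """Server-side view: how many sessions are open now, and the peak seen."""

    def __init__(self):
        self.open = 0
        self.peak = 0


async def start_echo_server(counter, host=HOST):
    """Echo server that counts concurrent connections. Returns (server, port)."""

    async def handle(reader, writer):
        counter.open += 1
        counter.peak = max(counter.peak, counter.open)
        try:
            while data := await reader.read(1024):  # b"" on EOF ends the loop
                writer.write(data)
                await writer.drain()
        finally:
            counter.open -= 1
            writer.close()

    server = await asyncio.start_server(handle, host, 0)  # port 0: pick a free one
    return server, server.sockets[0].getsockname()[1]


async def open_sessions(n, host, port, hold_seconds):
    """Open n sessions, hold them all open simultaneously, return how many
    completed a round trip. Failed connects count as zero, not as errors."""
    up = {"count": 0}
    all_up = asyncio.Event()

    async def one():
        try:
            reader, writer = await asyncio.open_connection(host, port)
        except OSError:  # refused / out of ports / table full: a real finding
            return 0
        try:
            writer.write(b"ping\n")
            await writer.drain()
            ok = (await reader.readline()) == b"ping\n"
            up["count"] += 1
            if up["count"] == n:
                all_up.set()
            try:
                # Wait for every session to be up so they overlap in time.
                await asyncio.wait_for(all_up.wait(), timeout=5)
            except asyncio.TimeoutError:
                pass  # some peers never came up; hold what we have anyway
            await asyncio.sleep(hold_seconds)
            return 1 if ok else 0
        except OSError:
            return 0
        finally:
            writer.close()

    results = await asyncio.gather(*(one() for _ in range(n)))
    return sum(results)


def measure(n, hold_seconds=0.2):
    """Return (sessions that completed a round trip, peak concurrent at server)."""

    async def run():
        counter = SessionCounter()
        server, port = await start_echo_server(counter)
        try:
            established = await open_sessions(n, HOST, port, hold_seconds)
        finally:
            server.close()
            await server.wait_closed()
        return established, counter.peak

    return asyncio.run(run())


if __name__ == "__main__":
    est, peak = measure(200)
    print(f"established {est}, peak concurrent at server {peak}")
```

Scale `n` up until either the client runs out of ephemeral ports and file descriptors (raise `ulimit -n` and the local port range first, so the client is not the bottleneck you are measuring) or the established count stops tracking `n`; the gap between the two, read alongside the firewall's session counter, is the number the datasheet never shows you.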

NetworkGroover

Quote from: dlots on July 16, 2015, 07:33:30 AM
Ouchie!!

Yeah, vendors lie like crazy about that kind of thing. When I was still very new I took out a data center (for a very short period of time) by using iperf to push 1Gb of data through a firewall that claimed 5Gb of throughput.

Yep! Firewalls and things like IDS have been notorious for that, I hear. You can almost guarantee that if you enable ANYTHING on the device, the throughput is going to be less than advertised.

I preach Ixia/Spirent on the regular. Too bad it's so damn expensive (from what I hear). It's a bummer that such a vital tool is something probably so hard to justify to upper management.

Otanx

IDS market is bad with fake throughput numbers. The first thing you should ask after they tell you their throughput is how many rules that is with. I have seen vendors run their tests with 1 rule that does not trigger on anything, then when you test with a real rule set the throughput dies. Also seen boxes that have 4 10G interfaces, and are marketed as 40G boxes, but then you find out the system can only do 4G per interface, and no monitored flow can be above 1Gbps. IDS sizing sucks. This is why systems like Gigamon, ANUE, Arista DANZ, or Cisco Data Broker are becoming important.

-Otanx

NetworkGroover

Quote from: Otanx on July 16, 2015, 11:20:36 AM
IDS market is bad with fake throughput numbers. The first thing you should ask after they tell you their throughput is how many rules that is with. I have seen vendors run their tests with 1 rule that does not trigger on anything, then when you test with a real rule set the throughput dies. Also seen boxes that have 4 10G interfaces, and are marketed as 40G boxes, but then you find out the system can only do 4G per interface, and no monitored flow can be above 1Gbps. IDS sizing sucks. This is why systems like Gigamon, ANUE, Arista DANZ, or Cisco Data Broker are becoming important.

-Otanx

Right? As if your job wasn't already hard enough...