[c-nsp] cat6500/fwsm performance

David Paul Zimmerman David.Zimmerman at flysfo.com
Mon Jun 6 12:38:45 EDT 2011


Another thing to keep in mind is that IP multicast is particularly bad on
the FWSM, because multiple VLANs receiving a single stream will duplicate
the multiple copies of identical traffic down the same EtherChannel member
-- along with any other unicast or multicast traffic that happens to have
the same EtherChannel hash.  Something to watch for normal traffic, and
definitely something to be concerned about if you have a multicast flood
(particularly the innocent unicast victims).

	dp

-----Original Message-----
From: Peter Rathlev <peter at rathlev.dk>
Date: Thu, 2 Jun 2011 14:22:23 -0700
To: Jeff Bacon <bacon at walleyesoftware.com>
Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] cat6500/fwsm performance

On Thu, 2011-06-02 at 15:09 -0500, Jeff Bacon wrote:
> I'm seeing round-trip latencies of approx 250us pushing data through the
> FWSM, 

That latency sounds much like what we're seeing, around 300 us.

> and a relatively ridiculously high rate of packet loss.

Two things to keep in mind:

 1) Any one flow cannot exceed 1 Gb/s, since the connection to the FWSM
    is a 6 port etherchannel.

 2) Traffic that cannot be "fast switched" in the firewall will overload
    it easily. An iperf UDP session resulted in 30% packet loss @ 300
    Mbps here. Fast switched traffic (like regular TCP) is no problem.

> This is just with having the firewall in transparent mode, two hosts
> on one vlan and two hosts on another VLAN bridged via the FWSM, with
> all inspection turned off.
> 
> Are these cards _really_ that bad? Or am I missing something really
> dumb and obvious here?

I've only ever used routed mode and have no idea if transparent is
different performance-wise.

-- 
Peter
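
Added example, not part of either message above: a small model of the two EtherChannel points raised in this thread, that one flow stays on one 1 Gb/s member and that per-VLAN copies of a multicast stream share a member with whatever unicast traffic hashes there. The CRC-based hash, the even-drop model, and all addresses and rates are assumptions constructed for illustration; this is not the Catalyst 6500/FWSM hashing algorithm.

```python
import zlib

MEMBERS = 6          # from the thread: 6-port EtherChannel to the FWSM
MEMBER_MBPS = 1000   # from the thread: one flow cannot exceed 1 Gb/s

def member_for(src, dst):
    # Stand-in hash on the address pair (assumption, not Cisco's algorithm).
    return zlib.crc32(f"{src}>{dst}".encode()) % MEMBERS

def member_load(flows):
    # flows: (src, dst, mbps, copies); copies = VLANs receiving the stream.
    # Every copy has identical addresses, so all copies land on one member.
    load = [0] * MEMBERS
    for src, dst, mbps, copies in flows:
        load[member_for(src, dst)] += mbps * copies
    return load

def drop_fraction(load):
    # Assumed model: an oversubscribed member drops the excess evenly.
    return [max(0.0, 1 - MEMBER_MBPS / l) if l else 0.0 for l in load]

def find_victim(stream, mbps=100):
    # First constructed unicast flow that hashes onto the stream's member.
    target = member_for(stream[0], stream[1])
    for host in range(1, 255):
        src, dst = "10.0.1.10", f"10.0.2.{host}"
        if member_for(src, dst) == target:
            return (src, dst, mbps, 1)
    return None

# Constructed sample: a 400 Mb/s multicast stream received on 3 VLANs.
STREAM = ("10.0.1.5", "239.1.1.1", 400, 3)

if __name__ == "__main__":
    victim = find_victim(STREAM)
    flows = [STREAM] + ([victim] if victim else [])
    load = member_load(flows)
    for i, (l, d) in enumerate(zip(load, drop_fraction(load))):
        print(f"member {i}: {l:5d} Mb/s offered, {d:.1%} dropped")
```

Comparing the per-member figures against real interface counters on the port-channel members is the practical check: one member running hot while the others sit idle is the pattern this model produces.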

