Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
338
Views
0
Helpful
1
Replies

How come total throughout does not equal the number/speed of interfaces?

Go to solution
Sheraz_35
Level 1
Level 1

‎06-03-2015 04:43 AM - edited ‎03-11-2019 11:02 PM

I was just wondering why the total throughput of a firewall may be less than the speed of the interfaces, i.e 

 

Firewall throughput : 1 Gbps

 

Interfaces: 6 x 1000Base-T - RJ-45

 

Shouldn't the throughput be 6Gbps? 1gps for each port? I know I am missing something if someone could help out that would be great. Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
kcrane2
Level 1
Level 1

‎06-03-2015 08:01 AM

Pretty straightforward.  There is processing involved in firewalling that would not be involved in just moving a packet from here to there.  An incomplete list of checks in no particular order:

 

- Anti Spoofing: Is the packet source from a network expected on this interface.

- Fragmentation:  Need to assemble the packet to perform more advanced protocol fixups/inspections.

- NAT processing: Got to lookup the rules to rewrite the headers.

- Policy processing.

- ACL matching:  Is this permitted traffic in the rule table.

 

This takes some period of time to complete and the higher the expected throughput of the firewall the more processor power it takes to complete it in time.  A firewall is not a switch and devices that can move 5,10,20 gigabit through all that processing cost big money.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
kcrane2
Level 1
Level 1

‎06-03-2015 08:01 AM

Pretty straightforward.  There is processing involved in firewalling that would not be involved in just moving a packet from here to there.  An incomplete list of checks in no particular order:

 

- Anti Spoofing: Is the packet source from a network expected on this interface.

- Fragmentation:  Need to assemble the packet to perform more advanced protocol fixups/inspections.

- NAT processing: Got to lookup the rules to rewrite the headers.

- Policy processing.

- ACL matching:  Is this permitted traffic in the rule table.

 

This takes some period of time to complete and the higher the expected throughput of the firewall the more processor power it takes to complete it in time.  A firewall is not a switch and devices that can move 5,10,20 gigabit through all that processing cost big money.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card