Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
349
Views
0
Helpful
3
Replies

Pix 515E DMZ poor bandwidth

a.paradis
Level 1
Level 1

‎06-08-2005 11:20 AM - edited ‎03-05-2019 11:33 AM

Hi,

I noticed that hosts located in the dmz interface of my Pix 515E has a poor bandwidth (~2-3MB/s on 100mbps link) when transferring data to the inside interface.

Inside to inside transfers seem decent (5-6MB/s on 100mbps link)

Is this normal?

Thanks for your help.

Labels:
0 Helpful
3 Replies 3

scottmac
Level 10
Level 10

‎06-08-2005 08:24 PM

With the given information, I'd say you're probably in the ballpark.

The problem of giving an absolute answer is that there are many variables, from the actual PCs that you're testing, to the number and scope of the ACLs in-place between the DMZ and the inside, to the (possible) NAT assignments / maps.

Everything that causes a comparison to occur between the interfaces will occur (potentially, check to see if "turbo" ACLs are available - I don't think they are) for for evey packet that passes between them.

An ACL means that the CPU must examine the packet against every line of the ACL, a NAT or static mapping means that the packet has to be rebuilt (both ways ... think of TCP "acks" as well as bi-di traffic) to change the address and / or port mapping.

Another factor is the load on the PIX. A heavily loaded PIX is likely to operate slower / with more latency than one that is not under heavy load.

All of this plays into the conventions for efficiently setting up your ACLs, filters, address hierarchies & such.

When the system comes under load, every little bit helps to keep it running as fast and efficiently as possible.

Ther are other factors ... the switch(es) and router(s) that feed the PIX, the server(s) that get and send the traffic through the PIX, the quality of the WAN connection .... you get the idea.

Without seeing you configs and a realistic bandwidth analysis on a snapshot of the tested conditions, it's not really possible to give you a fair evaluation.

But, generally speaking, the numbers you present are probably in the zone.

(you did mean MB = MegaBYTES, not BITS, right?)

FWIW

Scott

0 Helpful

a.paradis
Level 1
Level 1
In response to scottmac

‎06-09-2005 08:19 AM

Thanks for your help, Scott.

I realise that there are a LOT of factors involved and it is pretty hard to evaluate bandwidth efficiency without proper analysis. I will most probably look into all these issues you pointed out to try and optimize performance a little bit, even if it is only 500k/s.

I know i'll never get as good as performance from an inside to inside transfer considering the security between the inside and dmz zone, but perhaps there is still place for optimization.

(and yes, I did mean megabyte ;))

Thanks again.

*** EDIT ***

Rating your post does not seem to work for now, I'll try again later.

0 Helpful

mostiguy
Level 6
Level 6
In response to a.paradis

‎06-15-2005 12:38 PM

Check the interface counters - if you see numerous errors, there might be an autonegotiation problem, in which case if the dmz interface is plugged into a managed switch, you would want to configure both the pix dmz int and switch port to be hard coded for 100 megabit full duplex.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card