06-08-2005 11:20 AM - edited 03-05-2019 11:33 AM
Hi,
I noticed that hosts located on the dmz interface of my Pix 515E have poor bandwidth (~2-3MB/s on a 100mbps link) when transferring data to the inside interface.
Inside to inside transfers seem decent (5-6MB/s on a 100mbps link).
Is this normal?
Thanks for your help.
06-08-2005 08:24 PM
With the given information, I'd say you're probably in the ballpark.
The problem of giving an absolute answer is that there are many variables, from the actual PCs that you're testing, to the number and scope of the ACLs in-place between the DMZ and the inside, to the (possible) NAT assignments / maps.
Everything that causes a comparison to occur between the interfaces will occur (potentially, check to see if "turbo" ACLs are available - I don't think they are) for every packet that passes between them.
An ACL means that the CPU must examine the packet against every line of the ACL, a NAT or static mapping means that the packet has to be rebuilt (both ways ... think of TCP "acks" as well as bi-di traffic) to change the address and / or port mapping.
Another factor is the load on the PIX. A heavily loaded PIX is likely to operate slower / with more latency than one that is not under heavy load.
All of this plays into the conventions for efficiently setting up your ACLs, filters, address hierarchies & such.
When the system comes under load, every little bit helps to keep it running as fast and efficiently as possible.
There are other factors ... the switch(es) and router(s) that feed the PIX, the server(s) that get and send the traffic through the PIX, the quality of the WAN connection .... you get the idea.
Without seeing your configs and a realistic bandwidth analysis on a snapshot of the tested conditions, it's not really possible to give you a fair evaluation.
But, generally speaking, the numbers you present are probably in the zone.
(you did mean MB = MegaBYTES, not BITS, right?)
FWIW
Scott
06-09-2005 08:19 AM
Thanks for your help, Scott.
I realise that there are a LOT of factors involved and it is pretty hard to evaluate bandwidth efficiency without proper analysis. I will most probably look into all these issues you pointed out to try and optimize performance a little bit, even if it is only 500k/s.
I know I'll never get as good performance as from an inside to inside transfer considering the security between the inside and dmz zone, but perhaps there is still room for optimization.
(and yes, I did mean megabyte ;))
Thanks again.
*** EDIT ***
Rating your post does not seem to work for now, I'll try again later.
06-15-2005 12:38 PM
Check the interface counters - if you see numerous errors, there might be an autonegotiation problem, in which case if the dmz interface is plugged into a managed switch, you would want to configure both the pix dmz int and switch port to be hard coded for 100 megabit full duplex.
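The last reply's advice (check the interface counters for signs of an autonegotiation problem), as an added example that is not code from this thread: a small parser over a constructed, PIX-style `show interface` listing that flags an interface running half duplex with late collisions, or with CRC/input errors. The output format is assumed from memory rather than captured from the device, the counter values are made up, and `SAMPLE`, `parse_interfaces` and `flag_link_problems` are names chosen here.

```python
import re
# Constructed sample modelled on PIX 6.x "show interface" output; the format is
# assumed from memory and every counter value is made up for illustration.
SAMPLE = """\
interface ethernet1 "inside" is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit full duplex
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
interface ethernet2 "dmz" is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit half duplex
        412 input errors, 398 CRC, 14 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 2310 collisions, 0 interface resets
        0 babbles, 187 late collisions, 0 deferred
"""
# counter name -> regex that pulls the value off the counter line it lives on
COUNTERS = (('input_errors', r'(\d+) input errors'), ('crc', r'(\d+) CRC'),
            ('late_collisions', r'(\d+) late collisions'))

def parse_interfaces(text):
    """Map interface name -> duplex setting plus the counters in COUNTERS."""
    result, current = {}, None
    for line in text.splitlines():
        header = re.match(r'interface \S+ "(\w+)"', line)
        if header:
            current = result.setdefault(header.group(1), {})
            continue
        if current is None:
            continue
        duplex = re.search(r'(half|full) duplex', line)
        if duplex:
            current['duplex'] = duplex.group(1)
        for key, pattern in COUNTERS:
            m = re.search(pattern, line)
            if m:
                current[key] = int(m.group(1))
    return result

def flag_link_problems(stats):
    """Return {name: [reasons]} for interfaces whose counters suggest a duplex mismatch or bad link."""
    findings = {}
    for name, s in stats.items():
        reasons = []
        if s.get('duplex') == 'half' and s.get('late_collisions', 0):
            reasons.append('half duplex with late collisions: likely duplex mismatch')
        if s.get('crc', 0) or s.get('input_errors', 0):
            reasons.append('input/CRC errors: check cabling and duplex on both ends')
        if reasons:
            findings[name] = reasons
    return findings
```

On a real box, paste the output of `show interface` in place of `SAMPLE`; an interface that is flagged is the one to hard-code to 100/full on both the PIX and the switch port, as the reply suggests.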