Peter Welcher of NetCraftsmen explains how to make sure you choose the right router or firewall to meet your performance and throughput needs.
A recent blog contrasted routers and switches. This blog contains some related thoughts and is essentially Part 2 of the prior blog.
In some recent design situations, I have spent time evaluating routers and firewalls against fairly hefty performance requirements. That made it quite clear (if it wasn’t clear enough already) that router and firewall performance costs a lot more than switch performance, as covered in the previous blog.
This blog takes up the related topic of finding the router or firewall model with the right performance, for situations where you need more speed than the relatively low-cost options deliver.
I keep encountering people who seem to think that since their Cisco ISR 4K router has a couple of 1 Gbps interfaces, it will do 1 Gbps of GigE to GigE forwarding (routing). Bzzzt, wrong! Probably not, depending on the model! The standard consulting answer applies: “it depends” and “don’t assume.”
This is not a criticism of Cisco; other vendors do the same thing. Cisco’s data sheets are fairly candid about throughput. You do have to read them and understand what the performance numbers mean.
One place this comes up is in IPsec / IWAN / SD-WAN design. The Cisco ISR 4K and ASR 1K routers offer a variety of performance and price points. You do need to pick the right one, considering both the packet forwarding throughput and IPsec throughput, and what other loads you might be imposing on the router. This can be a bit of an art. You need to factor in other features you use that might load up a router (NAT, for instance).
You also need to allow for about 2x to 4x growth in traffic as well.
You DO have a real capacity planning process, don’t you? That is, tracking actual vs. projected traffic for about the last 3+ years. My experience is that most sites do not have solid capacity planning and trending information, including historical data. I’ll spare you why I think that is the case; some of it is tools, some of it is Ops staff ensuring all devices and interfaces are monitored, and some of it is methodology and capturing / improving your own forecasts.
<<Must Stay on Main Topic…>>
Cisco’s licensing approach for the ISR 4K models is interesting and allows some flexibility. If you get the base performance right, buying a license doubles the throughput on some ISR 4K models, or gives model-specific increases in the ASR 1K series (see the datasheets for details). Some ASR models’ throughput is also capped by the CPU choice. For IWAN, you also need to keep an eye on the IPsec throughput, which will likely push you to a larger router model.
Getting practical about throughput numbers
Forwarding performance is what I like to call a two-way number. It is the total workload a device can forward. Or as some would say, it is the sum of the “gazintas” (“goes into’s” with a NYC accent).
Question: So if you have a router rated at 1 Gbps forwarding performance, can it keep a 1 Gbps Internet link full?
Answer: NO. Suppose the outbound traffic on the Internet link, which came in from some or all of the other interfaces, is 1 Gbps, and the inbound on the Internet link is also 1 Gbps. That’s 1 + 1 = 2 Gbps of forwarding, which is more than the device is rated for.
Question: So, can I do 500 Mbps routing between LAN ports, plus 500 Mbps each way on the Internet link?
Answer: NO. That’s 500 in on LAN1 + 500 in on LAN2 + 500 in from the Internet = 1500 Mbps, already > 1 Gbps, and that count does not yet include the LAN-side ingress that becomes the 500 Mbps outbound to the Internet. Buy a router rated at 2 Gbps (or bigger, to allow for traffic growth, etc.).
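The sum-of-ingress accounting behind those two answers is easy to get wrong by hand once you add several interfaces, an IPsec link, the 2x to 4x growth allowance mentioned earlier and a safety margin against the datasheet number. The following is an added worked example (my own code, not from the original post or from any vendor): it models each interface's peak ingress and egress, derives the forwarding and IPsec workload the way the post describes, scales it for growth and headroom, and picks the smallest model that still fits. The model catalog and traffic figures are constructed for illustration and are not real datasheet values.

```python
"""Size a router against a two-way (sum-of-ingress) forwarding rating.

Added worked example. The CATALOG below is CONSTRUCTED for illustration
and does not reproduce any vendor's datasheet numbers.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Interface:
    name: str
    ingress_mbps: float       # peak traffic arriving on this interface
    egress_mbps: float        # peak traffic leaving via this interface
    ipsec: bool = False       # True if this link carries an IPsec tunnel


@dataclass(frozen=True)
class Model:
    name: str
    forwarding_mbps: float    # datasheet aggregate (two-way) forwarding rating
    ipsec_mbps: float         # datasheet aggregate IPsec rating


def required_forwarding_mbps(ifaces: Iterable[Interface]) -> float:
    """Total workload the box must forward.

    The rating is a two-way number: every forwarded bit entered on exactly one
    interface, so summing ingress counts each flow once. Summing egress must
    give the same total; if the inputs disagree, take the larger so that an
    inconsistent estimate errs on the side of a bigger box.
    """
    ifaces = list(ifaces)
    total_in = sum(i.ingress_mbps for i in ifaces)
    total_out = sum(i.egress_mbps for i in ifaces)
    return max(total_in, total_out)


def required_ipsec_mbps(ifaces: Iterable[Interface]) -> float:
    """Crypto workload: every bit entering a tunnel is decrypted and every bit
    leaving via a tunnel is encrypted, so both directions count."""
    return sum(i.ingress_mbps + i.egress_mbps for i in ifaces if i.ipsec)


def smallest_model(ifaces: List[Interface], catalog: List[Model],
                   growth: float = 2.0, headroom: float = 2.0) -> Optional[Model]:
    """Smallest catalog model whose ratings still cover the workload after
    planning for `growth`x traffic and keeping a `headroom`x margin below the
    datasheet figure. Returns None if nothing in the catalog fits."""
    need_fwd = required_forwarding_mbps(ifaces) * growth * headroom
    need_ipsec = required_ipsec_mbps(ifaces) * growth * headroom
    for m in sorted(catalog, key=lambda m: m.forwarding_mbps):
        if m.forwarding_mbps >= need_fwd and m.ipsec_mbps >= need_ipsec:
            return m
    return None


# Constructed catalog: hypothetical models, not real product ratings.
CATALOG = [
    Model("small", forwarding_mbps=1000, ipsec_mbps=250),
    Model("medium", forwarding_mbps=2000, ipsec_mbps=500),
    Model("large", forwarding_mbps=4000, ipsec_mbps=1000),
    Model("xl", forwarding_mbps=10000, ipsec_mbps=2500),
]

# Question 1 from the post: a "1 Gbps" Internet link kept full both ways.
EXAMPLE_Q1 = [
    Interface("Gi0/0 Internet", ingress_mbps=1000, egress_mbps=1000),
    Interface("Gi0/1 LAN", ingress_mbps=1000, egress_mbps=1000),
]

# Question 2 from the post: 500 Mbps LAN-to-LAN plus 500 each way to the Internet.
EXAMPLE_Q2 = [
    Interface("Gi0/1 LAN1", ingress_mbps=500, egress_mbps=500),
    Interface("Gi0/2 LAN2", ingress_mbps=500, egress_mbps=500),
    Interface("Gi0/0 Internet", ingress_mbps=500, egress_mbps=500),
]

# Constructed branch site: a 200 Mbps-each-way IPsec WAN link plus its LAN.
EXAMPLE_BRANCH = [
    Interface("Tunnel0 WAN", ingress_mbps=200, egress_mbps=200, ipsec=True),
    Interface("Gi0/1 LAN", ingress_mbps=200, egress_mbps=200),
]


if __name__ == "__main__":
    for label, site in (("Q1", EXAMPLE_Q1), ("Q2", EXAMPLE_Q2), ("branch", EXAMPLE_BRANCH)):
        print(label, "forwarding:", required_forwarding_mbps(site),
              "Mbps, IPsec:", required_ipsec_mbps(site), "Mbps,",
              "pick (no growth/headroom):", smallest_model(site, CATALOG, 1, 1),
              "pick (2x growth, 2x headroom):", smallest_model(site, CATALOG))
```

The branch case is the one worth looking at: its raw forwarding load is only 400 Mbps, but because the whole WAN link is IPsec the crypto requirement is also 400 Mbps, and once growth and headroom are applied the IPsec column, not the forwarding column, is what forces the jump to the largest model. Swap in the real datasheet figures for the models you are considering and your own interface counters, and keep the growth and headroom factors as explicit parameters so the assumptions are visible in the design document.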
This also comes up when designing for a large or shared WAN service with a firewall. Prices (Cisco or Palo Alto) start to get “interesting” when you’re looking at multiples of 10 Gbps throughput, as in “full college education” or “major luxury auto” types of list prices.
With firewalls, you generally have more factors to consider: which tiers of service you license and actually use. The more you have the firewall doing, the lower the performance, usually. If you’ve been buying firewalls for a while, you expect that. Historically, Check Point firewalls had a reputation for bogging down if you turned all the features on.
The reason for the performance drop-off is that a general-purpose CPU has to do most of the work. The nature of the firewall’s traffic analysis is generally not amenable to offload to a specialized chipset and code.
I’ll refer you to Table 2 in the “Cisco Next Gen Firewall” datasheet for an example. I was a bit surprised at how hard it was to find this from the Cisco NGFW glossy product pages, but a Google Search for “Cisco NGFW datasheet” worked.
Do your homework, check the specs, and maybe divide the performance spec by 2 for some headroom / safety margin.
NEXT Page: Virtual devices