10.2.10. (Reference) Firewall performance measurement result

  • The results of firewall (Brocade 5600 vRouter) performance measurements conducted by NTT Communications are as follows.

  • Each measurement item was measured for its maximum value on its own. That is, the maximum values of all performance items were not measured simultaneously.

  • The firewall was measured in a redundant configuration.

  • The log option was not used. (Reference: Points to note for log acquisition from Brocade)

  • Measurements were taken with three firewall rule counts: 0, 50, and 100.

  • These verification results are for reference only. Please note that they are not intended as an assurance of performance.

10.2.10.1. Non-encryption communication test

Configuration diagram

Measurement result

| Measurement item | Measurement condition | Number of rules | Result: 4.2R1S1 (4CPU-16GB-8IF) | Result: 4.2R1S1 (2CPU-8GB-4IF) |
|---|---|---|---|---|
| L4 UDP throughput | Protocol: UDP; Data size: 1,522 bytes; NAT: Yes | 0 | 4.5 Gbps | 4.5 Gbps |
| | | 50 | 4.5 Gbps | 4.5 Gbps |
| | | 100 | 4.0 Gbps | 4.0 Gbps |
| L4 UDP latency | Protocol: UDP; Data size: 1,522 bytes; NAT: Yes | 0 | 6.4 ms | 6.4 ms |
| | | 50 | 6.3 ms | 6.4 ms |
| | | 100 | 6.7 ms | 6.7 ms |
| Number of simultaneous TCP connections in terms of L4 | Protocol: HTTP; Number of new connections: 1,500 cps; Multiplicity: Triple; Data size: 64 bytes; NAT: Yes | 0 | 56,000 connections | 56,000 connections |
| | | 50 | 56,000 connections | 56,000 connections |
| | | 100 | 56,000 connections | 43,000 connections |
| Number of new TCP connections in terms of L4 | Protocol: HTTP; Number of new connections: 300 cps; Multiplicity: Tenfold; Data size: 64 bytes; NAT: Yes | 0 | 2,900 cps | 2,400 cps |
| | | 50 | 2,900 cps | 2,400 cps |
| | | 100 | 2,900 cps | 2,400 cps |

10.2.10.2. Encryption communication test

  • The test environment and parameters conform to "Operation-confirmed setting example: IPsec inter-site tunnel setting".

  • In the configuration above, the site on one side was built with a test machine, and the number of sites was varied from 1 to 64 for the measurements.

  • The measurement results show that a higher plan with more CPUs delivers higher IPsec throughput.

Measurement result

| Measurement item | Measurement condition | Number of rules | Result: 4.2R1S1 (4CPU-16GB-8IF) | Result: 4.2R1S1 (2CPU-8GB-4IF) |
|---|---|---|---|---|
| IPsec throughput | 1 site (*1); Protocol: IKEv1/ESP; NAT: Yes | 0 | 0.4 Gbps | 0.4 Gbps |
| | | 50 | 0.4 Gbps | 0.4 Gbps |
| | | 100 | 0.4 Gbps | 0.4 Gbps |
| | 16 sites; Protocol: IKEv1/ESP; NAT: Yes | 0 | 1.2 Gbps | 0.9 Gbps |
| | | 50 | 1.1 Gbps | 0.8 Gbps |
| | | 100 | 1.0 Gbps | 0.8 Gbps |
| | 32 sites; Protocol: IKEv1/ESP; NAT: Yes | 0 | 1.2 Gbps | 0.9 Gbps |
| | | 50 | 1.1 Gbps | 0.9 Gbps |
| | | 100 | 1.1 Gbps | 0.8 Gbps |
| | 48 sites; Protocol: IKEv1/ESP; NAT: Yes | 0 | 1.1 Gbps | 0.9 Gbps |
| | | 50 | 1.1 Gbps | 0.8 Gbps |
| | | 100 | 1.1 Gbps | 0.8 Gbps |
| | 64 sites; Protocol: IKEv1/ESP; NAT: Yes | 0 | 1.2 Gbps | 0.9 Gbps |
| | | 50 | 1.1 Gbps | 0.8 Gbps |
| | | 100 | 1.1 Gbps | 0.8 Gbps |

Note

  • (*1) The test machine used this time could apply up to about 0.4 Gbps of IPsec traffic per site. Note (for reference) that the test result for one site is based on this upper limit of the test machine.