Router Performance

mikem2te Posts: 407 Member
Hi guys,

I have been benchmarking one of my routers when using various security features. Might be of interest to some of you.

I have put the results here-

A brief history of...: 2801 Router Performance
Blog : http://www.caerffili.co.uk/

Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
Currently : EIGRP & OSPF
Next : CCNP Route

Comments

  • tiersten Posts: 4,505 Member
    Interesting to see it all laid out like that. Thanks for sharing!

    I guess the moral of the story is that you should buy an IPS box or NM and an ASA if you want firewall :)
  • APA Posts: 959 Member
    Nice work :)

    Tiersten...I believe you hit the nail smack bang on the head... ;)

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • mikem2te Posts: 407 Member
    tiersten wrote: »
    Interesting to see it all laid out like that. Thanks for sharing!

    I guess the moral of the story is that you should buy an IPS box or NM and an ASA if you want firewall :)
    Agreed.

    I'm happy with the router though as it'll support any internet connection I could possibly afford with a CBAC or Zone based firewall. No IPS though.
  • Forsaken_GA Posts: 4,024 Member
    tiersten wrote: »
    Interesting to see it all laid out like that. Thanks for sharing!

    I guess the moral of the story is that you should buy an IPS box or NM and an ASA if you want firewall :)

    Or deploy an OpenBSD box in the role ;)
  • Met44 Posts: 194 Member
    Good study. It would be interesting if you extended this into similar comparisons of some of the suggestions here, factoring in cost vs benefit. Wouldn't be too difficult to set up an OpenBSD/Debian box with similar rules.
  • GT-Rob Posts: 1,090 Member
    Very cool! I've been wanting to do a couple of tests to prove a couple of 'theories' I have. Very interesting to see the NAT drop on TCP connections, I would have never guessed that kind of drop.

    I'd like to see the impact of a 50 line ACL as well in a couple of different scenarios. Maybe the impact of policy routing too. Either way, cool stuff!
  • mikem2te Posts: 407 Member
    GT-Rob wrote: »
    Very cool! I've been wanting to do a couple of tests to prove a couple of 'theories' I have. Very interesting to see the NAT drop on TCP connections, I would have never guessed that kind of drop.

    I'd like to see the impact of a 50 line ACL as well in a couple of different scenarios. Maybe the impact of policy routing too. Either way, cool stuff!
    Strange NAT results, I may repeat that one. Looking at the tests I performed, one test I didn't do is a firewall combined with NAT test. I'm guessing (hoping) the combined firewall with NAT will not show much additional performance drop.
  • mikem2te Posts: 407 Member
    Met44 wrote: »
    Good study. It would be interesting if you extended this into similar comparisons of some of the suggestions here, factoring in cost vs benefit. Wouldn't be too difficult to set up an OpenBSD/Debian box with similar rules.

    No, don't suggest that. I'm supposed to be studying SharePoint at the moment, not messing around with Cisco.

    One good possibility would be a Mini-ITX Atom board combined with a small SSD / Compact Flash for the OS with Untangle installed. Any donations, purely in the interest of research of course.
  • tiersten Posts: 4,505 Member
    Ideally Cisco should publish these kinds of numbers but there would be many variables. The installed IOS feature set, version, configuration, amount of RAM etc...

    It'd make my life easier anyway when deciding what to buy if I could just look at the table and go oh okay, a 2801 isn't enough since I want 5MB/s throughput with ZBF but a 2811 would be okay since it can do <blah>. At the moment I look at the router performance datasheet with some rough rules of thumb like halve listed performance for each enabled feature and then harass my Cisco rep :)
  • tiersten Posts: 4,505 Member
    mikem2te wrote: »
    One good possibility would be a Mini-ITX Atom board combined with a small SSD / Compact Flash for the OS with Untangle installed. Any donations, purely in the interest of research of course.
    The ASA5505 is a tiny PC with a slow as molasses AMD Geode CPU so an Atom board would blow it out of the water. They use nearly the same hardware for the low end WLC as well.
  • veritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USA Posts: 5,735 Member
    Or deploy an OpenBSD box in the role ;)

    Nice...

    I like my Astaro ASG that I just built recently. Works like a charm and is free for home users.
    Currently working on: Linux and Python
  • mikem2te Posts: 407 Member
    mikem2te wrote: »
    Hi guys,

    I have been benchmarking one of my routers when using various security features. Might be of interest to some of you.

    I have put the results here-

    A brief history of...: 2801 Router Performance

    I'm going to do a bit more perf testing over the next couple of weeks. I have an 877 & 2651XM to test next. I did 8 separate tests on the 2801 but I'm not going to do that many on the other routers so I'm trying to come up with a list of about 4 tests. At the moment I have the following-

    • No Security - just routing.
    • NAT - Typical overloaded PAT implementation.
    • NAT & Zone Based Firewall as configured by the ‘Cisco Configuration Professional’ tool.
    • NAT & Zone Based Firewall with HTTP Inspection disabled.

    There are so many combinations (cbac, zbf, acl, nat, no nat etc).

    So anyone got any thoughts on what tests to include or exclude from typical configurations in your experience?

    Thanks all.