Re: [fw-wiz] PIX-515 acceptable CPU usage?

From: Brian Ford (brford_at_cisco.com)
Date: 09/03/04

  • Next message: Robert McIntosh: "Re: [fw-wiz] Cisco PIX 501 Port Redirection Problem"
    To: "Adam Greene" <maillist@webjogger.net>
    Date: Fri, 03 Sep 2004 16:58:35 -0400
    
    

    Adam,

    You're definitely OK for now. Seems like at worst you'll see 20-25% CPU
    (10% base and 10% if you had 5 interfaces).

    You probably want to try and test a number of use cases including DoS'ing
    on of the less trusted interfaces or (and) establishing a couple of VPN or
    SSH sessions to the PIX and watching what happens.

    Chances are (without looking at your config or knowing how you use the PIX)
    you'll probably spike up to 60% when bad things happen.

    Liberty for All,

    Brian

    At 02:22 PM 9/3/2004 -0400, firewall-wizards-request@honor.icsalabs.com wrote:
    >From: "Adam Greene" <maillist@webjogger.net>
    >To: <firewall-wizards@honor.icsalabs.com>
    >Date: Fri, 3 Sep 2004 11:47:17 -0400
    >Subject: [fw-wiz] PIX-515 acceptable CPU usage?
    >
    >Hi --
    >
    >We're deploying OSPF on our network for the first time, and it looks like it
    >will be convenient to enable OSPF on our PIX-515-UR's as well (running 6.3.3
    >OS). The problem
    >is, the moment I enable OSPF on the pixes, CPU usage on them shoots up from
    >0-1% to 7-10% (sh cpu usage). Each interface I add to area 0 appears to add
    >1-2% to CPU usage as well.
    >
    >I've tried googling for acceptable CPU usage levels on the PIX, but came up
    >dry. Does anyone have a benchmark they can refer me to?
    >
    >We're going to be passing about 5 Mbps through these pixes in the short term
    >(may grow to 10Mbps or higher). It would be nice to know that ongoing 15%
    >CPU usage is not going to cause noticeable performance degradation to our
    >users (we are broadband ISP).
    >
    >Any input anyone may have is very welcome. Thanks for your help.
    >
    >--Adam
    >
    >P.S. we're running 6.3.3 on the pixes

    Brian Ford
    Consulting Engineer, Security & Integrity Specialist
    Office of Strategic Technology Planning
    Cisco Systems Inc.
    http://www.cisco.com/go/safe/

    The opinions expressed in this message are those of the author and not
    necessarily those of Cisco Systems, Inc..

    This email address is transmitted from San Jose, California, U.S.A..

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Robert McIntosh: "Re: [fw-wiz] Cisco PIX 501 Port Redirection Problem"