[121053] in North American Network Operators' Group
Re: I don't need no stinking firewall!
daemon@ATHENA.MIT.EDU (Joel Jaeggli)
Fri Jan 8 19:52:54 2010
Date: Fri, 08 Jan 2010 16:52:01 -0800
From: Joel Jaeggli <joelja@bogus.com>
To: "Dobbins, Roland" <rdobbins@arbor.net>
In-Reply-To: <5CD643B0-68FE-44DD-8345-549F72C19E9A@arbor.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Dobbins, Roland wrote:
> On Jan 8, 2010, at 9:02 PM, bill from home wrote:
>
>> And maybe there is no way to tell, but I feel I need to ask the question.
>
> Situationally-dependent; the only way to really tell, not just theorize, is to test the firewall to destruction during a maintenance window (or one like it, in the lab).

See my post in the subject; a reasonably complete performance report for
the device is a useful place to start. If you know what the maximum
session rate and state table size for the device are, you have a pretty
good idea at what rate of state instantiation it will break. Rather
frequently it's more than two orders of magnitude lower than the peak
forwarding rate.

> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
>
> Injustice is relatively easy to bear; what stings is justice.
>
> -- H.L. Mencken