Firewall throughput

Question

I saw on multiple site vendor sites about firewall throughput in 1518/512/64 bytes UDP packet and each result from 1518/512/64 bytes UDP packet is 1xxx/smaler than 1xxx/significantly smaller than 1xxx.

Can anyone let me know why this is the case? The only theory that I can come up with is that in one physical connection (i.e. 1Gb), it can fit up to xx amount of 1518 UDP packet and therefore, the number of 64 UDP packets are larger than 1518 UDP packets. Thus, firewall need to inspect more packets in that physical connection and that explain the throughput (Mbps) is smaller in 64 bytes. Is my observation correct?

Also, if that is the case, then what is the correct calculation or if someone can point me to any website that explain this type of throughput.

(edit) Take this website for example, http://www.zyxel.com/us/en/products_services/zywall_1100_310_110.shtml?t=p Zywall 1100/310/110 stated their firewall throughput as 6000/5000/1600 Mbps on 1518/512/64 bytes UDP packet. ()

Thank you

I really have no idea what you are talking about. Can you include a link to whatever documentation/articles/whatever you are referencing? — Zoredache, Mar 13 '15 at 18:27

score 1 · Answer 1 · answered Mar 13 '15 at 18:27

1

Packet inspection is much more affected by the packets per second than bandwidth. This is caused by the fact that it is much more CPU intensive to parse a packet, than to skip the payload. The metric used to measure this is called 'packets per second' or PPS.

Some equipments have specialized integrated circuits called ASIC that can offload this processing from the main CPU.

answered Mar 13 '15 at 18:27

Mircea Vutcovici

17,619
4
56
83

I see. Is there a correlation between bandwidth and pps? Correct me if I am wrong, is it something like this? let's say in 1 Gbps physical connection, the maximum packets per 64 bytes is 1,953,125 packets and 82,345 packets per 512 bytes. So, in this case, there are more packets to inspect per second for a 64 byte packet. – user79392 Mar 13 '15 at 19:07
Bandwidth will limit theoretical value of max number of packets per second. The number of PPS will be lower as it will be affected by latencies for storing and forwarding the packet, jitter(if your source is not perfectly in sync with the switch, some packets will get discarded or queued). – Mircea Vutcovici Mar 13 '15 at 19:49

Firewall throughput

1 Answers1