Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

F5 data center firewall aces performance test

David Newman | July 23, 2013
BIG-IP 10200v combines firewall, load balancer, DoS protection in one fast, scalable appliance.

In the capacity tests, we configured Spirent Avalanche never to request one web object per connection and then do nothing for the rest of the test. Since Avalanche doesn't age out TCP connections by default, we were able to build up progressively larger connection counts, well into the tens of millions.

F5 claims the BIG-IP 10000v supports 36 million concurrent connections. We validated that claim, sustaining 36,000,291 unique TCP connections for a 60-second period.

In the rate tests, we used HTTP 1.0 to ensure each new Web request would force a new TCP connection. Here again, F5 exceeded its rated capacity of 850,000 connections per second. In our tests, the BIG-IP sustained an average of 869,183 new connections per second for a 60-second period.

We did find a couple of fit and finish issues in the F5 firewall, both minor. The firewall failed to process a minuscule percentage of TCP connections on the order of dozens to hundreds of failures out of millions to tens of millions of transactions. We'd configured Spirent Avalanche to abort any transaction taking more than 1 second, which is an eternity at 10G Ethernet rates. For a tiny number of attempts, TCP handshakes never completed. (All tests ran without errors between a pair of Avalanche C100 appliances.)

In an even smaller number of cases, the F5 firewall transmitted an extra TCP reset (RST) packet during connection shutdown. This is odd considering we'd configured Spirent Avalanche to close connections with TCP finished (FIN) and not RST flags. F5's explanation is that connection state between the firewall's client and server sides wasn't synchronized for a tiny number of connections, and in these cases the firewall sent a gratuitous RST packet. (Older versions of Windows Windows XP and earlier, and Windows Server 2003 and earlier tear down TCP connections with a RST rather than a FIN packet. This saves a little memory on the client, but it's a terrible idea for intermediate devices like firewalls, since they will continue to try to track connection state). Again, though, we consider both issues minor annoyances.

Protecting a data center's servers when rates climb into the dozens of gigabits is a significant challenge. With its high-speed rates, its high scalability, and its server protection features, F5's BIG-IP 10200v with the Advanced Firewall Manager (AFM) package is up to that challenge.

Thanks
Network World gratefully acknowledges the assistance of Spirent Communications, which supplied its Spirent Avalanche C100 traffic appliances. Spirent's Michelle Rhines and Jeff Brown also provided engineering support for this project.

Newman is a member of the Network World Lab Alliance and president of Network Test, an independent test lab and engineering services consultancy. He can be reached at dnewman@networktest.com.

 

Previous Page  1  2  3  4  5  Next Page 

Sign up for CIO Asia eNewsletters.