I made a few changes to the rule. I use http instead of scp and I
assign a weight of 90 to http and 15 to ftp.
I have two http sessions and two ftp sessions running at the same time
downloading a 100MB file size. I started two http sessions first. I
started two FTP sessions immediately after that. I am getting about
1.5MB/sec for each http download session while I am getting about
1.7MB/sec for one FTP session and 1.2MB/sec for the other ftp session.
Obviously, the load is not equally distributed. I have weight 90 to
http and 15 to ftp but somehow ftp is getting just as much traffic as
http. Why?
Warrington Bruce - bwarri <bruce.warrington ACXIOM.COM> wrote:
I think part of your results are just due to your test lab
setup. First I'd say try to force the NIC and switch
settings down to 10Mb full duplex for that small of a
throughput test, so your total traffic exceeds the
available bandwidth, and see if QOS doesn't do more of what
you expect it to. You might also try comparing an FTP
transfer to an HTTP transfer, since scp is known to throttle
itself due to its CPU-based encryption, and is more likely
to skew results if either the client or the server has any
CPU change in load during your test.
Just a guess when trying to lab test something on a small
scale like that - you may not be getting the same results
you'd get if it was running a full load in production.
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM]
On Behalf Of cisco4ng
Sent: Tuesday, September 04, 2007 10:49
To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Question about Floodgate
Hi,
Yes, I checked QoS at the network topology. I have everything set to
100Mbps because everything is connected to a Cisco 2950 Catalyst
switch. I have this setup in my lab environment.
I still have issues. Please help. Thanks.
Pedro Boavida wrote:
Hi,
Did you check which interface has QoS at the network topology?
Best regards,
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM]
On Behalf Of cisco4ng
Sent: Tuesday, September 4, 2007 15:59
To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] Question about Floodgate
I have a question for checkpoint flood-gate gurus in the
forum.
I have NG AI R55 with HFA_20 running on SPLAT enforcement
module. This module is being managed from a Provider-1 NG AI
R55 with HFA_20. I have a single firewall at the moment but I
configured ClusterXL on this firewall because I will add a
second firewall for Active/Active very soon. Everything is
working so far.
I also have Floodgate on the SPLAT enforcement. I have
3 floodgate rules (including the default rule):
1) Any Any ssh weigh_70
2) Any Any FTP weigh_15
3) Any Any any weigh_10
I have this setup "per rule" ONLY.
All interfaces on the SPLAT box are Fast-Ethernet full-duplex.
I open three Secure Copy (SCP) sessions from a host behind
the firewall to three different SSH servers outside the
firewall (I control those ssh servers) and one FTP session
from the same host to an external FTP server (I control this
FTP server as well).
I started downloading via scp from the ssh sessions a 100MB
file size. All three scp sessions, I am getting about 16Mbps
download each. Immediately after starting the secure copy
session, I started the FTP session. Much to my amazement, I
am getting about 20Mbps download with FTP. At the same time,
I am seeing my secure copy session going down from 16mbps to
10mbps on all three of them.
With Floodgate, I thought my ssh traffic is getting a much
higher priority than FTP traffic. If that is true, then how
come my FTP traffic throughput is higher than my ssh
traffic, and that when FTP is going on, it takes away
bandwidth from my SSH traffic.
Can someone explain this? Thanks.
=================================================
To set vacation, Out-Of-Office, or away messages, send an
email to LISTSERV amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription
options, email fw-1-owner ts.checkpoint.com
=================================================
On Tue, 4 Sep 2007, cisco4ng wrote:
> I made a few changes to the rule. I use http instead of scp and I
> assign a weight of 90 to http and 15 to ftp.
>
> I have two http sessions and two ftp sessions running at the same time
> downloading a 100MB file size. I started two http sessions first. I
> started two FTP sessions immediately after that. I am getting about
> 1.5MB/sec for each http download session while I am getting about
> 1.7MB/sec for one FTP session and 1.2MB/sec for the other ftp session.
>
> Obviously, the load is not equally distributed. I have weight 90 to
> http and 15 to ftp but somehow ftp is getting just as much traffic as
> http. Why?
Some things to consider:
The timing within FloodGate is based on a non realtime OS. So at least
some accuracy is lost there.
Then it is my understanding that traffic shaping is done only by
holding on to the packets. Where specialised devices do a lot more
tricks to work their magic.
As we also do PacketShapers and in my view FloodGate lacks a lot of the
steering and accuracy to control sessions that other dedicated
solutions have. Unless the user really, really, really wants it we
don't sell it.
It might work better if you test it with more real life like numbers
like a few dozen sessions for each.
Hugo.
--
hvdkooij vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.
Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for this quote of George Bernard Shaw.)
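
The suggestion earlier in the thread, to shrink the link until the offered traffic exceeds it, can be seen in a generic weighted max-min fair-share model. This is an added example, not code from the thread or from Check Point: the model is an assumption about weighted scheduling in general rather than FloodGate's actual scheduler, and the demands are the observed rates from the second test converted to Mbit/s and assumed to be what each rule offers.

```python
def weighted_fair_share(capacity, classes):
    """Weighted max-min ("water-filling") split of `capacity`.

    classes maps a rule name to (weight, demand); all rates in Mbit/s.
    A rule never receives more than it demands; bandwidth it leaves
    unused is re-split among the remaining rules by weight.
    """
    alloc = {name: 0.0 for name in classes}
    active = {n for n, (w, d) in classes.items() if w > 0 and d > 0}
    remaining = float(capacity)
    while active and remaining > 1e-9:
        total_w = sum(classes[n][0] for n in active)
        share = {n: remaining * classes[n][0] / total_w for n in active}
        satisfied = {n for n in active if classes[n][1] <= share[n]}
        if not satisfied:
            # Link is the bottleneck: every rule is held to its weighted share.
            alloc.update(share)
            break
        for n in satisfied:
            alloc[n] = classes[n][1]
            remaining -= classes[n][1]
        active -= satisfied
    return alloc


# Constructed input: the second test's observed rates, MB/s * 8 = Mbit/s,
# assumed to be what each rule offers. Weights are the poster's 90 and 15.
RULES = {
    "http": (90, 2 * 1.5 * 8),      # two sessions at 1.5 MB/s -> 24.0
    "ftp": (15, (1.7 + 1.2) * 8),   # 1.7 + 1.2 MB/s -> 23.2
}


def compare(rules=RULES):
    """Same offered load on the 100 Mbit/s lab link and on a 10 Mbit/s link."""
    return {cap: weighted_fair_share(cap, rules) for cap in (100, 10)}


if __name__ == "__main__":
    for cap, alloc in compare().items():
        print(cap, {k: round(v, 2) for k, v in alloc.items()})
```

In this model both rules get everything they offer on the 100 Mbit/s link, so the weights have no visible effect, while on the 10 Mbit/s link the split follows the 90:15 weights.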