There's no solid yes or no answer for this type of question. Too many factors come into play, such as:
- the size of the firewall
- the expected size of the BGP table you plan to receive ( full, partial, default only, etc....)
- the number of ebgp peers
- the number of ibgp peers
- how stable is your network
- how many prefixes are carried via your provider
- if more than 2 bgp-peers do you have any Equal Cost Multi-Path concerns
- the number of other dynamic routing protocols & neighbors ( eigrp/ibgp/rip/ospf/ etc )
- any active UTM features that you may have enabled ( AS/AV, webcontent, DLP, etc....)
- existing vpn traffic performance or concern ( ipsec and/or ssl )
- do you have a considerable amount of locally generated traffic that will spike CPU ( ldap queries or other lookups )
- the size of your memory and cpu
- are you running into critical high cpu/memory performance ( now )
To give you an example for a typical day of BGP updates, I've graphed one single day & the total number of updates, withdraws, and path changes or other path attributes, and totaled these over each hourly period.
YMMV depending on the BGP peering you're doing, the upstream provider, and how stable their links are with other carriers.
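The hourly tally described above, sketched as an added example that is not from the original post. It assumes a constructed pipe-delimited update feed (timestamp, A or W, prefix, AS path), a format chosen here for illustration, and classifies each message as announce, withdraw, path change or duplicate per hour:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample feed (not real data). Assumed line format:
#   <UTC timestamp>|<A=announce or W=withdraw>|<prefix>|<AS path>
SAMPLE = """\
2024-01-01T00:05:00Z|A|192.0.2.0/24|64500 64501
2024-01-01T00:06:00Z|A|198.51.100.0/24|64500 64502
2024-01-01T00:40:00Z|A|192.0.2.0/24|64500 64510 64501
2024-01-01T01:10:00Z|W|198.51.100.0/24|
2024-01-01T01:12:00Z|A|192.0.2.0/24|64500 64510 64501
2024-01-01T02:30:00Z|A|198.51.100.0/24|64500 64502
this line is malformed and is skipped
"""

KINDS = ("announce", "withdraw", "path_change", "duplicate")

def hourly_churn(text):
    """Count BGP message kinds per hour: {"YYYY-MM-DD HH:00": {kind: n}}."""
    rib = {}  # prefix -> AS path currently installed
    buckets = defaultdict(lambda: dict.fromkeys(KINDS, 0))
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4 or parts[1] not in ("A", "W"):
            continue  # not a feed line in the assumed format
        ts, kind, prefix, path = parts
        try:
            hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%d %H:00")
        except ValueError:
            continue  # unparseable timestamp
        if kind == "W":
            rib.pop(prefix, None)
            label = "withdraw"
        elif prefix not in rib:
            label = "announce"        # new prefix, or re-announced after a withdraw
        elif rib[prefix] != path:
            label = "path_change"     # same prefix, different AS path
        else:
            label = "duplicate"       # re-advertised with no change
        if kind == "A":
            rib[prefix] = path
        buckets[hour][label] += 1
    return dict(buckets)

if __name__ == "__main__":
    for hour, counts in sorted(hourly_churn(SAMPLE).items()):
        print(hour, counts)
```

Hours with a high path_change or withdraw count are the ones where the control plane is busiest, which is where a firewall with little CPU and memory headroom will feel BGP first.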
Most firewalls have far less available memory and use more of that memory for other tasks and functions outside of dynamic routing.
They also typically have a smaller CPU footprint than a similarly priced router. So to get equal performance and router-like function, you will most likely need a model with bigger memory/CPU capacity.
Routers are good at one thing only: "Routing"
Firewalls are good at being a "Firewall"
For some good future references and for reviewing:
http://bgp.he.net/report/netstats
http://www.cymru.com/BGP/prefix_delta.html
http://www.cymru.com/BGP/bgp_updates.html
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( * * )=
o
/ \