Network speed as a function of configuration and number of TCP connections

Tests of maximum network speed through Bandwidth Management and Firewall (BMF), depending on the number of filters and TCP connections, with the State Firewall and NAT enabled and filters configured.

BMF – Hardware
Processor: Intel Core Duo 2 x 2.13GHz
Motherboard: Intel DG965WH Westchester
RAM: 1GB
NIC 1: Intel PRO/1000 PT Server Adapter (interface to the client)
NIC 2: Intel 82566DC Gigabit Adapter, built into the motherboard (interface to the server)

BMF – Software
Windows 7 32-bit, Service Pack 1
Built-in router – routing table
BMF 2.6.3
BMF configuration is on NIC 2

This test shows the high-speed packet filtering and the performance of the TCP inspection and NAT implemented in BMF.
The maximum performance of BMF depends significantly on the hardware used, and the test
machine is mid-range hardware at the present time. If you plan to use
more powerful hardware, you can expect higher data flows. The following
tables and graphs state the number of filters. A typical BMF configuration for
an internet service provider contains one filter for every customer on the network.

The test was done on three machines connected with two Ethernet cables. BMF is
installed on the middle machine. The first edge W2K3 machine runs the testing
application configured as a server, and the second edge W2K3 machine runs the testing
application configured as a client with many IP addresses, so that it opens a
predetermined number of TCP connections to the server. Every opened TCP
connection transfers the maximum possible amount of data in both directions through
the middle machine, which runs Windows 7 32-bit configured as a router using the
built-in routing table; no routing software is used.

Measurement was done with the built-in tool Performance Monitor. The counter type
displayed on each graph is described at the bottom of the perfmon window.
For speed there is also a “scale”: the number on the vertical y-axis must be
divided by the scale to obtain the measured value in Bytes/sec. The displayed average
measured value is already calculated and shown under the graph in Bytes/sec.

Every piece of network software that does packet filtering has an impact on overall
network speed and processor load. Three important factors affect the results of the
measurement: the number of filters, whether TCP inspection/NAT is enabled or disabled,
and the bandwidth of the network.

A BMF filter corresponds to one or more computers in a real network. Every BMF filter
can permit from 1 to X TCP connections, depending on its configuration. In our test,
filtering by client IP address was used.

Summary of test results:

| Number of TCP connections | Number of filters | NAT | TCP inspection | Processor0 [%] | Processor1 [%] | Speed [Mbit/s] |
|---|---|---|---|---|---|---|
| 1000 | BMF is not installed | | | | | 1568 |
| 1000 | 0 | x | x | 99 | 99 | 1040 |
| 1000 | 250 | | | 97 | 91 | 944 |
| 1000 | 250 | x | x | 97 | 93 | 712 |
| 1000 | 250 | | x | 97 | 90 | 717 |
| 1000 | 500 | | | 98 | 99 | 700 |
| 1000 | 500 | x | x | 99 | 98 | 583 |
| 1000 | 500 | | x | 99 | 98 | 632 |
| 5000 | BMF is not installed | | | 60 | 61 | 1350 |
| 5000 | 500 | | | 99 | 95 | 567 |
| 5000 | 0 | x | x | 96 | 97 | 424 |
| 5000 | 500 | x | x | 99 | 100 | 240 |
| 5000 | 500 | | x | 100 | 97 | 244 |
| 10000 | BMF is not installed | | | 50 | 51 | 905 |
| 10000 | 500 | | | 98 | 94 | 544 |
| 10000 | 0 | x | x | 100 | 98 | 112 |
| 10000 | 500 | x | x | 100 | 97 | 90 |
| 10000 | 500 | | x | 100 | 96 | 90 |

Comment:
The real maximum number of filters in a configuration depends on the power of the CPU,
the network card hardware and the flow of data on the network. With our hardware
configuration we reached a limit of about 500 filters on a Gigabit network. BMF is able
to process a higher number of filters on the tested machine, but with lower network
speed. For example, if BMF is used only on Fast Ethernet (100Mbit), the number of
filters can be higher. To reach a higher number of filters on a Gigabit network with
the current BMF version, a faster CPU is needed. The CPU must search for the right
filter for every packet, so a higher speed requires a higher number of searches.
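
The summary table can be reduced to two figures per connection count: how much of the no-BMF baseline survives with filters only, and how much more is lost when NAT and TCP inspection are switched on. The following is an added example, not part of the original test report; the function names are made up for illustration and the data rows are copied from the table above.

```python
# Rows copied from the summary table on this page:
# (TCP connections, filters, NAT, TCP inspection, speed in Mbit/s).
# filters=None stands for the "BMF is not installed" baseline row.
RESULTS = [
    (1000, None, False, False, 1568), (1000, 0, True, True, 1040),
    (1000, 250, False, False, 944), (1000, 250, True, True, 712),
    (1000, 250, False, True, 717), (1000, 500, False, False, 700),
    (1000, 500, True, True, 583), (1000, 500, False, True, 632),
    (5000, None, False, False, 1350), (5000, 500, False, False, 567),
    (5000, 0, True, True, 424), (5000, 500, True, True, 240),
    (5000, 500, False, True, 244), (10000, None, False, False, 905),
    (10000, 500, False, False, 544), (10000, 0, True, True, 112),
    (10000, 500, True, True, 90), (10000, 500, False, True, 90),
]


def speed(conns, filters, nat, inspection):
    """Return the measured speed for one configuration, or raise KeyError."""
    for row in RESULTS:
        if row[:4] == (conns, filters, nat, inspection):
            return row[4]
    raise KeyError((conns, filters, nat, inspection))


def retained_pct(conns, filters, nat, inspection):
    """Throughput as a percentage of the no-BMF baseline at the same connection count."""
    baseline = speed(conns, None, False, False)
    return 100.0 * speed(conns, filters, nat, inspection) / baseline


def stateful_cost_pct(conns, filters):
    """Percent of filter-only throughput lost once NAT and TCP inspection are enabled."""
    plain = speed(conns, filters, False, False)
    stateful = speed(conns, filters, True, True)
    return 100.0 * (plain - stateful) / plain


if __name__ == "__main__":
    for conns in (1000, 5000, 10000):
        print(f"{conns:>6} connections, 500 filters: filters only keep "
              f"{retained_pct(conns, 500, False, False):.1f}% of baseline, "
              f"NAT + TCP inspection cost a further "
              f"{stateful_cost_pct(conns, 500):.1f}%")
```

On these figures the filter-only configuration stays between 544 and 700 Mbit/s, while the penalty for NAT and TCP inspection grows from about 17% at 1000 connections to about 83% at 10000, so connection count is the number to size for when stateful features are enabled.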

Graphs:

When CPU load is very high, perfmon does not draw a continuous line for the
Bytes/sec graphs. See the “Average” value for the result.

The following results were measured without BMF installed. These graphs demonstrate the performance of the Windows
Vista built-in router. With an increasing number of TCP connections there was
a significant decrease in network speed. Test results are also influenced by the two
edge machines.

TCP connections: 1000
Average speed: 1.57Gbit
BMF is not installed.

TCP connections: 5000
Average speed: 1.35Gbit
BMF is not installed.

TCP connections: 10000
Average speed: 905Gbit
BMF is not installed.


————————————————————————————————————————
Results for 1000 TCP connections and BMF configuration: TCP
inspection, NAT, 500 filters:

TCP connections: 1000
Average speed: 700Mbit
BMF configuration: 500 filters with unlimited bandwidth

TCP connections: 1000
Average speed: 1000Mbit
BMF configuration: Firewall NAT

  

TCP connections: 1000
Average speed: 632Mbit
BMF configuration: Firewall TCP inspection and 500 filters with unlimited
bandwidth

  

TCP connections: 1000
Average speed: 583Mbit
BMF configuration: Firewall NAT, 500 filters with unlimited bandwidth


————————————————————————————————————————
Results for 5000 TCP connections and BMF configuration: TCP
inspection, NAT, 500 filters:

TCP connections: 5000
Average speed: 567Mbit
BMF configuration: 500 filters with unlimited bandwidth

 

TCP connections: 5000
Average speed: 424Mbit
BMF configuration: Firewall NAT

TCP connections: 5000
Average speed: 244Mbit
BMF configuration: Firewall TCP inspection and 500 filters with unlimited
bandwidth
(A large part of the graph is not visible in the picture because of very high CPU load.
See the “Average” value.)

 

TCP connections: 5000
Average speed: 240Mbit
BMF configuration: NAT and 500 filters with unlimited
bandwidth
(A large part of the graph is not visible in the picture because of very high CPU load.
See the “Average” value.)


————————————————————————————————————————
Results for 10000 TCP connections and BMF configuration: TCP
inspection, NAT, 500 filters:

TCP connections: 10000
Average speed: 544Mbit
BMF configuration: 500 filters with unlimited bandwidth

TCP connections: 10000
Average speed: 112Mbit
BMF configuration: Firewall NAT

TCP connections: 10000
Average speed: 90Mbit
BMF configuration: Firewall TCP inspection and 500 filters with unlimited
bandwidth

 

TCP connections: 10000
Average speed: 90Mbit
BMF configuration: NAT and 500 filters with unlimited
bandwidth