Solved

T1 to Firewall with VPN. Help me understand better.

Posted on 2004-09-20
Last Modified: 2010-03-17
Ok I'm a little bit confused.


T1 is 1.54Mbps a sec. (Capital Mbps is what? MegaBits per sec?)  So technically if I purchase a Firewall with 1.54Mbps max throughput it should handle a T1 connection fine. No?

So what I'm trying to figure out, is when do I need to go to a bigger firewall.

Example:

Client of mine has a firewall with max 150MBps, well if a T1 is 1.54, then 150 seems a lot.  Why would they need to go up to say, 200, or 275MBps.  Or why even 1.54Gbps, which I've seen on some high end ones.

Is there a way I can determine easily?

Then there is the matter of VPN.

This client example has one main location with a T1, that firewall is only 150Mbps Max Throughput and 40MBps for VPN.  So I'm thinking, ok 150 Max for the T1, that's good, and all 8 locations can get 40Mbps max.  Of course now I'm thinking that adds up to 320Mbps, but they don't need all 40Mbps, if a T1 again is 1.54Mbps.    So if all 8 locations are using the firewall evenly plus the main office that's 17.11kbps each?

I'm just a bit confused.

So how do I properly determine what throughput a client needs if they are on a T1?

What would you recommend for 8 locations and a main office to be on VPN.  All internet, email, domain login goes through main office out T1.

Even now the VPN site takes like 8min to logon to the domain, it's awful.
Question by:fredmastro
9 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12112020
It's not always just a question of throughput. It's a matter of CPU and memory on the firewalls, and licensing issues, and other capabilities.
Another consideration, especially for larger companies, is the use of DMZs, or protected networks that are semi-publicly accessible. Perhaps a web server farm that needs high-speed access to back-end database servers. Even though they may have an egress port only capable of 1.5Mbps, the interaction between multiple LAN interfaces may require Gigabit capabilities through the firewall. (Yes, that is Megabits per second, not MegaBytes)

Take for argument example, the Cisco PIX series. Starting with the paperback book sized little 501, the tech specs say it will handle 60Mbps cleartext throughput, 7500 concurrent connections, and 4.5 Mbps throughput over VPN with 128-bit AES encryption. Quite impressive for a box designed for SOHO (Small Office, Home Office), <10 users. Licensing comes in three modes: 10, 50 or unlimited users. Limitation: no capability for DMZ interfaces. It has inside and outside only. No failover capability. Limited VPN connections (10).

Next, the big boy Enterprise version of the PIX line is the 535 with up to 1.7Gbps, 500,000 connections, 256-bit AES VPN throughput up to 425Mbps, and 2000 simultaneous VPN tunnels. When you need multiple DMZ interfaces all at gigabit speed, this is the workhorse.

Many firewalls try to combine the firewall functions with packet filtering, or AntiVirus, web content control, VPN, etc. The bottom line is to look for the features that you need, at the price point that you can afford.
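An added example, not code from the thread or from Cisco, that turns lrmoore's point into a check: it compares a deployment's load against every limit on a data sheet instead of raw throughput alone, using the PIX 501 and 535 figures quoted above. The T1 rate of 1.544 Mbps, the session count and the 900 Mbps web-farm-to-database traffic are assumed figures.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FirewallSpec:
    """Data-sheet limits; the PIX figures below are those quoted in the thread."""
    name: str
    cleartext_mbps: float   # throughput without encryption
    vpn_mbps: float         # throughput with IPsec/AES on
    max_connections: int    # concurrent state-table entries
    max_vpn_tunnels: int    # simultaneous VPN peers
    supports_dmz: bool      # False = inside/outside interfaces only

@dataclass(frozen=True)
class Deployment:
    """Load the hub firewall must carry (constructed figures)."""
    wan_mbps: float         # egress link rate, e.g. a T1 at 1.544 Mbps
    remote_sites: int       # site-to-site tunnels terminating on the hub
    vpn_mbps: float         # encrypted traffic across all tunnels
    peak_connections: int   # concurrent sessions from all users
    lan_to_lan_mbps: float  # inside <-> DMZ traffic, e.g. web tier to DB
    dmz_needed: bool

PIX_501 = FirewallSpec("PIX 501", 60, 4.5, 7500, 10, False)
PIX_535 = FirewallSpec("PIX 535", 1700, 425, 500_000, 2000, True)
# Hub on a T1 with 8 remote-site tunnels; VPN traffic cannot exceed the T1 itself.
BRANCH_HUB = Deployment(1.544, 8, 1.544, 2000, 0, False)
# Same hub plus a web farm that queries back-end databases across a DMZ (assumed).
HUB_WITH_DMZ = Deployment(1.544, 8, 1.544, 2000, 900, True)

def per_site_share_kbps(link_mbps: float, sites: int) -> float:
    """Even share of one WAN link when every site (hub included) is active at once."""
    return link_mbps * 1000 / sites

def binding_limits(spec: FirewallSpec, load: Deployment) -> dict:
    """Return {limit: (required, available)} for every data-sheet limit the load exceeds.
    All traffic crossing the box counts against clear-text throughput, so WAN and
    inside<->DMZ traffic are summed (coarse, but it shows why a Gigabit-class box can
    sit behind a 1.5 Mbps link). An empty result means the box is not the bottleneck."""
    checks = {
        "cleartext_mbps": (load.wan_mbps + load.lan_to_lan_mbps, spec.cleartext_mbps),
        "vpn_mbps": (load.vpn_mbps, spec.vpn_mbps),
        "connections": (load.peak_connections, spec.max_connections),
        "vpn_tunnels": (load.remote_sites, spec.max_vpn_tunnels),
        "dmz": (int(load.dmz_needed), int(spec.supports_dmz)),
    }
    return {name: pair for name, pair in checks.items() if pair[0] > pair[1]}

if __name__ == "__main__":
    for spec in (PIX_501, PIX_535):
        print(spec.name, binding_limits(spec, BRANCH_HUB) or "fits", binding_limits(spec, HUB_WITH_DMZ) or "fits")
```

On the plain branch-hub load even the smallest box reports no exceeded limit; the DMZ farm is what pushes the 501 over its clear-text and interface limits.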
 
LVL 2

Author Comment

by:fredmastro
ID: 12123083

So then...

A firewall with a max 150Mbps (40Mbps VPN) at a main location with a T1 connection, and say 9 remote sites with Cable/DSL connection wanting to use VPN for Internet and Network Filesharing.

Or, in your opinion, would it or would it not be sufficient?

How should I properly figure out the proper Mbps I'm going to need at the main location?
Do I need to go up to a 250Mbps and 95Mbps VPN?  I don't know.

I'll give you the points, let's just talk over this a little bit.  I really would like to know if it's not adequate.
 
LVL 2

Expert Comment

by:doswell
ID: 12170621
If they're being restricted by their connection and are looking at upping the speed to accommodate the overload, a better solution (for a Windows environment) might be to put DCs into each branch office. This will alleviate the logon problem, and reduce the congestion over the links. It would also likely work out to be cheaper than getting faster lines in.
For filesharing a local file server with replication might be more beneficial as well.
This can still be managed centrally at the main office.

The other question is how much traffic will there be?  Will all the offices be transmitting/receiving constantly at the same time?
 
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 12171043
You're still getting wrapped up trying to find some magic mathematic formula and there isn't one.
Defining what is sufficient depends on defining too many other factors.
 
LVL 79

Expert Comment

by:lrmoore
ID: 12280413
Are you still working on this? Can we be of any more assistance?
Can you close out this question?
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12537523
As an interested observer and subscriber to this thread, I believe lrmoore answered it quite thoroughly...  Just an observation..

FE