3. Generating Traffic to a Firewall

Goal: Setup and run traffic to test a firewall.

Return to LANforge-FIRE Cookbook

In this test scenario, LANforge-FIRE is used to generate traffic to a firewall DUT in order to measure the following benchmarks:
1. UDP Throughput - Maximum payload bits per second with a UDP traffic flow.
1. TCP Throughput - Maximum payload bits per second with a TCP traffic flow.
1. TCP Concurrent Connections - Maximum number of simultaneous TCP connections.
1. TCP Connections per Second - Maximum number of established TCP connections per second.

NOTE: If you are attempting to run this test scenario, you will need a LANforge license key that enables the correct number of ports and multi-connections.
Please contact us at support@candelatech.com for assistance.

1. The UDP Throughput test will use a scripted Layer-3 connection to vary the rate and payload size to determine the bi-directional UDP throughput of the DUT across the scripted parameters.

A: On the Port Manager tab, setup the LANforge ports with valid IP addresses.
B: On the Layer-3 tab, create a UDP connection. • Set Endpoint Side-A to use the DUT WAN port and Endpoint Side-B to use the DUT LAN port, then select CX Type LANforge UDP then select Apply.
C: Select the Script button to setup the scripting parameters. • Setup the script to iterate over the rates and payload sizes to be tested. • For more information on this step, see the LANforge FIRE Cookbook example: Scripted Layer-3 Test
D: Highlight the connection and select the Start button.
E: The final test report shows the results of the test run. Here we can see that the DUT has the best bi-directional throughput with 1460Byte payloads at 24.9Mbps. Full script report for the UDP test.

2. The TCP Throughput test will use a scripted Layer-3 connection to vary the rate and payload size to determine the bi-directional TCP throughput of the DUT across the scripted parameters.

A: Highlight, then modify the previous connection, change the Name then select CX Type LANforge TCP, then Apply to create the new connection.
B: Select the Script button to setup the scripting parameters. • Setup the script to iterate over the rates and payload sizes to be tested. • For more information on this step, see the LANforge FIRE Cookbook example: Scripted Layer-3 Test
C: Highlight the connection and select the Start button.
D: The final test report shows the results of the test run. Here we can see that the DUT has the best bi-directional throughput at with 1472Byte payloads at 25.3Mbps. Full script report for the TCP test.

3. The TCP Concurrent Connections test will measure the maximum number of simultaneous TCP connections that the DUT can maintain at once.

   A: On the Port Manager tab, create 5 MAC-VLANs on the LANforge Port connected to the DUT LAN port.
   B: Verify that the MAC-VLANs have correct IP addresses.
   C: Create a Layer-3 connection that has a low-speed rate with Multi-Conn set to 10000 on Endpoint Side-A. Multi-Conn should be set to 1 on Endpoint Side-B. • Side-A will be one of the MAC-VLANs and Side-B will be the port connected to the DUT WAN port. This setup will initiate the TCP sessions from the LAN side of the DUT. • Low-speed depends on the DUT, we could also set the rate to zero which would allow the TCP connections to be setup without payload data to be transmitted, but this would not give an accurate picture of the firewall performance. Here we are using 1Kbps connections with 1KB size payload. • This is an iterative test, the number of TCP connections to use will depend on the DUT capabilities. Modify the number of connections as necessary to find the most accurate measurement. • The DUT should be power-cycled to reset it before each test run.
   D: Select the Batch-Create button to create 4 more copies of this connection each with a new MAC-VLAN port.
   E: Highlight and Start each set of 10000 connections until the target max simultaneous connections are running.
   F: On the Layer-3 Endpoints tab, highlight the Running A-Side Endpoints, then right-click and select Calculations.
   G: The top line, Sum, is what we are interested in for Maximum Concurrent TCP Connections.
   H: Scroll right to the CX Active and CX Established columns and select the Refresh button. This DUT can maintain a maximum of 41,864 simultaneous TCP connections. • CX Active is the metric we are attempting to measure, Maximum Simultaneous TCP Connections. It will fluctuate with the DUT's ability to maintain the number of active TCP connections. • CX Established is the number of TCP connections LANforge has established since the start of the test. It will continue to increase as the DUT closes the TCP connections it cannot maintain.

4. The TCP Connections per Second test will measure the rate of TCP connections that can be setup through the DUT.

A: Create a Layer-3 TCP connection with the Duration and IP Port set to zero.
B: Highlight and Start the connection.
C: View the Connections/second rate on the Layer-3 Endpoints tab. This DUT can setup about 120 Connections/second.

• For more information, see the LANforge GUI User's Guide
• Return to LANforge-FIRE Cookbook

Further reading on Benchmarking Firewall Performance:
1. RFC 2544 - Benchmarking Methodology for Network Interconnect Devices
1. RFC 2647 - Benchmarking Terminology for Firewall Performance
1. RFC 3511 - Benchmarking Methodology for Firewall Performance