Nortel Networks Contivity 2600 VPN Switch Firewall/VPN Multi-Service Performance Evaluation
Abstract
Nortel Networks, Inc. commissioned The Tolly Group to evaluate its Contivity 2600, which is designed to serve large branch offices or data centers that support up to 1,000 VPN tunnels. Tolly Group engineers subjected the Contivity 2600 to a battery of tests to determine the switch's single-rule firewall and IPSec gateway bidirectional zero-loss performance, as well as to benchmark switch performance when both services are contending for bandwidth.
Nortel’s Contivity 2600 is positioned as a mid-range VPN switch for large branch offices and data centers that need both stateful firewall inspection and IPSec encryption without collapsing network throughput. In Tolly Group testing, the platform was evaluated in three modes: standalone firewall, standalone IPSec gateway, and a combined multi-service configuration where firewall and VPN traffic competed for bandwidth on the same device.
In firewall mode, the Contivity 2600 delivered strong zero-loss bidirectional throughput over full-duplex Fast Ethernet. In a single port-pair configuration, it reached 198Mbit/s with 1,024-, 1,450-, and 1,518-byte frames, equal to 99% of the theoretical maximum for those frame sizes. In a dual port-pair test with higher port density, the device achieved 316Mbit/s with 1,518-byte frames at zero loss. These results indicate that the platform can sustain substantial firewall throughput for enterprise traffic loads while maintaining full stateful inspection.
As an IPSec gateway using 3DES and SHA-1, the Contivity 2600 also showed a significant benefit from hardware acceleration. Without the accelerator card, throughput ranged from about 30Mbit/s to 34Mbit/s for 1,024-, 1,450-, and 1,518-byte frames. With the accelerator installed, throughput increased to roughly 100Mbit/s to 112Mbit/s for those same frame sizes, more than a 300% improvement. Tolly notes that IPSec adds roughly 50 bytes of encapsulation overhead, pushing larger packets beyond the standard 1,518-byte Ethernet frame size and requiring fragmentation, yet the Contivity 2600 maintained high throughput even under those conditions.
The report also emphasizes the system’s ability to handle mixed workloads. With the VPN accelerator enabled and background IPSec traffic set to 20% of its baseline VPN load, the Contivity 2600 still delivered 194Mbit/s of firewall throughput. Even when VPN load was raised to 80% of baseline, firewall throughput remained 157Mbit/s. Overall, Tolly presents the Contivity 2600 as a hardware-based security platform that can combine encrypted VPN transport and firewall enforcement while preserving the throughput needed for enterprise and metropolitan-area network deployments.