How to make VSX go fast

Got this from a little bird, so can’t take credit.

Use case was datacenter pushing 24Gb through a VSX chassis.

Can it do it?

I was told they got 22Gb on a 21700 through a single VS using this configuration:

  1. The 21700/21400 has 3 PCIe buses. Each PCIe x16 bus supposedly handles 16Gb in one direction.
  2. Config
    R77.10 – firewall blade only

    4 port 10Gb bond with two ports on 10Gb line card one and two ports on 10Gb line card two. The ports have to be split across two different PCIe buses so that no single PCIe bus is overloaded.

    VSLS Cluster (2 members) with 6 virtual systems created

    Layer 3+4 bond distribution algorithm

    Only one VS used to pass firewall traffic

    Single firewall rule: ANY-ANY-ANY-Accept-Log

    CoreXL enabled and set for 2 instances for the VS under test

    Hyperthreading not enabled

     

  3. MultiQ enabled and set for 12 RX queues (apply to both members). NOTE: MultiQ only works on receive and not transmit.

    cpmq set rx_num ixgbe 12

  4. fw ctl affinity -s -d -fwkall 4 
  5. cpmq reconfigure 
  6. Reboot 21700

    Follow these steps on both 21700 VS cluster members:

    1. Create the $PPKDIR/boot/modules/simkern.conf file:

    [Expert@HostName]# touch $PPKDIR/boot/modules/simkern.conf

    Note: If this file already exists, the 'touch' command has no effect on it.

    2. Enable the SecureXL parameter 'sim_requeue_enabled':

    [Expert@HostName]# echo 'sim_requeue_enabled=1' >> $PPKDIR/boot/modules/simkern.conf

    3. Check that the SecureXL parameter was added:

    [Expert@HostName]# cat $PPKDIR/boot/modules/simkern.conf

    4. Reboot the machine to apply the changes.

    Run the test from the appliance idle state. Between tests, run:

    fwaccel off
    fw tab -t connections -x -y
    fwaccel on

    This clears the connection table and avoids out-of-state errors in later tests.
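An idempotent form of the simkern.conf steps above, added here as an example and not taken from the post: the post's 'echo >> simkern.conf' appends a new line every time it runs, so a second pass on a cluster member leaves duplicate (and possibly conflicting) lines, while this version writes sim_requeue_enabled=1 exactly once and verifies it. It assumes $PPKDIR is set as on the gateway and falls back to a constructed scratch path so it can be dry-run offline.

```shell
#!/bin/sh
# Added example, not part of the original post: idempotent simkern.conf edit.
# $PPKDIR is assumed to be set as on a Check Point gateway; the fallback
# below is a constructed scratch path for an offline dry run.
PPKDIR="${PPKDIR:-/tmp/ppk_demo}"
SIMKERN="$PPKDIR/boot/modules/simkern.conf"

# set_sim_param KEY VALUE: ensure exactly one "KEY=VALUE" line in simkern.conf,
# replacing an existing KEY line instead of appending a duplicate.
set_sim_param() {
    key="$1"; value="$2"
    mkdir -p "$(dirname "$SIMKERN")"
    [ -f "$SIMKERN" ] || : > "$SIMKERN"        # same effect as the post's 'touch'
    if grep -q "^${key}=" "$SIMKERN"; then
        # rewrite through a temp file; 'sed -i' syntax differs between sed builds
        sed "s/^${key}=.*/${key}=${value}/" "$SIMKERN" > "$SIMKERN.tmp" &&
            mv "$SIMKERN.tmp" "$SIMKERN"
    else
        printf '%s=%s\n' "$key" "$value" >> "$SIMKERN"
    fi
}

# count_sim_param KEY: how many lines define KEY (1 is the healthy answer)
count_sim_param() {
    grep -c "^${1}=" "$SIMKERN"
}

# check_sim_param KEY VALUE: succeed only if KEY=VALUE is present exactly once
check_sim_param() {
    [ "$(grep -c "^${1}=${2}\$" "$SIMKERN")" = "1" ]
}

# Dry run: apply step 2 twice, as a re-run on a cluster member would,
# then show the file still carries a single sim_requeue_enabled line.
set_sim_param sim_requeue_enabled 1
set_sim_param sim_requeue_enabled 1
cat "$SIMKERN"
```

The same check_sim_param call doubles as step 3 on each member, so a member whose file drifted (value 0, or two lines) fails the check instead of being reported as configured.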

     
     


Comments

  • JakeTheSnake  On May 25, 2014 at 12:03 pm

    This is soooo sweet! Will have to try it out… and think about who to apply this to first. Thanks!

  • Bob Mog  On August 28, 2014 at 4:55 pm

    One virtual system passing traffic and firewall blade only. Was this a customer deployment or just for testing?

    Turn IPS on with some real world traffic and start crying.

  • Jobi Joba  On July 24, 2017 at 5:16 am

    Can you explain why you chose not to enable HyperThreading? (real question) I'm used to enabling it on any installation, so I'd like to know whether I'm making a mistake or not. Thanks.

    • Dreezman  On July 24, 2017 at 7:24 am

      Oh god, this was years ago. If I remember right, hyperthreading only boosts IPS/data analysis performance. I can't remember why, sorry.


blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.
