How to make VSX go fast

Got this from a little bird, so can’t take credit.

Use case was datacenter pushing 24Gb through a VSX chassis.

Can it do it?

I was told they got 22Gb on a 21700 through a single VS using this configuration:

  1. The 21700/21400 has 3 PCIe buses. Each PCIe x16 bus supposedly handles 16Gb in 1 direction.
  2. Config
    R77.10 – firewall blade only

    4-port 10Gb bond, with two ports on 10Gb line card one and two ports on 10Gb line card two. The ports have to be split across two different PCIe buses so that a single PCIe bus is not overloaded.

    VSLS Cluster (2 members) with 6 virtual systems created

    Layer 3+4 bond distribution algorithm

    Only one VS used to pass firewall traffic

    Single firewall rule – ANY-ANY-ANY-Accept-Log

    CoreXL enabled and set for 2 instances for the VS under test

    Hyperthreading not enabled


  3. MultiQ enabled and set for 12 RX queues (apply to both members). NOTE: MultiQ only works on receive and not transmit.

    cpmq set rx_num ixgbe 12

  4. fw ctl affinity -s -d -fwkall 4 
  5. cpmq reconfigure 
  6. Reboot 21700

    Follow these steps on both 21700VS cluster members

    1. Create the $PPKDIR/boot/modules/simkern.conf file:


    [Expert@HostName]# touch $PPKDIR/boot/modules/simkern.conf


    Note: If this file already exists, the ‘touch’ command has no impact on it.

    2. Enable the SecureXL parameter ‘sim_requeue_enabled’:


    [Expert@HostName]# echo 'sim_requeue_enabled=1' >> $PPKDIR/boot/modules/simkern.conf

    3. Check that the SecureXL parameter was added:


    [Expert@HostName]# cat $PPKDIR/boot/modules/simkern.conf

    4. Reboot the machine to apply the changes.



    Run the test from an appliance idle state. Between tests, please run:


    fwaccel off

    fw tab -t connections -x -y

    fwaccel on


    This will clear the connection table and avoid out-of-state errors in future tests.
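
An idempotent form of simkern.conf steps 1 to 3, added here as an example and not part of the original post: a plain "echo >>" appends another copy on every re-run and leaves any earlier sim_requeue_enabled=0 line in place. The function name set_simkern_param and the temp-file demo are assumptions; on the gateway the target is $PPKDIR/boot/modules/simkern.conf.

```shell
#!/bin/sh
# Added example (not from the original post).
# set_simkern_param FILE KEY VALUE   (hypothetical helper name)
#   Leaves FILE with exactly one "KEY=VALUE" line and prints what it did:
#   "added", "updated" (stale or duplicate entries replaced) or "unchanged".
set_simkern_param() {
    ssp_file=$1; ssp_key=$2; ssp_want="$2=$3"

    # Step 1 of the procedure: create the file if it is missing (like touch).
    [ -e "$ssp_file" ] || : > "$ssp_file" || return 1

    # grep -c exits 1 on zero matches but still prints 0, hence "|| true".
    ssp_count=$(grep -c "^${ssp_key}=" "$ssp_file" || true)

    if [ "$ssp_count" -eq 1 ] && grep -Fqx -- "$ssp_want" "$ssp_file"; then
        echo unchanged
        return 0
    fi

    # Step 2: rewrite instead of a blind ">>", dropping every old entry for
    # the key. Passing the file through grep also terminates a last line that
    # had no newline, so the new entry cannot be glued onto it.
    ssp_tmp="${ssp_file}.tmp.$$"
    grep -v "^${ssp_key}=" "$ssp_file" > "$ssp_tmp" || true
    printf '%s\n' "$ssp_want" >> "$ssp_tmp"
    cat "$ssp_tmp" > "$ssp_file"      # keeps the original file's mode and owner
    rm -f "$ssp_tmp"

    # Step 3: verify the parameter is present exactly once.
    [ "$(grep -c "^${ssp_key}=" "$ssp_file")" -eq 1 ] || return 1
    grep -Fqx -- "$ssp_want" "$ssp_file" || return 1

    if [ "$ssp_count" -gt 0 ]; then echo updated; else echo added; fi
}

# Demo on a constructed temp file: a stale value with no trailing newline.
demo_file=$(mktemp)
printf 'sim_requeue_enabled=0' > "$demo_file"
set_simkern_param "$demo_file" sim_requeue_enabled 1
set_simkern_param "$demo_file" sim_requeue_enabled 1
cat "$demo_file"
rm -f "$demo_file"
```

Run it on both cluster members; the reboot in step 4 is still required for the parameter to take effect.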




  • JakeTheSnake  On May 25, 2014 at 12:03 pm

    This is soooo sweet! Will have to try it out… and think about who to apply this to first. Thanks!

  • Bob Mog  On August 28, 2014 at 4:55 pm

    One virtual system passing traffic and firewall blade only. Was this a customer deployment or just for testing?

    Turn IPS on with some real world traffic and start crying.

  • Jobi Joba  On July 24, 2017 at 5:16 am

    Can you explain why you chose not to enable HyperThreading? (real question) I’m used to enabling it on any installation so I’d like to know if I make a mistake or not. Thanks.

    • Dreezman  On July 24, 2017 at 7:24 am

      Oh god this was years ago. If I remember right hyperthreading only boosts IPS/data analysis performance. I can’t remember why, sorry.
