[c-nsp] cat6500/fwsm performance

Jeff Bacon bacon at walleyesoftware.com
Fri Jun 3 13:59:30 EDT 2011


Not quite all, but very helpful nonetheless and a great reference -
something like that should be in the standard "support" section for the
FWSM.

 

I also found another reference to performance issues in another doc
around the same time that says a lot of useful stuff:

http://www.sectao.com/redirect.php?tid=14079&goto=lastpost

http://isamology.blogspot.com/2010-02/troubleshooting-fwsm-performance.html

 

 

Read the docs for a better description, but fundamentally the FWSM is
designed for a high quantity of short, small-term flows (ISP traffic) as
opposed to a few high volume flows, so the whole thing needs to be tuned
somewhat differently.

 

Summary: enable "sysopt np completion-unit". That took care of all of
the retransmits I had been seeing, and I can now push several hundred
mbit/sec through the firewall with zero retransmits. 

 

There's other useful things to do like disable seq-no rewriting and
such, but most all of that happens in the fast path and I haven't seen
much effect so far.

 

The latency still sucks, but I'm not sure what step is adding the
latency - I need to look further at my test setup (cat3560s aren't
exactly fast), and I also want to install a DFC on the linecard to see
if having to go through the crossbar is adding latency. (For those who
care, please keep in mind that I'm dealing in a financial application
here, so yes I'm counting microseconds - but we're not a
super-high-freq-shop so we don't pay for utter bleeding edge solutions.)
I've seen the latency get down to about 220usec (both ways) so far,
which isn't bad. That's in transparent mode, direct-attached hosts.

 

-bacon

 

 

From: David White, Jr. (dwhitejr) [mailto:dwhitejr at cisco.com] 
Sent: Friday, June 03, 2011 12:04 AM
To: Jeff Bacon
Cc: Pete Templin; Peter Rathlev; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] cat6500/fwsm performance

 

And here is a great doc TAC wrote up on single flow TCP performance
which should answer all your questions:

https://supportforums.cisco.com/docs/DOC-12668

Sincerely,

David.



 

