This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Henrik_Noerr1
Advisor
‎2024-03-22 06:49 AM

Nvidia ConnectX 100G SmartNIC

Hi,

The new datasheets for 19xxx and 29xxx mention that the 100g NICs "enable firewall traffic
acceleration at line-rate."

What does this mean specifically? Check Point acceleration methods often come with all kinds of caveats.

Specifically we are looking for solving elephant flows for backup and restores (single high throughput connections.)

VSX support is a requirement and no inspection as such needed.

 

I saw the nvidia logo at CPX for the 40/100g NICs, I guess it is the same NICs as for QLS appliances? Would these be more suited for my needs?

 

Regards,

Henrik

0 Kudos
5 Replies
Bob_Zimmerman
Authority
Authority
‎2024-03-22 07:34 AM

Mellanox/Nvidia ConnectX cards can forward packets from one port to another port on the same card in the Ethernet interface chip with no need to involve the host. This is like the old Nokia Accelerated Data Path cards, or Alteon Switched Firewalls. They're essentially SecureXL in hardware with limitations on just how accelerated a flow can be based on its physical path.

If all you need is the acceleration and you don't need the gross performance, I would go for a QLS. The QLS250 lists for under 1/3 the price of a 19100 (for a unit with both SSDs, the LOM, and 3/4 as much RAM as the QLS250) plus the non-default 2x100g card (CPAC-2-40/100F-D:).

 

ADMIN NOTE: price information removed

0 Kudos
Henrik_Noerr1
Advisor
‎2024-03-22 12:24 PM
In response to Bob_Zimmerman

Hey Bob,

thanks for the input. Same NIC line rate makes sense, and should be kept top of mind.  I wonder if bonding introduces some complications? It will be on vlan sub interfaces and or vswitches. 

Without looking at the datasheet at this moment, another thing that could come into play is the number of maximum 100g bundles available. 

thanks 

Henrik

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2024-03-22 01:44 PM
In response to Henrik_Noerr1

Bonding the two interfaces on one card is unlikely to be an issue. After all, bonding doesn't split the frame across multiple links. A frame still comes in exactly one link and leaves exactly one link. If the link it comes in and the link it leaves are on the same card, it's likely to be able to forward it with no host involvement.

Bonding a ConnextX interface on one card with a ConnectX interface on another card would probably break the accelerated data path. It's possible to skip transmit link selection and just select the link the same card has access to, but that could get thorny if your bonds don't overlap precisely (e.g, if bond1 is eth1-02 and eth2-01, and bond2 is eth2-02 and eth3-01). Simpler to just disable the accelerated forwarding rather than risk unpredictable flow paths.

All that said, with 100g, I would just skip bonding entirely. It's fast enough you almost certainly don't need a bond for the throughput, and there are enough questions I would simply take my availability design to a higher level to avoid them.

 

As for the number of interfaces available:

  • QLS250 - 1 double-width 2x100g card 
  • QLS450 - 2 double-width 2x100g cards
  • QLS650 - 3 double-width 2x100g cards
  • QLS800 - 4 double-width 2x100g cards
  • 19100 with 4 single-width 2x100g cards

All the QLS boxes come with redundant SSDs, LOM, maxed RAM, and 5 VS license slots. The 19100 comes with only one SSD (SSDs are reliable enough this doesn't concern me much), no LOM, no VS license slots, and 1/3 as much RAM (64 GB) as the QLS450, QLS650, or QLS800 (all 192 GB). If you need full inspection, the 19200 and 29000-series have a higher performance ceiling than the QLS boxes.

 

ADMIN NOTE: price information removed

0 Kudos
Henrik_Noerr1
Advisor
‎2024-03-22 03:18 PM
In response to Bob_Zimmerman

Hey,

Yeah, I agree with you that bonding could be skipped. We are however a very siloed organization - hence bonding for facilitating switch upgrades could be a requirement - but maybe we can find some common ground - cost is always relevant.

I have just asked our CP Sales guy for pricing since NSP and non-NSP is very different - I do not understand the difference.

Thanks for your input.

/Henrik

0 Kudos
_Val_
Admin
Admin
‎2024-03-25 01:33 AM
In response to Henrik_Noerr1

NSP means "Non Standard Price", which is, in other words, a very special discount.

Anyhow, I have to remind all participants of this thread that we do not discuss the prices here. You should always do that with your partner or a local Check Point representative. The pricelist is not a public resource. Thanks for your understanding.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events