Matlu
Advisor

BW Warranty by CP

Hello everyone.

Is there any way to 'guarantee' that your FW CP is not responsible for 'rate limiting' on network traffic?

I have a scenario something like this:

PC --- SWL3 --- FW CP --- MPLS Router

Between the FW CP and the connections to SWL3 and the Router, we have Bond interfaces (2 ports of 10GB, which logically add up to 20GB).

So, maybe via the CLI, is there a way to guarantee that the FW is not limiting the download speed when, for example, downloading a heavy file (+12GB) from beyond the MPLS Router?

How could we check or defend the FW against accusations of slowness when they try to download files from the PC and perceive this data flow as slow?

Thanks for your comments.

0 Kudos
8 Replies
the_rock
Legend

You can limit the rate in the rule itself. If you right click under action, then more and choose limit.

Andy

0 Kudos
Matlu
Advisor

Hey bro.
I don't want to limit the BW of the Bond, on the contrary, what I want is that there is no restriction of consumption and to be able to demonstrate that the CP is not limiting the traffic.
Cheers

0 Kudos
the_rock
Legend

K, gotcha! In that case, no need to modify what I mentioned in the rule, but I'm pretty sure CP would not be limiting anything like that by default.

Andy

0 Kudos
G_W_Albrecht
Legend

It does - as I wrote above, one connection gets its share, but usually, any single connection will not use full bandwidth, only multiple connections will. Got only a bit different nowadays...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend

Do you use the QoS blade? If not, nothing should be limiting the traffic on purpose - but surely, your 20GB are distributed to the current connections, making sure that one connection does not take all resources. So it can be that only adding up some connections gives you the 20GB throughput.

Second issue is TP (AV, IPS, AM, TE, TX...) that will slow down traffic it has to inspect; this is a trade-off between security and speed, as always.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Bob_Zimmerman
Authority

Note that most bond modes (active/backup, xor, and all modes of 802.3ad/LACP) will only send traffic for one connection down one link. The max possible throughput for a single connection is then the throughput of a single interface, not of the whole bond.

You can only reliably test if a firewall is the limit on a given connection's throughput while the connection is live. Check cpview.cpu.top-connections and cpview.cpu.spikes.

If the firewall is the limit, either Threat Prevention or HTTPS Inspection is usually the reason. Add exceptions.

0 Kudos
Matlu
Advisor

Hello,

Does it mean that despite having a bond (LACP) where logically we would have 20GB of BW, really for a particular connection, I will only consume 10GB?

When the PC tries to download a file that “weighs” more than 11GB, does it mean that this data flow will really use only one interface of the bond, and only 10GB of BW will be available?

Is this the logic?

Is it possible to see at CLI level some command that shows us how much BW an interface “allows”?

0 Kudos
Bob_Zimmerman
Authority
@Matlu wrote:

Hello,

Does it mean that despite having a bond (LACP) where logically we would have 20GB of BW, really for a particular connection, I will only consume 10GB?

When the PC tries to download a file that “weighs” more than 11GB, does it mean that this data flow will really use only one interface of the bond, and only 10GB of BW will be available?

Is this the logic?

Exactly. In most bond modes, a single connection can only use one interface. Multiple connections can use the full potential performance of the bond. A single Ethernet frame can only be sent in whole, so all of the bond modes have a strategy for picking which link should be used to send it. Active/backup sends all frames on one link until that link goes down, so you only get the throughput of one link. XOR picks a link based on either the destination MAC or the destination IP+port, so all frames to a given destination on a given port will always use the same link. 802.3ad/LACP does some additional link state monitoring, but picks the transmit link in the same way XOR does, so all frames to a given destination on a given port will always use the same link.

Round-robin can allow a single connection to use all the available throughput. You don't always get optimal balancing (sometimes you're sending smaller frames for other connections, after all), so it's best to assume each additional interface will give you an extra 50% of its throughput at most. That is, two 10g interfaces in a round-robin bond should let one connection reliably use 15g of throughput. Three should let one connection get 20g.

Is it possible to see at CLI level some command that shows us how much BW an interface “allows”?


'ethtool <interface>' for one of the bond members will tell you the current speed of that interface. Repeat for all interfaces in the bond (they are almost always the same, but it's easy to check to be sure), and the lowest value is the maximum throughput you can expect for any single connection.

0 Kudos
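The link-selection behaviour Bob describes (layer2 hashing on MACs, layer3+4 hashing on IP+port, and the "lowest member speed is the per-connection ceiling" check with ethtool) as an added example; this is not code from the thread or from Check Point. It approximates the two xmit_hash_policy formulas documented in the Linux kernel's bonding.txt, with slave = hash modulo member count, and the ethtool output is constructed.

```python
"""Model of how a Linux bond picks the transmit link for each frame.

Approximation of the layer2 and layer3+4 xmit_hash_policy formulas from
the kernel's bonding.txt (assumption: real kernels may fold differently).
"""
import re


def layer2_slave(src_mac: str, dst_mac: str, ethertype: int, n_slaves: int) -> int:
    """layer2: last byte of src MAC XOR last byte of dst MAC XOR ethertype, mod N.
    Between a FW bond and its next-hop router the MACs never change, so
    every flow lands on the same member regardless of IPs or ports."""
    s = int(src_mac.split(":")[-1], 16)
    d = int(dst_mac.split(":")[-1], 16)
    return (s ^ d ^ ethertype) % n_slaves


def _ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def layer34_slave(src_ip: str, dst_ip: str, sport: int, dport: int, n_slaves: int) -> int:
    """layer3+4: ports, XOR both addresses, fold high bits down, mod N.
    Every packet of one TCP download hashes identically -> one member."""
    h = (sport << 16) | dport
    h ^= _ip_to_int(src_ip) ^ _ip_to_int(dst_ip)
    h ^= h >> 16
    h ^= h >> 8
    return h % n_slaves


def members_used(flows, n_slaves: int = 2) -> set:
    """Set of bond members hit by a list of (src_ip, dst_ip, sport, dport) flows."""
    return {layer34_slave(*f, n_slaves) for f in flows}


# Per-connection ceiling check: lowest negotiated speed among bond members.
_SPEED = re.compile(r"^\s*Speed:\s*(\d+)Mb/s", re.M)


def min_member_speed_mbps(ethtool_outputs) -> int:
    """Parse 'Speed: NMb/s' from each member's ethtool output; return the minimum.
    A member reporting 'Speed: Unknown!' (link down) raises instead of being skipped."""
    speeds = []
    for out in ethtool_outputs:
        m = _SPEED.search(out)
        if not m:
            raise ValueError("no usable Speed line in ethtool output")
        speeds.append(int(m.group(1)))
    return min(speeds)


# Constructed ethtool output for two bond members (one negotiated down to 1G).
ETH1 = "Settings for eth1:\n\tSpeed: 10000Mb/s\n\tDuplex: Full\n\tLink detected: yes\n"
ETH2 = "Settings for eth2:\n\tSpeed: 1000Mb/s\n\tDuplex: Full\n\tLink detected: yes\n"
```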