This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Help

Who rated this post

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Timothy_Hall
Legend Legend
Legend
‎2025-06-17 05:26 AM

To answer your questions:

1) Automatic interface affinity is not used any more on interfaces that support Multi-Queue.  Prior to the use of Multi-Queue, every 60 seconds or so automatic interface affinity would measure interface utilization, and allocate SND resources to the busiest interfaces.  If there were enough SND cores available, the busiest interfaces would end up with their very own SND core and not have to share it with other interfaces.  Multi-Queue is enabled by default on all interfaces and replaces automatic interface affinity, and also allows multiple SND cores to service a busy interface.

The Dynamic Dispatcher is implemented on the SND Cores, but it is not directly related to automatic interface affinity or Multi-Queue.  The Dynamic Dispatcher monitors the load of the Firewall Worker Instances and directs new connections (and all their subsequent packets) to the least-busy worker core.  

2) The job of the Dynamic Dispatcher is to keep the Firewall Worker Cores evenly balanced (and it does consider the existing load on the Firewall Worker Cores to do this), while Multi-Queue attempts to keep the load balanced among the SND cores by balancing traffic loads.  I'm not sure if Multi-Queue really considers SND CPU load in its balancing of traffic; it is just trying to keep the raw traffic load balanced among the SND cores to my knowledge.

3) You're conflating the Dynamic Dispatcher and Multi-Queue with this question, they are functions both implemented by the SND cores but serve very different functions.  (Firewall Worker Core balancing vs. SND Core balancing)

4) Interfaces are not affined directly to the Firewall Worker Cores, interfaces are handled/affined by Multi-Queue by the SND cores.  If Dynamic Balancing/Split is in use, an interface that was being serviced by an SND core could suddenly not be if that core is reassigned to be a new Firewall Worker Instance.  The remaining SND cores will pick up the slack for that interface in that instance. 

In a static split scenario the number of SND cores cannot change, and each interface's load is distributed among all available SND cores by Multi-Queue, subject to the queue limits of some driver and NIC hardware.  For example the igb I211 NIC only supports a maximum two queues, so even if there are 8 SND Cores available only 2 of them can service that I211 interface at any one time.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

(2)
Who rated this post