To avoid possible performance issues, you must manually assign SDPs to the cores, following these basic principles:
- Do not assign SDPs to the cores that are running firewall instances.
- Assign SDPs so they are distributed evenly across the cores on the same socket.
- The Check Point application correctly handles core assignments of firewall instances when you enable CoreXL. Blue Coat recommends that you do not change these settings manually.
Blue Coat recommends enabling four firewall instances on an eight-core APM-8650. When you enable CoreXL, the four cores on socket# 1 are selected to run the firewall instances. You should configure the four cores on socket# 0 to run the SDPs. If your traffic requires heavy firewall inspection, for example, IPS inspection with recommended protection, Blue Coat recommends that you enable six firewall instances. If you enable six firewall instances, you should configure cores CPU# 2 and 0 on socket# 0 for the SDPs.
To configure SDP core affinities
1. Determine which cores run firewall instances and which do not. To do this, open an rsh session on each VAP and run the following command.
<VAP_group_name>_<index> (test): ~# fw ctl affinity -l -r -v
CPU 0: sdp0 (irq 153)
CPU 1: sdp1 (irq 161)
fw_3
CPU 2: sdp2 (irq 177)
CPU 3: sdp3 (irq 201)
fw_2
CPU 4: sdp4 (irq 169)
CPU 5: sdp5 (irq 185)
fw_1
CPU 6: sdp6 (irq 193)
CPU 7: sdp7 (irq 145)
fw_0
All: eth1 (irq 90) eth0 (irq 98)
mpdaemon fwd cprid cpd
<VAP_group_name>_<index> (test): ~#
This example shows a sub-optimal configuration for four firewall instances. Notice that the cores CPU# 7, 5, 3, and 1 are each shared by a firewall instance and an SDP.
2. Run the following command and set affinities so that the SDPs are evenly distributed across only those cores that do not run firewall instances.
<VAP_group_name>_<index> (test): ~# sim affinity -s
eth1 [All] :
eth0 [All] :
sdp0 [0] : 0
sdp1 [1] : 0
sdp2 [2] : 2
sdp3 [3] : 2
sdp4 [0] : 4
sdp5 [1] : 4
sdp6 [2] : 6
sdp7 [3] : 6
<VAP_group_name>_<index> (test): ~#
3. Verify the configuration by running the following command.
<VAP_group_name>_<index> (test): ~# fw ctl affinity -l -r -v
CPU 0: sdp0 (irq 153) sdp1 (irq 161)
CPU 1: fw_3
CPU 2: sdp2 (irq 177) sdp3 (irq 201)
CPU 3: fw_2
CPU 4: sdp4 (irq 169) sdp5 (irq 185)
CPU 5: fw_1
CPU 6: sdp6 (irq 193) sdp7 (irq 145)
CPU 7: fw_0
All: eth1 (irq 90) eth0 (irq 98)
mpdaemon in.asessiond vpnd in.geod fwd cprid cpd
<VAP_group_name>_<index> (test): ~#
The result is a configuration that prevents an SDP and a firewall instance from sharing the same core. In this example, the configuration assigns the firewall instances to the socket# 1 cores CPU# 7, 5, 3, and 1 and assigns the SDPs to the socket# 0 cores CPU# 6, 4, 2, and 0.
Note: If you have enabled six firewall instances, assign the SDPs only to CPU# 0 and CPU# 2. For example:
<VAP_group_name>_<index> (test): ~# sim affinity -s
eth1 [All] :
eth0 [All] :
sdp0 : 0
sdp1 : 0
sdp2 : 0
sdp3 : 0
sdp4 : 2
sdp5 : 2
sdp6 : 2
sdp7 : 2
<VAP_group_name>_<index> (test): ~#
Verify the affinity settings.
<VAP_group_name>_<index> (test): ~# fw ctl affinity -l -r -v
CPU 0: sdp0 (irq 153) sdp1 (irq 161) sdp2 (irq 177) sdp3 (irq 201)
CPU 1: fw_3
CPU 2: sdp4 (irq 169) sdp5 (irq 185) sdp6 (irq 193) sdp7 (irq 145)
CPU 3: fw_2
CPU 4: fw_5
CPU 5: fw_1
CPU 6: fw_4
CPU 7: fw_0
All: eth1 (irq 90) eth0 (irq 98)
mpdaemon in.asessiond vpnd in.geod fwd cprid cpd
<VAP_group_name>_<index> (test): ~#
This results in a configuration that assigns the firewall instances to CPU# 7, 5, 3, 1, 6, and 4 and assigns the SDPs to CPU# 2 and 0.
Note: If you have a single-processor APM-8650 (four cores: CPU#s 0, 1, 2, and 3), Blue Coat recommends that you enable three firewall instances. Use the techniques described above to verify that the firewall instances run on the cores CPU# 1, 2, and 3, and then assign all SDPs to run on CPU# 0.
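The verification steps above can be automated over captured command output. The following Python is an added example, not part of the original procedure or of any vendor tool: it parses `fw ctl affinity -l -r -v` output and reports the cores that an SDP and a firewall instance share. The function names, and the reading of "evenly" as an equal SDP count on every core that carries SDPs, are assumptions of this example; it does not check socket placement.

```python
import re
from collections import defaultdict

# Constructed sample: the step 1 listing from this page, prompt lines removed.
SUBOPTIMAL = """\
CPU 0: sdp0 (irq 153)
CPU 1: sdp1 (irq 161)
fw_3
CPU 2: sdp2 (irq 177)
CPU 3: sdp3 (irq 201)
fw_2
CPU 4: sdp4 (irq 169)
CPU 5: sdp5 (irq 185)
fw_1
CPU 6: sdp6 (irq 193)
CPU 7: sdp7 (irq 145)
fw_0
All: eth1 (irq 90) eth0 (irq 98)
mpdaemon fwd cprid cpd
"""

def parse_affinity(text):
    """Return {cpu: {'sdp': [...], 'fw': [...]}} from `fw ctl affinity -l -r -v` output."""
    cores = defaultdict(lambda: {"sdp": [], "fw": []})
    current = None
    for line in map(str.strip, text.splitlines()):
        if not line or "~#" in line:      # blank line or shell prompt
            continue
        m = re.match(r"^CPU\s+(\d+):(.*)$", line)
        if m:
            current, line = int(m.group(1)), m.group(2)
        elif line.startswith("All:"):
            current = None                # unpinned interfaces and daemons follow
        if current is None:
            continue
        # Continuation lines (for example a bare "fw_3") belong to the last CPU seen.
        cores[current]["sdp"] += re.findall(r"\bsdp\d+\b", line)
        cores[current]["fw"] += re.findall(r"\bfw_\d+\b", line)
    return dict(cores)

def audit(text):
    """Flag cores shared by an SDP and a firewall instance; report SDP count per core."""
    cores = parse_affinity(text)
    shared = sorted(c for c, v in cores.items() if v["sdp"] and v["fw"])
    load = {c: len(v["sdp"]) for c, v in sorted(cores.items()) if v["sdp"]}
    even = len(set(load.values())) <= 1   # assumption: "evenly" means equal counts
    return {"shared": shared, "sdp_load": load, "ok": not shared and even}

if __name__ == "__main__":
    print(audit(SUBOPTIMAL))
```

An empty `shared` list together with `ok` set to true corresponds to the corrected listings shown in step 3 and in the six-instance note.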
Workaround
N/A