Yet another place you will encounter the need to be careful about performance is with virtual routers, e.g. the Cisco CSRv, which I happen to like for “real routing in the cloud,” albeit with a performance cap.
The CSRv is formally known as the CSR 1000v, but most people are confused or put off by the “1000v.” That leads them to think it’s somehow tied to the virtual switch, or if they are among the large 1000v-loathing community, turns them off. Could we please call it the CSRv instead – far better branding?
Virtual device performance depends on the hardware, or virtual slice of the hardware, provided to the router virtual machine. Cisco has published specs. Performance varies with Cloud Provider due to the CPU and other capacity they give the CSRv virtual machine.
If the CSRv specs say that CSRv on AWS doesn’t have enough throughput, you might consider scale-out using multiple virtual routers, each handling a portion of the total traffic. This scales to some extent.
Network function virtualization (NFV) is a similar setting; virtual routers (firewalls, etc.) running on a server or multi-purpose platform you own. The Cisco 5000 “Enterprise Network Compute System” is one such platform. Cisco’s marketing makes it fairly clear that you’re trading performance for the flexibility and agility of NFV. Well, agile as long as you have a pool of licenses or rapid way to acquire them to spin up virtual devices with.
One concern with virtual devices is ensuring they get sufficient capacity of shared resources (CPU, RAM, internal bus, NIC I/O). If they’re sharing limited resources with an occasionally performance hogging VM, you may get intermittent performance problems. Fun to troubleshoot! One of life’s trade-offs.
Does it add up?
It also became clear that for routers and firewalls, the numbers don’t add up. I’ll go on to explain that, and no, I’m not accusing vendors of anything. My intent here is to alert readers to something they need to pay attention to.
Let’s pick on the Cisco NGFW 2140 model, although I’ve noticed the same thing with Palo Alto firewalls. The top performance number in the NGFW datasheet is 20 Gbps, but only 8.5 with firewall + AVC. That’s the maximum forwarding throughput.
Coming back to the 2130 and 2140 NGFW’s, they come with “integrated I/O” consisting of “12 x 10M/100M/1GBASE-T Ethernet interfaces (RJ-45), 4 x 10 Gigabit (SFP+) Ethernet interfaces.”
Do the math. The sum of the input wire speeds (ignoring fine details) is 12 + 40 = 52 Gbps. The performance specs mean you’d best not be pumping a full 10 Gbps of firewall + AVC in even one of those interfaces.
What I want to caution about here is assuming that a given router or firewall can do wire speed on all the interfaces the vendor put in the box.
That leaves me wondering, why all the interfaces? My guess is that some people like to physically segment (legacy / strict interpretation of PCI or government requirements?). I personally have been leaning towards “firewall on a stick” trunking to a switch, since it saves having to manually re-cable anything. But that’s a matter of taste, and local security rules. Clear “inside” and “outside” interfaces also work, and are easily understood.
Is there an intent to deceive? I’m not a vendor mind-reader, nor am I about to state an opinion on that topic. Granting the benefit of the doubt, it may just be about customer expectations and adding ports being relatively inexpensive.
Right-sizing your router or firewall
In conclusion, it is advisable to wade through those datasheet performance numbers and apply a grain of salt (or a larger amount of salt), depending on your trust in your vendor’s numbers. If you aren’t comfortable doing that, get some help with it.
I’d also advise documenting what your requirements are, what features you need, and what kind of performance you need. Then, check out the math – not using interfaces that’ll put you over the specified performance.
It might also be wise to run your thoughts by a couple of outside parties, either savvy peers, vendors, and even a savvy consultant. They might catch a math error or a “gotcha” you missed. Better to do so before placing the order than to get it wrong. Most consultants, VAR’s, and Cisco SE’s don’t want you buying the wrong box and then being unhappy with it.
I’ll note NetCraftsmen is a consulting firm that happens to also be a VAR, both for Cisco and other product lines. We try to prioritize services and looking out for the customer’s interests.
This article orginally appeared on the NetCraftsmen blog.
Subsea cable alternatives can provide a level of comfort for those concerned about disruptions. Realistically, they will continue to play a small, but critical role in the short term.
Maintaining existing network infrastructures often incurs huge technical debt before newer technologies are adopted over time.
Amid ongoing regional uncertainties, telecom infrastructure in the Middle East has expand to include terrestrial low-latency network infrastructure, which offers resilience and agility in navigating political complexities without relying solely on undersea networks.
