Performance Tuning

Allocation of Processing CPU Cores

The CoreXL software architecture includes the Secure Network Distributor (SND). The SND is responsible for these:

The association of a particular interface with a specific processing CPU core is called the interface's affinity with that CPU core. This affinity causes the interface's traffic to be directed to that CPU core and the CoreXL SND to run on that CPU core.

The association of a particular CoreXL Firewall instance with a specific CPU core is called the CoreXL Firewall instance's affinity with that CPU core.

The association of a particular user space process with a specific CPU core is called the process's affinity with that CPU core.

The default affinity setting for all interfaces is Automatic. Automatic affinity means that if SecureXL is enabled, the affinity for each interface is reset periodically and balanced between the available CPU cores. If SecureXL is disabled, the default affinities of all interfaces are with one available CPU core. In both cases, all processing CPU cores that run a CoreXL Firewall instance, or that are defined as the affinity for another user space process, are considered unavailable, and the affinity for interfaces is not set to those CPU cores.

In some cases, which we discuss in the following sections, it may be advisable to change the distribution of CoreXL Firewall instances, the CoreXL SND, and other user space processes, between the processing CPU cores. To do so, you change the affinities of different NICs (interfaces) or user space processes. However, to ensure CoreXL efficiency, traffic from all interfaces must be directed to CPU cores that do not run CoreXL Firewall instances. Therefore, if you change affinities of interfaces or other user space processes, you need to set the number of CoreXL Firewall instances accordingly. You also must make sure that the CoreXL Firewall instances run on other processing CPU cores.

Under normal circumstances, we do not recommend that the CoreXL SND and a CoreXL Firewall instance share the same CPU core. However, the CoreXL SND and a CoreXL Firewall instance must share a CPU core when the Security Gateway runs on a computer with exactly two CPU cores.
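The following added example (not Check Point code or output) checks a manually planned affinity layout against the rules above: interface (SND) cores must not also run a CoreXL Firewall instance, except on a machine with exactly two CPU cores, and cores taken by Firewall instances or other user space processes are unavailable to Automatic interface affinity. The plan layout, the function names, and the interface, instance and process labels are assumptions made for illustration.

```python
# Added example: the plan layout and all names are hypothetical, not Check Point output.

def available_cores(total_cores, fw_instances, processes):
    """Cores that Automatic interface affinity may use: cores running a
    CoreXL Firewall instance, or set as the affinity of another user
    space process, are unavailable."""
    taken = set(fw_instances.values())
    for cores in processes.values():
        taken.update(cores)
    return sorted(set(range(total_cores)) - taken)


def check_plan(total_cores, interfaces, fw_instances, processes):
    """Return a list of findings for a manually planned affinity layout."""
    findings = []
    all_assigned = (list(interfaces.values()) + list(fw_instances.values())
                    + [c for cores in processes.values() for c in cores])
    for core in sorted(set(all_assigned)):
        if not 0 <= core < total_cores:
            findings.append(f"core {core} does not exist on a {total_cores}-core machine")
    # Index Firewall instances by core so each interface can be checked against them.
    fw_by_core = {}
    for inst, core in fw_instances.items():
        fw_by_core.setdefault(core, []).append(inst)
    for iface, core in sorted(interfaces.items()):
        if core in fw_by_core:
            shared = ", ".join(sorted(fw_by_core[core]))
            if total_cores == 2:
                # Sharing is unavoidable with exactly two CPU cores.
                findings.append(f"note: {iface} (SND) shares core {core} with {shared}; "
                                "expected on exactly two cores")
            else:
                findings.append(f"conflict: {iface} (SND) shares core {core} with {shared}")
    return findings


# Constructed sample: 4 cores, eth1 wrongly placed on a Firewall instance core.
INTERFACES = {"eth0": 0, "eth1": 2}
FW_INSTANCES = {"fw_0": 3, "fw_1": 2}
PROCESSES = {"logd": [1]}  # hypothetical user space process name

if __name__ == "__main__":
    for line in check_plan(4, INTERFACES, FW_INSTANCES, PROCESSES):
        print(line)
    print("available for Automatic:", available_cores(4, FW_INSTANCES, PROCESSES))
```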