Setting Affinities for Interfaces on the Host Security Appliance

Check which processing CPU cores run the CoreXL Firewall instances and which CPU cores handle the traffic from interfaces. Run:

fw ctl affinity -l -r

Allocate the remaining CPU cores to run the CoreXL SNDs. To do so, configure the affinity of interfaces to the applicable CPU cores. For more information, see Allocation of Processing CPU Cores.

Note - To set the affinity of VLAN interfaces, use their physical interfaces.

Configuring affinities of interfaces when SecureXL is enabled

If SecureXL is enabled (this is the default), configure the affinities of interfaces with the SecureXL sim affinity command.

The default SIM Affinity mode for interfaces is Automatic. In Automatic mode, SecureXL automatically distributes the affinities of interfaces among the CPU cores that do not run CoreXL Firewall instances and for which no affinities of user space processes are configured.

Configuring affinities of interfaces when SecureXL is disabled

If SecureXL is disabled, the Security Gateway loads the affinities of interfaces during boot from the CoreXL configuration file $FWDIR/conf/fwaffinity.conf. In this configuration file, lines that begin with the letter "i" define the affinities of interfaces. If SecureXL is enabled, the Security Gateway ignores these lines.

If you allocate only one CPU core to the CoreXL SND, it is best to have that CPU core selected automatically. To do so, leave the default automatic interface affinity and do not configure explicit affinities of interfaces to CPU cores.

Make sure the $FWDIR/conf/fwaffinity.conf file contains this line:

i default auto

In addition, make sure that the $FWDIR/conf/fwaffinity.conf file does not contain other lines that begin with "i", so that no explicit affinities of interfaces are defined. This ensures that Security Gateway directs all traffic to the remaining CPU cores.

If you allocate more than one processing CPU core to the CoreXL SND, you need to configure affinities of interfaces explicitly to the remaining CPU cores. If you have multiple interfaces, you need to decide which interfaces to affine to which CPU cores. Try to achieve a balance of expected traffic between the CPU cores. You can later examine the traffic balance with the top command.

To configure affinities of interfaces explicitly when SecureXL is disabled:

  1. Configure the affinity for each interface in the $FWDIR/conf/fwaffinity.conf file.

    For each interface, there must be a separate line that begins with the letter "i". Each of these lines must have this syntax:

    i <Name of Interface> <CPU ID>

    For example, if you want the traffic from eth0 and eth1 to go to CPU core #0, and the traffic from eth2 to go to CPU core #1, add these lines:

    i eth0 0

    i eth1 0

    i eth2 1

    Alternatively, you can define affinities of interfaces explicitly for only one processing CPU core, and define another CPU core as the default affinity for the remaining interfaces. To do so, use this syntax:

    i default <CPU ID>

    For example, if you want the traffic from eth2 to go to CPU core #1, and the traffic from all other interfaces to go to CPU core #0, add these lines:

    i eth2 1

    i default 0

  2. Apply the new configuration. Run:

    [Expert@MyGW:0]# $FWDIR/scripts/fwaffinity_apply
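
A check that can be run on the "i" lines before they are applied, as an added example that is not Check Point's own tooling: it flags lines that do not match the `i <Name of Interface> <CPU ID>` syntax, conflicting assignments for one interface, VLAN interface names, and CPU IDs beyond an optional core count. The function names `check_iface_affinity` and `sample_conf`, the treatment of "#" as a comment marker, and the `<physical>.<VLAN ID>` naming of VLAN interfaces are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the interface ("i") lines of a fwaffinity.conf-style file.
# Usage: check_iface_affinity FILE [CPU_COUNT]   (FILE "-" reads standard input)
# Prints one finding per line; exit status is 0 when clean, 1 otherwise.
check_iface_affinity() {
    awk -v ncpu="${2:-0}" '
    function bad(msg) { printf "line %d: %s\n", NR, msg; errs++ }
    /^[ \t]*(#|$)/ { next }   # assumption: "#" starts a comment line
    $1 != "i"      { next }   # only interface lines are audited here
    NF != 3 { bad("expected: i <Name of Interface> <CPU ID>"); next }
    {
        name = $2; cpu = $3
        if (cpu != "auto" && cpu !~ /^[0-9]+$/) {
            bad("CPU ID \"" cpu "\" is neither a number nor auto"); next
        }
        if (ncpu > 0 && cpu != "auto" && cpu + 0 >= ncpu + 0)
            bad("CPU ID " cpu " is outside 0.." (ncpu - 1))
        # assumption: VLAN interfaces are named <physical>.<VLAN ID>
        if (name ~ /\./)
            bad(name " is a VLAN interface; use its physical interface")
        if ((name in seen) && seen[name] != cpu)
            bad(name " is already assigned to " seen[name])
        seen[name] = cpu
    }
    END { exit (errs > 0) }' "${1:--}"
}

# Constructed sample: the page's eth0/eth1/eth2 lines plus four deliberate mistakes.
sample_conf() {
    cat <<'EOF'
# constructed sample, not a real gateway configuration
i eth0 0
i eth1 0
i eth2 1
i eth2 0
i eth3.100 1
i eth4 9
i eth5
i default 0
EOF
}

sample_conf | check_iface_affinity - 4 || true
```

On a gateway, the file argument would be $FWDIR/conf/fwaffinity.conf and the second argument the number of CPU cores on the host.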