[cciesec2006]

I have a question regarding ClusterXL Active/Active in
Unicast mode with 30% on the Pivot node and 70% on the
other node. I have a pair of Sun X4200-M2 dual Opteron,
dual-core with 4GB RAM, runningin ClusterXL Active/Actve
Unicat Mode in NGx R65 2.6 kernel. This cluster is
managed by a CMA inside a Provider-1 NGx R65 with
HFA_02 SPLAT. I have about 200 rules in the security
policy with about 10k objects (network and services),
and that the Iperf rule is at the bottom of the
security policy, just above the clean-up rule.

Everything is connected to a Cisco Catalyst capable
of easily handling 10GB throughput without issues.

I have 6 Dell 2950-III servers outside of the
firewalls, 3 Iperf clients and 3 Iperf servers. I also
have 6 Dell 2850 servers inside the firewall, with 3
Iperf servers and 3 Iperf clients.

When I fired off 3 Iperf clients from outside the firewall
to connect to 3 Iperf servers inside the firewall, I
see that my throughput on the Pivot node is about 980Mbps
receiving and 600Mbps transmitting. That 600Mbps transmitting
is going from the Pivot node over to the other node in
the cluster. I can NOT go above 980Mpbs in Active/Active
Unicast mode.

Therefore I have the following question:

1- In order to go >1Gbps throughput, I have to use
Cluster Active/Active Multicast mode. Because in muticast
mode, there is NO pivot node, the traffics will hit all of the
firewall thus 50% load on each firewall is expected.
Is that correct?

2- In term of throughput alone, there is NO difference
between Active/Active Unicast mode and Active/Standby because
the "pivot" node has to handle the initial connection and then
forward it to the "non" pivot node. Is that correct?


Thanks guys