ClusterXL Active/Active multicast and Unicast mode

[cciesec2006]

I have a question regarding ClusterXL Active/Active in
Unicast mode with 30% on the Pivot node and 70% on the
other node. I have a pair of Sun X4200-M2 dual Opteron,
dual-core with 4GB RAM, runningin ClusterXL Active/Actve
Unicat Mode in NGx R65 2.6 kernel. This cluster is
managed by a CMA inside a Provider-1 NGx R65 with
HFA_02 SPLAT. I have about 200 rules in the security
policy with about 10k objects (network and services),
and that the Iperf rule is at the bottom of the
security policy, just above the clean-up rule.

Everything is connected to a Cisco Catalyst capable
of easily handling 10GB throughput without issues.

I have 6 Dell 2950-III servers outside of the
firewalls, 3 Iperf clients and 3 Iperf servers. I also
have 6 Dell 2850 servers inside the firewall, with 3
Iperf servers and 3 Iperf clients.

When I fired off 3 Iperf clients from outside the firewall
to connect to 3 Iperf servers inside the firewall, I
see that my throughput on the Pivot node is about 980Mbps
receiving and 600Mbps transmitting. That 600Mbps transmitting
is going from the Pivot node over to the other node in
the cluster. I can NOT go above 980Mpbs in Active/Active
Unicast mode.

Therefore I have the following question:

1- In order to go >1Gbps throughput, I have to use
Cluster Active/Active Multicast mode. Because in muticast
mode, there is NO pivot node, the traffics will hit all of the
firewall thus 50% load on each firewall is expected.
Is that correct?

2- In term of throughput alone, there is NO difference
between Active/Active Unicast mode and Active/Standby because
the "pivot" node has to handle the initial connection and then
forward it to the "non" pivot node. Is that correct?


Thanks guys

[chillyjim]

Please note the following is my simplistic understanding/translation from Developer (Smart guy) to SE (Not so smart me)...

Active/Active mode is not designed to get you better network throughput, it is designed to gain performance in a (FW's) CPU intensive environment.

With a 1 Gbps connection, you will not see better than a 1 Gbps (less overhead, etc) even in multicast mode (as all packets go to all members). Multicast is a little more effecent from a failover & packet processing standpoint than unicast but that's it.

If you want higher bandwidth, then you need higher speed links. If you do increase your link speed, say with 10Gps interfaces, remember to also increase the speed of the sync network, or at least tweak the sync delay and the like or you will saturate the sync network (This leading to the "Why am I only getting 12% of my bandwidth when using HTTP!?!? questions).

[cciesec2006]

Thank you Jim.