Effect of Filtering on Router Performance

Source: Internet
Author: User

To what extent does a given function affect performance? This is a question that many people are interested in. Testers want to follow basic performance tests with tests of this kind, so that their test reports come closer to actual use. The testing lab of "Network World" has made many attempts at this in previous tests. This article describes a test method used in a public comparison of low-end routers in the United States, which mainly measured the impact of the data packet filtering function on router performance.

Routers on the market today generally support data packet filtering. The packet filtering function is generally used for the following tasks:

Block address spoofing at the company's network edge.

Block forged routes.

Block harmful applications.

Track usage: How many times has a user accessed a certain network? How much bandwidth does an application consume? Most router filters can be set up to answer these questions by recording the number of times each filter is invoked.

Of course, users do not deploy a router as a replacement for a firewall. However, the testers believe that the packet filtering function is very important for a router. Therefore, the test focuses on the impact of the packet filtering function on router performance.

In this test, each manufacturer used a pair of routers of the same model, connected by cable through two T-1 interfaces. This product configuration (a router with two T-1 lines and two Ethernet interfaces) can be considered the most common setup for an enterprise router.

To determine the impact of the filtering function on the performance of such devices, the testers started with a baseline test (with the packet filtering function never enabled), and then added more and more packet filtering conditions before testing again.

In all tests, the testers connected SmartBits to the two Ethernet interfaces on each router and connected the T-1 interfaces using a WAN crossover cable. In the baseline test, they sent data streams according to the two-way partial mesh structure described in RFC 2889, and measured throughput and average and maximum latency over 60 seconds. They repeated this test using 64-, 256-, and 1518-byte Ethernet frames carrying UDP/IP packets.

In the filter function tests, they offered the same data streams as in the baseline test, but configured the router under test with different packet filtering rules. The test was repeated with 8, 16, 64, and 256 packet filtering rules. They chose these different numbers of filters to check how the routers cope with a growing number of rules. For the tests, they selected common filtering conditions, including source and destination IP addresses, protocols, and TCP and UDP port numbers. The testers asked each vendor to make the final packet filtering rule the one that allows the test data flow to pass, forcing the router to traverse the entire packet filtering table. The vendors also enabled the logging function, so the testers could see how many packets "hit" each rule.
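An added illustration (not part of the original article) of why the permitting rule was placed last: in a simple linear first-match filter model, every test packet is compared against every rule, so per-packet work grows with the table size, and the per-rule hit counters confirm that only the last rule matched. The addresses, rule contents, and function names are constructed for this example, and linear evaluation is an assumption about a software-based router.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                     # "tcp", "udp" or "any"
    dport: Optional[int]           # None matches any destination port
    hits: int = 0                  # per-rule counter, like the logging in the test

    def matches(self, pkt):
        return (pkt["src"] in self.src and pkt["dst"] in self.dst
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))

def build_table(n):
    """n-1 deny rules that never match the test flow, then one permit rule."""
    rules = [Rule("deny", ipaddress.ip_network(f"198.51.100.{i}/32"),
                  ipaddress.ip_network("0.0.0.0/0"), "tcp", 1024 + i)
             for i in range(n - 1)]
    rules.append(Rule("permit", ipaddress.ip_network("10.0.1.0/24"),
                      ipaddress.ip_network("10.0.2.0/24"), "udp", None))
    return rules

def filter_packet(rules, pkt):
    """First-match evaluation; returns (action, number of rules examined)."""
    for examined, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            rule.hits += 1
            return rule.action, examined
    return "deny", len(rules)      # implicit deny when nothing matches

# Constructed test flow: UDP between the two Ethernet-side subnets.
TEST_PKT = {"src": ipaddress.ip_address("10.0.1.10"),
            "dst": ipaddress.ip_address("10.0.2.10"),
            "proto": "udp", "dport": 7}

def run(sizes=(8, 16, 64, 256), packets=1000):
    """Replay the test flow against each table size used in the article."""
    results = {}
    for n in sizes:
        rules = build_table(n)
        examined = sum(filter_packet(rules, TEST_PKT)[1] for _ in range(packets))
        results[n] = {"examined_per_packet": examined / packets,
                      "hits": [r.hits for r in rules]}
    return results

if __name__ == "__main__":
    for n, r in run().items():
        print(n, "rules:", r["examined_per_packet"], "comparisons per packet;",
              "last-rule hits =", r["hits"][-1])
```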

According to the test results, throughput for some ASIC-based access routers changed little, but devices using a traditional CPU-and-software architecture were heavily affected.

The testers paid more attention to the latency results than to the throughput results. The results show not only that the performance of products using a general-purpose CPU and software degrades after the packet filtering function is enabled, but also that the performance of some ASIC-based access routers is affected once the feature is enabled.

The testers believe that latency is a more important indicator than throughput. Low and consistent latency is important not only for voice and video applications, but also for applications that care about response time, such as TCP data streams. Because TCP requires timely acknowledgment of data, delay may cause retransmission or session loss. In addition, this test records both the average latency and the maximum latency of data packets: although the latency of most packets on a device is close to the average, a very small number of packets with very large latency can still have a great impact on some sensitive applications.

One other interesting finding in this test is that one vendor's product has a very large buffer. When throughput was tested at a rate exceeding the line speed, the router continued forwarding data packets for 17 seconds after the test was stopped. This resulted in an absurdly high latency measurement.

