HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3

E Performance guidelines
E.1 System configuration
The following are four suggestions for HP-UX system configuration for optimal performance:
Figure 8 Processing packets through a system
Table 4 Processing packets through a system
Packets from the internet:
  1. Packets enter the system
  2. Processed by inbound IPFilter processing
  3. Processed by outbound IPFilter processing
  4. Packets leave the system
  Packets are processed twice (steps 2 and 3).
Packets to the internet:
  5. Packets enter the system
  6. Processed by inbound IPFilter processing
  7. Processed by outbound IPFilter processing
  8. Packets leave the system
  Packets are processed twice (steps 6 and 7).
1. On an intermediate system, disable the interface on the intranet side. By default, each
packet is processed twice as it passes through an intermediate system (once inbound on the
interface it arrives on and once outbound on the interface it leaves by), as shown in Figure 8
(page 118). By disabling the intranet interface, using ipf -D lan2 in this example, each
packet is processed only once in each direction: the inbound pass (2) for packets from the
internet and the outbound pass (7) for packets to the internet. Because rules on the disabled
interface are no longer evaluated, the complete policy for both directions must be expressed
in the rules on the remaining interface (lan1 in this example). Do not disable any interface on
an end system.
2. If your system has multiple CPUs and LAN cards, be sure traffic is divided evenly between the
CPUs. Interrupt migration and PerfView utilities can be used to determine that traffic is spread
evenly between CPUs.
3. Dedicate a CPU to each LAN card, if possible. Avoid configuring one CPU to share an
application and a LAN, especially if the application is data or computationally intensive. Use
the HP-UX Processor Set (PSET) utility to separate applications and LAN processing.
4. If you are configuring an intermediate system, dedicate that system to HP-UX IPFilter. Do not
share the system with other standalone applications.
E.2 Rule loading
When you load a large number of new rules to a ruleset, the system must search existing rulesets
for duplicate rules. This slows down the loading process.
For example, if there is no group rule and there are 5000 rules on the system, the system searches
through all 5000 rules to be sure there is no duplication before adding each new rule.
HP-UX IPFilter searches for duplicate rules by group. To speed the search process when loading
rules, divide the rules into groups. See Section 3.7 (page 27) for information on rule groups. HP
recommends configuring a maximum of 5000 rules per group and 5000 groups per system.
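The following is an added example, not part of the HP-UX IPFilter guide. It builds a small grouped ruleset using the standard IPFilter "head N" / "group N" syntax, then lints it before loading: counts rules per group against the 5000-per-group recommendation and reports textually duplicate rules, which is what the loader would otherwise have to discover one rule at a time. The interface names (lan1 on the internet side, lan2 on the intranet side), the addresses, the output path and the one deliberately duplicated rule are constructed for the example; the load command in the final comment assumes the HP-UX configuration path /etc/opt/ipf/ipf.conf.

```shell
#!/bin/sh
# Added example (not from the HP-UX IPFilter guide): build a grouped ipf
# ruleset and lint it before loading. lan1/lan2, the addresses and the
# file path are assumptions made for the example.

RULES=${RULES:-/tmp/ipf.conf.example}

# Write a constructed ruleset. Each "head N" rule opens a group; every rule
# that carries "group N" belongs to it, so duplicate searching on load is
# confined to that group instead of the whole ruleset. One rule in group 100
# is duplicated on purpose so the lint below has something to find.
write_ruleset() {
    cat > "$RULES" <<'EOF'
# Group heads: one per interface and direction.
block in  on lan1 all head 100
block out on lan1 all head 200
# Group 100: inbound from the internet on lan1
pass in quick on lan1 proto tcp from any to 192.0.2.10 port = 443 flags S keep state group 100
pass in quick on lan1 proto tcp from any to 192.0.2.10 port = 80 flags S keep state group 100
pass in quick on lan1 proto tcp from any to 192.0.2.10 port = 80 flags S keep state group 100
# Group 200: outbound to the internet on lan1
pass out quick on lan1 proto tcp from 10.0.0.0/8 to any port = 443 flags S keep state group 200
pass out quick on lan1 proto udp from 10.0.0.0/8 to any port = 53 keep state group 200
EOF
}

# Print "<group> <count>" for each group, sorted; rules with no "group"
# keyword (the heads themselves) are counted under "none".
rules_per_group() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         { g = "none"
           for (i = 1; i < NF; i++) if ($i == "group") g = $(i + 1)
           n[g]++ }
         END { for (g in n) print g, n[g] }' "$RULES" | sort
}

# Exit 1 if any group holds more than $1 rules (default: the 5000 the
# guide recommends as a per-group maximum).
check_group_size() {
    rules_per_group | awk -v max="${1:-5000}" '$2 > max { bad = 1 } END { exit bad }'
}

# Print every rule line that is textually identical to an earlier one.
# Because the "group N" token is part of the line, an identical line is
# necessarily a duplicate within the same group.
find_duplicates() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         { if (seen[$0]++ == 1) print }' "$RULES"
}

# Operator workflow: generate, lint, then load with ipf. The load step is
# only shown here, since it needs a running HP-UX IPFilter.
#   write_ruleset && check_group_size && [ -z "$(find_duplicates)" ] \
#       && ipf -Fa -f /etc/opt/ipf/ipf.conf     # path assumed
```

Removing the duplicate and re-running the lint before `ipf -Fa -f` keeps the per-group duplicate search short; if a group approaches the 5000-rule recommendation, split it with another "head N" rule rather than letting it grow.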
118 Performance guidelines