HP-UX IPFilter Version 15.01 Administrator's Guide

E Performance Guidelines
This appendix provides performance guidelines for the use of HP-UX IPFilter.
You must take operating environment limits into account when you configure HP-UX IPFilter.
To provide flexibility, HP-UX does not enforce maximum configuration limits. However, you
must take care not to overburden HP-UX IPFilter systems, or unpredictable consequences may
result.
This appendix contains the following sections:
“System Configuration”
“Rule Loading”
“Rule Configuration”
“Traffic”
“Performance Monitoring”
System Configuration
The following are four suggestions for HP-UX system configuration for optimal performance:
Figure E-1 Processing packets through a system

Table E-1 Processing Packets through a System

     Packets from the Internet                        Packets to the Internet
1    Packets enter the system                    5    Packets enter the system
2    Processed by inbound IPFilter processing    6    Processed by inbound IPFilter processing
3    Processed by outbound IPFilter processing   7    Processed by outbound IPFilter processing
4    Packets leave the system                    8    Packets leave the system
     Packets are processed twice (2 and 3)            Packets are processed twice (6 and 7)

1. On an intermediate system, disable the interface on the intranet side. By default, each
packet that passes through an intermediate system is processed redundantly, as shown in
Figure E-1. Disabling the intranet interface (ipf -D lan2 in this example) causes each packet
to be processed only once in each direction (2 and 7). Do not disable any interface on an end
system.
2. If your system has multiple CPUs and LAN cards, make sure that traffic is divided evenly
between the CPUs. You can use Interrupt migration and PerfView utilities to determine whether
traffic is spread evenly between CPUs.