SoFunction
Updated on 2025-04-12

Effects of using filtering on router performance

To what extent can the filtering function affect router performance? This question is attracting growing interest. Testers hope that, once basic performance testing is done, filtering tests of this kind can also be run so that test reports come closer to actual usage. The "Network World" Evaluation Laboratory has made many such attempts in previous tests. The article translated here describes the test method used in a public comparative test of low-end routers conducted by Network World in the United States, which focused on measuring the impact of the packet filtering function on router performance.

Routers on the market today generally support packet filtering, which is typically used for the following tasks:

● Block address spoofing at the edge of the corporate network.

● Block forged routing information.

● Block harmful applications.

● Track usage: How many times does a user visit a network? How much bandwidth does an application consume? The filters of most routers can be set up to answer these questions from the number of times each filter is hit.

Of course, users do not use routers as a replacement for firewalls. However, the testers consider packet filtering a very important router function, so the test focuses on its impact on the router's performance.

In this test, each manufacturer supplied a pair of routers of the same model, connected to each other through two T-1 interfaces using adapter cables. This product configuration (a router equipped with two T-1 lines and two Ethernet interfaces) can be considered the most common setup for enterprise routers.

To determine the performance impact of filtering on such devices, the testers first ran the tests with packet filtering turned off (the baseline test), then repeated them with an increasing number of packet filtering rules.

In all test cases, the testers connected SmartBits to the two Ethernet interfaces on each router and connected the T-1 interfaces using a WAN crossover cable. In the baseline tests, they configured the SmartBits to send data streams in the bidirectional partial mesh pattern described in RFC 2889. Throughput over 60 seconds, along with average and maximum delay, was measured. They repeated this test with 64-, 256- and 1518-byte Ethernet frames carrying UDP/IP packets.

In the filtering test, they offered the same data stream as in the baseline test, but configured the routers under test with different numbers of packet filtering rules. The test was repeated with 8, 16, 64 and 256 packet filtering rules. They chose different numbers of filters to see how the router copes as the number of rules it has to check increases. The rules used common filtering conditions, including source and destination IP addresses, protocols, and TCP and UDP port numbers. The testers asked each manufacturer to make the last packet filtering rule the one that permits the test data flow, forcing the router to traverse the entire packet filtering table. The manufacturers also enabled logging, so the testers could see how many packets hit each rule.
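The rule-table design described above can be modeled in a few lines; this is an added example, not code from the original article or from Network World. It models a software first-match filter only, and the `Rule`, `build_table`, `evaluate` and `run` names, the address ranges and the test packet are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                   # "udp", "tcp" or "any"
    dport: Optional[int]         # None matches any destination port
    hits: int = 0                # per-rule counter, as with logging enabled

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))

def build_table(n_rules):
    """n_rules - 1 deny rules that never match the test stream, then one
    final permit for it, so every test packet walks the whole table."""
    any_net = ipaddress.ip_network("0.0.0.0/0")
    table = [Rule("deny", ipaddress.ip_network(f"203.0.113.{i % 256}/32"),
                  any_net, "tcp", 1024 + i) for i in range(n_rules - 1)]
    table.append(Rule("permit", ipaddress.ip_network("198.18.0.0/15"),
                      ipaddress.ip_network("198.18.0.0/15"), "udp", None))
    return table

def evaluate(table, pkt):
    """First-match evaluation; returns (action, rules_checked)."""
    for checked, rule in enumerate(table, start=1):
        if rule.matches(pkt):
            rule.hits += 1
            return rule.action, checked
    return "deny", len(table)    # implicit deny when nothing matches

def run(n_rules, n_packets=1000):
    table = build_table(n_rules)
    # Constructed test stream: UDP between two benchmark-range hosts.
    pkt = {"src": "198.18.0.10", "dst": "198.19.0.10", "proto": "udp", "dport": 7}
    checked = sum(evaluate(table, pkt)[1] for _ in range(n_packets))
    return checked / n_packets, [r.hits for r in table]

if __name__ == "__main__":
    for n in (8, 16, 64, 256):
        per_pkt, hits = run(n)
        print(f"{n:3d} rules: {per_pkt:.0f} checks/packet, last-rule hits={hits[-1]}")
```

The per-rule hit counters play the role of the logging the testers asked for: all hits landing on the final rule confirms that every packet traversed the full table.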

Judging from the test results, the throughput of some ASIC-based access routers changed little with filtering enabled, while devices built on traditional CPU and software architectures were affected relatively heavily.

The testers place more weight on the delay results than on the throughput results. The delay results show that products using a general-purpose CPU and software lose performance once packet filtering is turned on, and also that the performance of some ASIC-based access routers is affected when the function is enabled.

The testers believe that latency is a more important indicator than throughput. Low and consistent delay is critical not only for voice and video applications but also for applications that care about response time, such as TCP data flows. Because TCP requires timely acknowledgment of data, delays can lead to retransmission or session loss. In addition, this test records two values, the average delay and the maximum delay of packets: although the delay of most packets is close to the average, a very small number of packets with very large delays can still have a great impact on some sensitive applications.

One more interesting finding in this test is that one manufacturer's product has a very large buffer. During the throughput test, the measured throughput exceeded line rate: after the test was stopped, the router continued to forward packets for 17 seconds. This produced absurdly high delay measurements.

Article entry: csh     Editor in charge: csh