Performance

Intro

Performance data is always a key criteria for selection of network solutions. But performance data is easily misconstrued, making vendor comparisons challenging, if not impossible. While Netgate is not in a position to vet other vendors' claims, we try to be 100% transparent with our performance test results. Packet traffic conditions, hardware vintage, software release, and test methodology can independently affect test results let alone en masse. So, we invite readers to remember the following when viewing TNSR® software test data:

  • Not all packets are created equal
  • Not all CPUs are created equal
  • The packet processing “tax” on the CPU varies dramatically by application
  • Flow type (unidirectional vs. bidirectional) yields different results
  • The level of encryption and availability of hardware assist matters
  • Software-based packet processing technology is evolving rapidly
  • Performance evolves with product software releases

Last, it should be understood that these numbers were generated in a controlled test laboratory and, therefore, cannot be guaranteed for "in the wild" environments.

 

Out test results are packaged and shared as follows:

  • Non-encrypted traffic performance for TNSR running on commercial off-the-shelf (COTS) hardware (see below)
  • Encrypted traffic performance for TNSR running on commercial off-the-shelf (COTS) hardware (see below)
  • Performance data for Netgate appliances running TNSR is located here

 

Non-Encrypted Traffic Test Setup

Using a Dell R730 server, performance tests were run on three different platform configurations:

    • Bare Metal Integration (BMI)
    • KVM
    • VMware

Exact test specifications are shown here:

Software Release TNSR 20.02.2-2
Platforms - Bare Metal Integration (BMI)
- KVM
- VMware
Hardware Dell R730 Server
- (2) 8-Core Intel E5-2620v4 2.1 Ghz
- 512 Gb DDR4 - 2133Mhz
- (2) Mellanox  Connect X-5 EN NIC Cards

 

 

 

 

 

 

Non-Encrypted Traffic Test Results

Throughput results for L3 Forwarding, Firewall (forwarding with 10k ACLs), and Forwarding with 1:1 NAT are shown for each platform below:

    IPERF3 TRAFFIC 1 IMIX TRAFFIC 2

PLATFORM: Bare Metal 
Worker Cores: 12 3   

L3 Forwarding  162.57 Gbps
13.92 Mpps
137.82 Gbps
47.26 Mpps
Firewall  162.02 Gbps
13.87 Mpps
59.73 Gbps
20.48 Mpps
NAT  147.66 Gbps
12.64 Mpps
25.67 Gbps
8.80 Mpp
PLATFORM: KVM 
SR-IOV  
Worker Cores: 12 3  
L3 Forwarding  167.24 Gbps
14.32 Mpps
119.66 Gbps
41.04 Mpps
Firewall 165.39 Gbps
14.16 Mpps
64.69 Gbps
18.76 Mpps
NAT  144.44 Gbps
12.37 Mpps
23.34 Gbps
8.01 Mpps
PLATFORM: VMware
SR-IOV  
Worker Cores: 10 3  
L3 Forwarding  168.55 Gbps
14.30 Mpps
113.28 Gbps
38.85 Mpps
Firewall  164.95 Gbps
14.12 Mpps
47.53 Gbps
16.30 Mpps
NAT  132.50 Gbps
11.34 Mpps
23.40 Gbps
8.03 Mpps

1 iPerf3 measures the maximum throughput using 1460 byte payloads and TCP framing.
2 IMIX (Internet Mix) simulates typical Internet traffic with sets of 7 (40) byte packets, (4) 576 byte packets, 1 (1500) byte packets, plus Ethernet framing overhead. When measuring equipment performance using an IMIX of packets the performance is assumed to resemble what can be seen in "real-world" conditions.
3 a Worker is a CPU core assigned to packet processing operations

 

 

Encrypted Traffic (IPsec) Test Setup

Using a Dell R730 server, IPsec VPN tests were performed using a single CPU core with five different types of traffic - using both AES-GCM-128 with CPU-integrated AES-NI, as well as AES-GCM-128 with Quick Assist Technology (QAT).

Exact test specifications are shown here:

Software Release TNSR 19.02
Platform Bare Metal Integration (BMI)
Hardware Dell R730 Server
- Single Socket
- Intel Xeon Gold 6130 CPU @ 2.10Ghz with integrated AES-NI1
  (fam: 06, model: 55, stepping: 04)
- (1) Mellanox ConnectX-5 NIC Card
- (1) Netgate CPIC-8955 Cryptographic Accelerator Card with QuickAssist Technology (QAT)2

 

 

 

 

 

 

 

Encrypted Traffic (IPsec) Test Results

    IPsec IPsec
Size Flow Type Single CPU Core
AES-GCM-128

AES-NI
Single CPU Core
AES-GCM-128

QAT
64 Unidirectional 1.71 Gbps
3.33 Mpps
1.92 Gbps
3.75 Mpps
Bidirectional 1.36 Gbps
2.65 Mpps
1.85 Gbps
3.61 Mpps
256 Unidirectional 4.96 Gbps
2.42 Mpps
6.9 Gbps
3.37 Mpps
Bidirectional 4.84 Gbps
2.36 Mpps
6.38 Gbps
3.11 Mpps
512 Unidirectional 7.88 Gbps
1.92 Mpps
14.07 Gbps
3.43 Mpps
Bidirectional 7.44 Gbps
1.82 Mpps
13.67 Gbps
3.34 Mpps
1500 Unidirectional 12.69 Gbps
1.05 Mpps
33.08 Gbps
2.75 Mpps
Bidirectional 12.66 Gbps
1.05 Mpps
32.74 Gbps
2.37 Mpps
IMIX Unidirectional 6.24 Gbps
2.17 Mpps
9.22 Gbps
3.2 Mpps
Bidirectional 6.14 Gbps
2.13 Mpps
8.86 Gbps
3.07 Mpps

1AES-NI instruction set extensions are used to optimize encryption and decryption algorithms.
2 Intel® QuickAssist Technology (Intel® QAT) accelerates and compresses cryptographic workloads by offloading the data to hardware capable of optimizing those functions.

 

Stay up to date

There’s always something new with open-source, secure networking and TNSR software. Keep up with us by visiting our blog, social communities and newsletter.

Netgate
Blog

Get a view into how open source is disrupting secure networking and changing the technology landscape.

Netgate Blog

Netgate Newsletter

Discover the latest announcements, product information, and industry news with our monthly newsletter.

 

Netgate Newsletter

Social Communities

Twitter Circle Logo LinkedIn circle logo Reddit Circle Logo Facebook circle logo instagram circle logo