Forum Discussion
VB_95896
Nov 20, 2008 | Nimbostratus
Hi,
Thanks a lot for your answer.
Actually, it works without using MAC masquerading addresses. But I might test your scenario with 2 different MAC masq @ (the interest being to avoid gratuitous ARP replies and subsequent latencies).
I am more concerned with the risks of an Active-Active configuration.
1) Monitoring of the load seems difficult. It first requires a definition of the MRL{conf} = "Maximum Required Load under a given configuration". MRL{conf} should then be monitored to be kept under 50%: before any configuration change, one would have to test (computation is never reliable enough...) MRL{new_conf} to make sure it is below 50%. First problem: the test could crash the unit. Second problem: certain configuration changes can't be forecast: (as far as I understood) an unknown change in a web application could cause the related security policy to increase its needs. Hence the requirement for a - possibly big - security margin...
2) A test showed that a config sync can produce a high load: in a scenario with 2 HTTP virtual servers, 2 active security policies (one blocking, the other not), and absolutely no traffic, a config sync took around 15 minutes and consumed up to 80% of CPU0 (a confirmation of your point). Knowing that before the sync the single difference between the 2 units was only 1 basic security policy, what should one expect with more advanced configurations?
How to interpret this test? Does it mean that, even in an active-standby configuration, one has to keep the load under 60% of the total CPU (CPU0 + CPU1)?
More generally, I wish I could answer the following question:
How does the processing power of a Big-IP ASM (PF 4100, VER 9.4.5, HF2) translate in terms of:
- max number of virtual servers/pools/nodes
- max number of active/standby security policies (nb of rollback versions, nb of active attack signatures)
- max number and scope of web applications (objects/parameters)
- ...
Any info is welcome,
Thanks,
VB