Barracuda CloudGen Firewall

Best Practice - Performance Tuning on KVM Hypervisors

KVM offers several virtualization technologies and settings that can improve the performance of virtual networks and hosts. You can increase the throughput of your virtual Barracuda CloudGen Firewall by improving the virtual machine's performance and optimizing the virtual and physical network infrastructure surrounding your Barracuda CloudGen Firewall Vx.

You can tune the following settings:

Disk I/O

KVM offers very good disk I/O performance. To get the highest possible throughput, use the raw, non-sparse KVM disk image included in the Barracuda Networks KVM image zip file.

Processor Affinities / CPU Pinning

On KVM hosts with a NUMA architecture, setting processor affinities (CPU pinning) substantially improves the performance of the Barracuda CloudGen Firewall Vx. The virtual machine should be pinned to physical cores residing in the same NUMA node so that memory allocations are always local and do not have to use the cross-node memory transports.

On non-NUMA systems, explicit placement across the host's sockets, cores, and hyperthreads may be more efficient.

For example, for a Barracuda CloudGen Firewall with 4 CPU cores running on a KVM host server with two Intel Xeon E5-2660 (6 physical cores per CPU, 12 threads), use CPU cores 2,4,6,8. These cores are all members of the same NUMA node and reside on the same physical socket. This will differ if you are using a different processor model or vendor.
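
The selection rule above can be derived from the host topology instead of being worked out by hand. The following Python sketch is an added example, not Barracuda tooling: it parses `lscpu -p=CPU,CORE,SOCKET,NODE` output, picks one thread per physical core on a single NUMA node, and renders the matching libvirt pinning elements. The sample topology is constructed for an assumed two-socket host with interleaved CPU numbering, and leaving CPU 0 to the hypervisor is an assumption of the example.

```python
from collections import defaultdict

# Constructed sample of `lscpu -p=CPU,CORE,SOCKET,NODE` output for an assumed
# host: 2 sockets x 6 cores x 2 threads, even CPUs on node 0, odd on node 1.
SAMPLE_LSCPU = "# CPU,Core,Socket,Node\n" + "\n".join(
    f"{c},{(c % 12) // 2 + 6 * (c % 2)},{c % 2},{c % 2}" for c in range(24))


def parse_topology(text):
    """Return {node: {core: [cpu, ...]}} from lscpu parseable output."""
    nodes = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cpu, core, _socket, node = line.strip().split(",")
        # An empty node column (non-NUMA host) is treated as node 0 here.
        nodes[int(node or 0)][int(core)].append(int(cpu))
    return nodes


def pick_pinning(text, vcpus, reserved=frozenset({0})):
    """Pick one thread per physical core, all cores on one NUMA node.

    `reserved` lists host CPUs to leave alone (assumption: CPU 0 stays with
    the hypervisor); a core is skipped if any of its threads is reserved.
    """
    for node, cores in sorted(parse_topology(text).items()):
        free = [min(cpus) for _, cpus in sorted(cores.items())
                if not reserved.intersection(cpus)]
        if len(free) >= vcpus:
            return node, free[:vcpus]
    raise ValueError(f"no single NUMA node has {vcpus} free physical cores")


def libvirt_xml(node, cpus):
    """Render libvirt domain XML elements for the chosen placement."""
    pins = "\n".join(f"    <vcpupin vcpu='{v}' cpuset='{c}'/>"
                     for v, c in enumerate(cpus))
    return (f"  <vcpu placement='static'>{len(cpus)}</vcpu>\n"
            f"  <cputune>\n{pins}\n  </cputune>\n"
            f"  <numatune>\n    <memory mode='strict' nodeset='{node}'/>\n"
            f"  </numatune>")


if __name__ == "__main__":
    node, cpus = pick_pinning(SAMPLE_LSCPU, 4)
    print(f"NUMA node {node}, host CPUs {cpus}")
    print(libvirt_xml(node, cpus))
```

On a real host, pass the actual `lscpu -p=CPU,CORE,SOCKET,NODE` output to `pick_pinning` and merge the printed elements into the domain definition with `virsh edit`.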

Manual MAC Addresses

Use manually assigned MAC addresses for your virtual network adapters. The license of the Barracuda CloudGen Firewall Vx is bound to the MAC address of the first network interface. If you do not manually assign a MAC address, the KVM hypervisor will generate one for you when first booting the virtual machine. These automatically generated MAC addresses may change if you move the virtual machine to another host, rendering your license invalid. 

SR-IOV and PCI Passthrough

Your CPU and motherboard must support Intel VT-d or AMD I/O Virtualization Technology to enable direct assignment of devices in KVM.

SR-IOV is a virtualization technology that is beneficial for workloads with very high packet rates or very low latency requirements. When using SR-IOV, multiple guest machines can simultaneously and directly access the hardware device on the hypervisor host.

PCI Passthrough enables exclusive direct access to a physical network card for the Barracuda CloudGen Firewall Vx. When compared to SR-IOV, only small performance increases can be gained by using PCI Passthrough.