This document describes why a single flow cannot consume the entire rated throughput of a Cisco Unified Threat Defense (UTD)
The result of any bandwidth speed testing website, or the output of any bandwidth measurement tool (for example, iperf) might
not exhibit the advertised throughput rating of a Cisco UTD deployment. Similarly, the transfer of a very large file over
any transport protocol does not demonstrate the advertised throughput rating of a Cisco UTD deployment. It occurs because
the UTD service does not use a single network flow in order to determine its maximum throughput.
Process Traffic by Snort
The underlying detection technology of the UTD service is Snort. A Cisco UTD deployment (router model and UTD resource profile)
is rated for a specific rating based on the total throughput of all flows that goes through the UTD container. It is expected
that the routers with UTD are deployed on a Corporate network, usually near the border edge and works with thousands of connections.
Depending on the UTD resource profile used, UTD uses load balancing of traffic to a number of different Snort processes. Ideally,
the system load balances traffic evenly across all of the Snort processes. Snort needs to be able to provide proper contextual
analysis for Next-Generation Firewall (NGFW), Intrusion Prevention System (IPS) and Advanced Malware Protection (AMP) inspection.
In order to ensure Snort is most effective, all the traffic from a single flow is load balanced to one Snort instance. If
all the traffic from a single flow was not balanced to a single Snort instance, the system could be evaded and the traffic
would spilt in such a way that a Snort rule might be less likely to match or pieces of a file are not contiguous for AMP inspection.
Therefore, the load balancing algorithm is based on the connection information that can uniquely identify a given connection.
Traffic is load balanced to Snort using a 3-tuple algorithm. The datapoints for this algorithm are:
Any traffic with the same source, destination, and VRF are load balanced to the same instance of Snort.
The total throughput of a UTD deployment is measured based on the aggregate throughput of all the Snort instances that work
to their fullest potential. Industry standard practices in order to measure the throughput are for multiple HTTP connections
with various object sizes. For example, the Network Security Services (NSS) NGFW test methodology measures total throughput
of the device with 44k, 21k, 10k, 4.4k, and 1.7k objects. These translate to a range of average packet sizes from around 1k
bytes to 128 bytes because of the other packets involved in the HTTP connection.
Different types of traffic, network protocols, sizes of the packets along with differences in the overall security policy
can all impact the observed throughput of the device.
Third Party Tool Test Result
When you test with any speed testing website, or any bandwidth measurement tool, such as, iperf, one large single stream TCP
flow is generated. This type of large TCP flow is called an Elephant Flow. An Elephant Flow is a single session, relatively
long running network connection that consumes a large or disproportionate amount of bandwidth. This type of flow is assigned
to one Snort instance, therefore the test result displays the throughput of single Snort instance, not the aggregate throughput
rating of the UTD deployment.
Configure a unified security policy so that trusted traffic can be exempted from UTD inspection to avoid any latency during
data transfer. For more information about configuring a unified security policy, see Unified Security Policy.