2.4.1. Customizing the fast path configuration¶
The fast path is the Turbo IPsec component in charge of packet processing.
By default, the fast path:
- runs on all the logical cores of the machine except the first one, which is reserved for Linux,
- does not take control of any physical ports.
For specific needs, the fast path configuration can be customized through the configuration wizard.
Fast path configuration customization allows to change:
- Fast path capabilities
- Ethernet NICs managed by fast path
- The cores running fast path
- Crypto acceleration
Stopping Turbo IPsec services¶
Before customizing the configuration, login as root (password 6windos) and make sure that Turbo IPsec services are stopped.
# systemctl stop turbo
Using the fast path configuration wizard¶
To customize the fast path using the interactive wizard:
# fast-path.sh config -i Fast path configuration ======================= 1 - Select fast path ports and polling cores 2 - Select a hardware crypto accelerator 3 - Advanced configuration 4 - Advanced plugin configuration 5 - Display configuration S - Save configuration and exit Q - Quit Enter selection [S]:
1 - Select fast path ports and polling cores takes care of the
mandatory fast path configuration, which comprises:
- Core allocation
- The fast path needs dedicated cores that are isolated from other Linux tasks.
- Physical port assignation
- The fast path must have full control over a network port to provide acceleration on this port. At fast path start, a DPVI will replace each Linux interface associated to a fast path port. The new interface has the same name as the old interface. The configuration that was done on the old interface is lost (IP addresses, MTU, routes, etc).
- Core to port mapping
The fast path cores’ main task is to check if packets are available on a port, and process these packets. In most use cases, good performance is obtained with the default configuration: all cores poll all ports of the same socket.
The ports assigned to the fast path using the wizard must also be assigned in the CLI, as described in the configuring the fast path section.
2 - Select a hardware crypto accelerator allows to select
the crypto acceleration type.
- Crypto acceleration selection
By default, the fastest software method is used:
- Intel Multi-Buffer for software crypto acceleration using AES-NI if available
- Or generic software crypto implementation
The following hardware crypto engine may also be activated in the menu:
- Intel Coleto Creek for hardware crypto acceleration using Intel Communications Chipset 895x Series, 8925 or 8926 (Coleto Creek)
3 - Advanced configuration, the following parameters can be
- fast path memory allocation (
The fast path needs dedicated memory. The fast path dedicated memory is allocated in hugepages.
A hugepage is a page that addresses more memory than the usual 4KB. Accessing a hugepage is more efficient than accessing a regular memory page. Its default size is 2MB.
- Mbuf pool preallocation
- The network packets manipulated by the fast path are stored in buffers named
mbufs. A mbuf pool is allocated at fast path start.
S - Save configuration and exit writes the configuration file to
Once the fast path configuration is complete, reboot to take your modifications into account and start Turbo IPsec services: