YUP - That's been my beef for several years now.
Hello,
Why does Mikrotik not produce routers on x86 processors?
Dual-core Skylake can handle 10Gbit/s aes-gcm ipsec tunnel (CCR cannot).
Hey IntrusDave,
Yea I will agree - I may be very flawed.
@TomjNorthIdaho Your test method is flawed on multicore systems because BW test works on single core.
CHR is OS for virtual machine.
My question about hardware router in 1U rackmount formfactor
I use virtual machines for everything (VMware ESXi). Management, maintenance, full-image-backup/full-image-recovery and tuning throughput is so much easier. And a big positive feature is that one physical computer can host many independent/isolated virtual machines with many different operating systems on many different networks at the same time and all virtual machines can share isolated HDD file systems on the same local physical hard disk or network NAS system(s).
CHR is OS for virtual machine.
My question about hardware router in 1U rackmount formfactor
As far as I understand, Mikrotik has taken the virtualization path on x86 to avoid dealing with the variety of hardware available on x86 platforms, integrating drivers and certifying hardware working with RouterOS.
Using virtualization, that task is taken by the hypervisor developer, keeping the RouterOS image as light as it has always been.
In the near future virtualization features are closing the gap on latency, making it perfect for networking implementations.
Taking this into account, I think the virtualization path is the smartest one to board x86 platforms.
I would like to know that too.
How fast is a Ryzen processor board compared to a Xeon processor board compared to a CHR for 10-Gig core routing/bridging/FireWall/NAT/Vlan/Simple-Queue functions - a high-throughput busy ISP environment with 1,000 or greater customers? It would be interesting to find out (cost of performance vs flat-out-performance).
North Idaho Tom Jones
what is the performance of Ryzen processor board with 10G port.
Yes, you are right. Our environment is like this: we have over 5,000 users connected to our network and we are checking everyone's IP with our firewall rules. We have an E5-2670 and our total CPU usage is 15% when we have over 4K active users connected to our network. Our only problem is that we experience 100% CPU load when we get attacked by one IP. So we need better CPU performance. Btw, we get spoof attacks with thousands of IPs but no CPU load, then it is strange that only one IP saturates all our network.
I would like to know that too.
How fast is a Ryzen processor board compared to a Xeon processor board compared to a CHR for 10-Gig core routing/bridging/FireWall/NAT/Vlan/Simple-Queue functions - a high-throughput busy ISP environment with 1,000 or greater customers? It would be interesting to find out (cost of performance vs flat-out-performance).
North Idaho Tom Jones
what is the performance of Ryzen processor board with 10G port.
Very hard to know.
Testing at 10 gigabit Ethernet speeds is very complicated and requires a lot of equipment.
Plus, simulating the real behavior of 1000's of customers makes this more difficult.
I think it is very difficult to predict the performance because each configuration and scenario is different.
Because of that, Mikrotik tests equipment using the same configs and scenario to establish a comparison; then you have to translate that comparison to your specific scenario known results.
With x86 hardware the comparison goes beyond CPU and RAM configuration, because the system parts selection can lead to bottlenecks, making the same CPU/RAM combination perform differently.
I think the main topic when assembling an x86 machine for networking is getting the NICs on the CPU's direct PCI Express lanes to avoid bottlenecks; don't use NICs connected to the motherboard chipset's oversubscribed and slower PCI Express lanes.
With your environment, a CCR will literally fall over. It simply cannot deal with BGP, Firewall Rules, and Traffic in high quantities. High traffic and maybe 100 firewall rules will be enough to stop the CCR dead in its tracks. It's definitely not the 'flagship' that MT is making it out to be.
We are thinking to buy CCR1072-1G-8S+
Question: With full BGP tables and maybe 100 firewall rules as you describe where a CCR simply cannot deal ... Is a CHR on a high end XEON system good enough to do the job in real life with decent throughput with throughput speeds greater than 1-gig? How well can a CHR handle 10-Gig interfaces with what kind of typical throughputs?
With your environment, a CCR will literally fall over. It simply cannot deal with BGP, Firewall Rules, and Traffic in high quantities. High traffic and maybe 100 firewall rules will be enough to stop the CCR dead in its tracks. It's definitely not the 'flagship' that MT is making it out to be.
We are thinking to buy CCR1072-1G-8S+
After how many thousands of US$, how many failed CCR devices (power suppliers), and how many days, weeks, months of bad performance, we are replacing all our CCRs with CHRs (against our wishes as x86 support is dying).
Arm cores are more power/heat friendly compared to intel CPUs. So something like Snapdragon 8cx would be beefy. But I guess MT does not sell that high numbers. So it is difficult to get a reasonable price ...
Mikrotik continues to ignore fast x86, and still releases routers on old slow cores from the past:
CCR2116 (Annapurna Labs Alpine AL73400, based on ARM Cortex-A72 from 2016)
CCR2004 (Annapurna Labs Alpine AL324, based on ARM Cortex-A57 from 2012)
CCR10XX (Tilera TILE-Gx from 2012)
RB5009 (Marvell Armada 7040, based on ARM Cortex-A72 from 2016)
RB4011, RB1100AHx4 (Annapurna Labs Alpine AL21400, based on ARM Cortex-A15 from 2011)
RB3011 (Qualcomm IPQ8064, based on Qualcomm Krait 300 from 2012)
For example, RB1100AHx4 can only do 530 Mbps with GRE+IPsec tunnel viewtopic.php?t=180597
Throughput >1G is no problem. CCRs do this with ease (just look at the tables at mikrotik.com). Problem with ROS is Routing Calculation (not routing itself) is done with one core. So one core is at 100% all the time. So your BGP learning speed depends on the performance of one core. Take a XEON with a single core speed >100 times of a CCR and you get this done without problems. But take care to get HW/Network adapters which work flawlessly with CHR. So if you can get a tested system from a vendor you might avoid problems.
Question: With full BGP tables and maybe 100 firewall rules as you describe where a CCR simply cannot deal ... Is a CHR on a high end XEON system good enough to do the job in real life with decent throughput with throughput speeds greater than 1-gig? How well can a CHR handle 10-Gig interfaces with what kind of typical throughputs?
With your environment, a CCR will literally fall over. It simply cannot deal with BGP, Firewall Rules, and Traffic in high quantities. High traffic and maybe 100 firewall rules will be enough to stop the CCR dead in its tracks. It's definitely not the 'flagship' that MT is making it out to be.
After how many thousands of US$, how many failed CCR devices (power suppliers), and how many days, weeks, months of bad performance, we are replacing all our CCRs with CHRs (against our wishes as x86 support is dying).
North Idaho Tom Jones
x86 also has power-efficient cores:
Arm cores are more power/heat friendly compared to intel CPUs.
ARM also has modern fast cores https://www.arm.com/products/silicon-ip ... eoverse-n2
Given that the whole PC industry is now starting to pivot to ARM, Mikrotik might have chosen the correct path.
raimondsp ; Re "... route packets at close to 10Gbps ..."
CCR2116 supports L3 Hardware Offloading. In some cases, it can route packets at close to 10Gbps speed while keeping the CPU idle.
re: "Passing all traffic through firewall filters" - you do realize that it only offloads fasttracked traffic? If you have a fasttrack rule for all traffic, only the initial packet of each connection needs to be handled by the firewall and everything fasttracked is hardware offloaded (until you hit the connection limit). Obviously bandwidth shaping is a different matter.
However, running at close to 10Gbps and passing all the traffic through firewall filters and NATting at that speed and customer bandwidth shaping is very CPU intensive and difficult or impossible to hardware offload.
only if they are modern ARM...
But for many ports, power consumption and form factor - ARM and network SoCs beats x86.
CCR2116 supports L3 Hardware Offloading. In some cases, it can route packets at close to 10Gbps speed while keeping the CPU idle.
the improvements in IPSEC performance are from ASIC Hardware Acceleration Built in the SOC
Single-core IPsec tunnels performance on Intel Xeon D-2798NX
even when using CPU (AES-NI), speed reaches almost 30Gbps.
the improvements in IPSEC performance are from ASIC Hardware Acceleration Built in the SOC
there is no General Purpose CORE, not ARM, not x86, not MIPS, no POWER PC, capable of this kind of IPSEC performance by their own