Rama Darbha
Level 1

The FWSM architecture is hierarchical, using four different components:

- Network Processor 1 (NP1)
- Network Processor 2 (NP2)
- Network Processor 3 (NP3)
- Control Point (CP, PC, CPU)

[Figure: NP Architecture]

NP1 and NP2 are the front line processors that are responsible for reading and analyzing all traffic initially. NP1 and NP2 are responsible for receiving packets from the switch across the backplane connection. NP1 and NP2 each have three 1 Gigabit connections which connect the FWSM to the backplane of the switch. Adding these all together gives you the 6 Gigabit link as identified in the FWSM datasheets.

NP1 and NP2 are responsible for the following functions:

- Perform per packet session lookup

- Maintain connection table

- Perform NAT/PAT

- TCP checks

- Handle reassembled IP packets (NP2 only)

- TCP sequence number shift for "randomization"

- Syn Cookies

NP3 sits above NP1 and NP2. NP3 is also known as the session manager and performs the following functions:

- Processes first packet in a flow

- ACL checks

- Translation creation

- Embryonic/establish connection counts

- TCP/UDP checksums

- Per-flow offset calculation for TCP sequence number "randomization"

- TCP intercept

- IP reassembly

NP3 talks to NP1 and NP2 as well as the CP. All packets that come to NP3 must first be processed by NP1 and NP2.

The Control Point sits above NP3, and similarly only sees traffic that is forwarded via NP3. The Control Point is primarily responsible for performing Layer 7 fixups, for example traffic that requires embedded NAT or command inspection. The CP is also responsible for handling traffic sourced from or destined to the FWSM itself:

- Syslogs

- AAA (Radius/TACACS+)

- URL filtering (Websense/N2H2)

- Management traffic (telnet/SSH/HTTPS/SNMP)

- Failover communications

- Routing protocols

- Most Layer 7 fixups/inspections

For further information on NP utilization, please refer to the following document:

https://supportforums.cisco.com/docs/DOC-12712

Comments
golly_wog
Level 1

Hello radarbha

Very nice doc, it has got me thinking...


If NP3 is the session mgmt path and processes the 1st packet in the flow, then why does traffic go through NP1 or NP2 and back to NP3? This just seems a bit backwards to me..

Thanks - your posts are amazingly helpful.

Thank you

Rama Darbha
Level 1

Golly Wog, thanks for your kind words. The roles of the NPs are always a question that comes up in TAC cases.

To answer your question, this is how the FWSM architecture is designed. Since only NP1 and NP2 have connections to the switch, all inbound packets always hit these two NPs first. Now, depending on what this packet is, it may be forwarded to NP3 and the CP for further processing.

When a packet comes into the FWSM and is initially received by NP1 or NP2, we check to see if it matches an existing connection. If it does not match an existing connection and is a SYN packet, we send it up to NP3 for the "session creation" functionality. This is how we define the phrase "first packet in the flow".

This packet is sent to NP3 for the ACL check. Once this TCP SYN packet passes the ACL check, NP3 is responsible for creating the connection and pushing it down to NP1 and NP2. This connection is programmed into the NP1 and NP2 hardware so that all subsequent traffic can match this connection to effectively be "fast switched". Now, every subsequent packet matching this flow will only be passed through NP1 or NP2. A packet matches this flow if it matches the "quintuple" which we define as: source IP, destination IP, source port, destination port, protocol.
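The packet path described in the document above (NP1/NP2 fast path, NP3 session manager, CP for to-the-box traffic) and in this reply (quintuple lookup, SYN punted to NP3 for the ACL check, connection pushed down to NP1/NP2) can be modelled as a small pipeline. The following is an added illustration written for this page, not FWSM code or anything from Cisco; the class names, the ACL rule shape, the sample addresses and the rule that a non-SYN packet with no connection entry is dropped are all assumptions made for the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed model of the FWSM processing hierarchy described on this page.
# Assumed structure: NP1/NP2 (per-packet session lookup) -> NP3 (first packet
# of a flow, ACL check, connection creation) -> CP (traffic to/from the box).

# The "quintuple": source IP, destination IP, source port, destination port, protocol
Quintuple = Tuple[str, str, int, int, str]


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False

    def quintuple(self) -> Quintuple:
        return (self.src, self.dst, self.sport, self.dport, self.proto)

    def reverse_quintuple(self) -> Quintuple:
        return (self.dst, self.src, self.dport, self.sport, self.proto)


@dataclass
class AclRule:
    action: str            # "permit" or "deny"
    dst: Optional[str]     # None matches any destination
    dport: Optional[int]   # None matches any destination port


@dataclass
class SessionManager:
    """NP3 in the model: ACL check on the first packet of a flow."""
    acl: List[AclRule]
    embryonic: int = 0     # SYN seen, handshake not completed (count only)

    def permit(self, pkt: Packet) -> bool:
        for rule in self.acl:
            if rule.dst in (None, pkt.dst) and rule.dport in (None, pkt.dport):
                return rule.action == "permit"
        return False       # assumption: implicit deny when no rule matches


@dataclass
class FrontLineProcessor:
    """NP1/NP2 in the model: connection table keyed on the quintuple."""
    np3: SessionManager
    self_addresses: Set[str]               # addresses owned by the FWSM itself
    conn_table: Dict[Quintuple, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def receive(self, pkt: Packet) -> str:
        key = pkt.quintuple()
        # Traffic sourced from or destined to the FWSM itself is handled by the CP.
        if pkt.dst in self.self_addresses or pkt.src in self.self_addresses:
            self.log.append(f"CP: to-the-box packet {key}")
            return "cp"
        # Fast path: an existing connection is handled entirely on NP1/NP2.
        if key in self.conn_table:
            self.log.append(f"NP1/NP2: fast-switched {key}")
            return "fast-path"
        # First packet of a flow: a SYN with no connection goes up to NP3.
        if pkt.proto == "tcp" and pkt.syn:
            if self.np3.permit(pkt):
                self.np3.embryonic += 1
                # NP3 creates the connection and pushes it down to NP1/NP2.
                # Assumption: the return direction is programmed too, so the
                # SYN-ACK from the server also matches the connection.
                self.conn_table[key] = "embryonic"
                self.conn_table[pkt.reverse_quintuple()] = "embryonic"
                self.log.append(f"NP3: ACL permit, connection programmed {key}")
                return "session-created"
            self.log.append(f"NP3: ACL deny {key}")
            return "acl-deny"
        # Assumption (not stated on the page): a non-SYN packet that matches
        # no connection fails the TCP checks on NP1/NP2 and is dropped.
        self.log.append(f"NP1/NP2: no connection, non-SYN dropped {key}")
        return "drop-no-conn"


def run_demo() -> List[str]:
    """Feed constructed sample packets through the model and return verdicts."""
    np3 = SessionManager(acl=[AclRule("permit", "10.0.0.5", 443),
                              AclRule("deny", None, None)])
    npx = FrontLineProcessor(np3=np3, self_addresses={"10.0.0.1"})
    syn = Packet("192.0.2.10", "10.0.0.5", 40000, 443, syn=True)
    data = Packet("192.0.2.10", "10.0.0.5", 40000, 443)
    reply = Packet("10.0.0.5", "192.0.2.10", 443, 40000)            # return direction
    stray = Packet("192.0.2.10", "10.0.0.5", 40001, 443)            # non-SYN, no connection
    blocked = Packet("192.0.2.10", "10.0.0.6", 40002, 22, syn=True)  # denied by the ACL
    mgmt = Packet("192.0.2.10", "10.0.0.1", 40003, 22, syn=True)     # to the FWSM itself
    return [npx.receive(p) for p in (syn, data, reply, stray, blocked, mgmt)]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Running `run_demo()` shows the point of the reply: only the first SYN of a permitted flow touches NP3, every later packet in either direction is matched on NP1/NP2 by its quintuple, and traffic addressed to the firewall itself bypasses the session path for the CP.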

golly_wog
Level 1

Hi radarbha

Thank you for replying.

My next Q is, is there any way to troubleshoot traffic going to the NPs? Similar to an elam trace on a 65k? It's something that I would hope would help me understand the internals of the FWSM.


Many thanks again

Rama Darbha
Level 1

Golly Wog,

Currently there is no functionality or features to see the communication between or through the various NPs.

Shobith K
Level 1

Great document. Valuable information!

Just one question: enabling sysopt np completion-unit, will it impact my FWSM? I have around 7 contexts and I am getting lots of out-of-order packets and slowness while transferring huge files. Can anyone help? Is it recommended?

Thanks,

Shobith

Rama Darbha
Level 1

The sysopt np completion-unit is outlined in more detail on these two following links:

https://supportforums.cisco.com/docs/DOC-12668#TCP_Reordering

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/command/reference/s8.html#wp2759328

Those should answer your questions in greater detail.

Great information Rama. Can someone help me to understand the following also?

1. Can you share how NP1 & NP2 are shared among multiple contexts? Do all contexts share the same NP?

2. Where is the Classifier located?

Thanks.

Rama Darbha
Level 1

1. NP1 and NP2 are not virtualized in multiple context mode. Multiple context mode only virtualizes the FWSM software environment, not the hardware environment. All the NPs are shared across all contexts based on the traffic processing needs of the context.

2. The classifier is a software based solution that helps the FWSM allocate a packet to the correct context. Here is a document that better explains this:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/contxt_f.html#wp1124172
