IDSM-2 Throughput

Similar Messages

• IDSM-2 Throughput in Bypass Mode?

  HI,i cisco documentation idsm-2 has 500Mbps throughput in inline mode and 600Mbps throughput in passive.so suppose that our idam-2 is in inline mode,then if we put our idsm-2 in Bypass mode,how much traffic idsm-2 can handle without any inspection?(throughput?)
  thanks.

  The IDSM-2 would only be supported at the same 500Mbps for both inspection and ByPass mode.
  There is not a separate rating for ByPass mode.
  With that said, the IDSM-2 will do much higher than 500Mbps while in ByPass mode (assuming nothing else happening on the sensor).
  But I am not sure how much more since we don't generally test performance while in ByPass mode.
  You would not want to plan your network on the ByPass performance capability.
  The other reason is that when the sensor goes into ByPass there be something else going on in the sensor.
  In the case of a Signature Update there will be signature processing consuming much of the CPU and memory so ByPass will not perform at its top performance.

• IDSM-2 load sharing across two chassis

  We are currently putting together a solution that I have come in halfway through just after some assistance in regards to setting up the IDS. We have 2 * 6509 chassis, 2 * IDSM-2 modules.
  Scenario 1 - Both IDSM-2 Modules in primary chassis, can load balance traffic to IDS. Primary Chassis failure = no ids.
  Scenario 2 - IDSM-2 Module in each chassis, active/standby scenario. Can basically only use one IDSM modules throughput. Chassis failure still have IDS.
  At the moment I am leaning towards the first scenario and no IDS if we have a chassis failure. Just wondering if it's possible to load balance in scenario 2.

  Hi,
  I guess it depends on your topology. If your 6509 switches are used as layer 3 switches using HSRP then even if only one 6509 is used as HSRP active for all VLANs and you have two IDSMs in there, you will miss all the traffic that is going through your HSRP standby chassis. For example, outbound traffic of a VLAN may be seen by HSRP Primary's IDSMs, but return traffic could be comming in both directions (HSRP Primary and Secondary 6509s). If you have one IDSM on each 6509s, then you are already using both of them. Please note that IDSM2's throughput is 600 Mbps.
  Thank you.
  Edward

• IDSM-2, inline and Passive mode in same Module?

  Hi,i have a question that it can be strange.in our network we have implemented idsm-2 module in our 6513 Switch in inline mode.without any discution about network design suppose that our network is going beyond IDSM-2 Throughput and then we want to use IDSM-2 for some traffic in Passive mode insted of inline to reduce drop probability in inline mode.i mean before this state we were using idsm-2 data port 1(in vlan pair mode),now can we use data port 2 for this purpus(capturing some traffic on data port 2 for passive operation)? in other word idsm-2 can operate in this way?

  i found my answer in idsm-2 document "You can mix sensing modes on IDSM-2. For example, you can configure one data port for promiscuous mode and the other data port for inline VLAN pair mode. But because IDSM-2 only has two data ports and inline mode requires the use of both data ports as a pair, you cannot mix inline mode with either of the other two modes." but something else,for doing such thing suppos that i have sig 2004 configured for inline traffic to deny attacker inline then this action doesnt make any sense for some data in passive mode and suppos that for that kind of traffic which idsm-2 is operating in passive mode i want to just send an alert. so can i use deferent VS for doing this? thanks.

• Throughput of IDSM-2

  Cisco Doc says the IDSM-2's throughput is 600Mbps in promiscuous mode, so what throughput I would get if I just send traffic to one data port.

  From the real-world note: We have numerous Cisco IDS devices, from 4215s up through 4250XLs and IDSM-2s. None of them meet their rated numbers, most start dropping packets at 1/3 of their claimed capacity. This is even after several TAC cases and extensive investigation by TAC engineers and internal developers. Maybe if you shut of 90% of signatures you could get there. Don't believe the hype.

• How many in-line VLAN pairs are supported on IDSM-2

  Hi Netpros,
  I have a couple of questions and would appreciate your assistance.
  1.- Is there any limitation regarding the number of in-line VLAN pairs which can be monitored  by the IDSM-2.  Using the below version in the cat 6K. I need to monitor about 10 VLAN pairs using in-line mode.
  Core 1:  Version  12.2(18)SXD7
     1 Centralized Forwarding Card WS-F6700-CFC       SAL1126STTL   3.1    Ok
    2 Centralized Forwarding Card WS-F6700-CFC       SAL1121PELM   3.1    Ok
    3 Centralized Forwarding Card WS-F6700-CFC       SAL1126SXJG   3.1    Ok
    4 Centralized Forwarding Card WS-F6700-CFC       SAL1105FV2Z   2.1    Ok
    5 Policy Feature Card 3       WS-F6K-PFC3B       SAD09460517   2.1    Ok
    5 MSFC3 Daughterboard         WS-SUP720          SAD094608WX   2.3    Ok
    6 Policy Feature Card 3       WS-F6K-PFC3B       SAL1005C5WC   2.2    Ok
    6 MSFC3 Daughterboard         WS-SUP720          SAD091300RC   2.7    Ok
    7 Centralized Forwarding Card WS-F6700-CFC       SAL1134YWA3   4.0    Ok
  Core 2:   Version 12.2(18)SXF10
    3  Centralized Forwarding Card WS-F6700-CFC       SAL1049A4BD  2.1    Ok
    4  Centralized Forwarding Card WS-F6700-CFC       SAL1133XJKG  3.1    Ok
    5  Policy Feature Card 3       WS-F6K-PFC3B       SAL1133XJZF  2.3    Ok
    5  MSFC3 Daughterboard         WS-SUP720          SAL1133XMQF  3.0    Ok
    9  Centralized Forwarding Card WS-SVC-WISM-1-K9-D SAD125003MC  2.1    Ok
  2.-  Do I need to create one virtual sensor per in-line VLAN pair ?
  Your assistance would be much appreciated.

  I don;t know if there is an actual number, but I thought I remember the simultaneous number of VLAN pairs supported by the IPS OS was quite high. I'm currently running IDSMs with well over 10 VLANs.
  You do not need to create a separate virtual sensor for each VLAN (That would use up your system resources quite quickly, as it is you can expect to get about 6K connections/sec and about 250Mb/s of throughput in a single sensor instance). You would only want a separate virtual sensor if you needed wildly different signature policies on each VLAN that couldn't;t be otherwise handled by Event Action Filters and Overrides.
  - Bob

• Idsm 2- IPS Deployment

  I would like to configure an IDSM-2 in inline mode, I am having trouble about the deployment, I have a couple of questions;
  1. If you configure 2 VLANs (existing) as VLAN pairs does this mean the exist connection between the 2 VLANs is broken?
  ie they can only communicate to each other via IPS.
  2. Where is the best place to deploy this type of IPS?

  Hello
  1. If configure properly, it will definitely not break any connectivity (its a bump in the wire). Of course if some traffic is denied by any IPS signature itself, that is a different matter. Please see this example for more help:
  http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_configuration_example09186a0080876d9f.shtml
  2. Inline mode is deployed where you want proactive protection and the the IPS box you have has sufficient throughput and other resources that will allow it to monitor that segment of your network (or multiple segments for that matter..)
  Regards
  Farrukh

• IDSM-2 Performance

  IDSM-2 gives 500Mbps in IPS mode and 600Mbpgs in IDS mode. Bundling 4 IDSM-2 in single chassis gives 2Gbps performance with Sup 32. But the FWSM provides 5Gbps throughput and the Sup 720 supports 40Gbps switching. What is the disconnect here? How do you design your IDSM-2s to support 5Gbps throughput when you have a single FWSM supporting 5Gbps?

  If you exceed the monitoring capability of the sensor, then packets that can not be monitored will be dropped by the sensor.
  NOTE: 500Mbps is not an absolute performance number for the sensor. It is a performance level that the sensor has been testeed to be able to handle for specific types of traffic used in the performance test. It is unknown exactly how much traffic the sensor will be able to handle for your network. The IDSM-2 will likely handle AROUND 500 Mbps is many and even most customer networks. However, networks do vary and in some networks it may handle quite a bit less traffic, and in other networks might handle even more.
  So the question isn't what will happen if you send more than 500 Mbps, but rather what will happen if you send more of your traffic than what the sensor is able to monitor. And the answer is that any traffic that can not be monitored because of performance limitations will be dropped by the sensor.
  The only time packets are forwarded without inspection is if sensorApp has stopped monitoring ALL packets (either a reconfiguration or upgrade is taking place, or the sensorApp process has crashed) AND the auot software bypass functionality has kicked in. In which case ALL packets would be forwarded without analysis.

• IDSM-2 best practices

  Hi,
  How many types of signatures need to be enable while IDSM-2 deploying in Data Center behind FWSM?
  Thanks

  Thank you for your response!!!
  We are planning to deploy IDSM-2 at client site. Customer is asking few things:
  1. If we install it in promiscuous mode then what will be the best utilization and design for this module,
      how to configure it
  2. If we install it in inline mode then what will be the best utilization and design for this module, how to configure it.
  Let me to explain you few things:
  They have multiple vlans in Cisco 6509 Switch and the servers are placed behind the firewall (FWSM), they want to inspect all vlans traffic forwarding towards server farm. 
  To fulfill their requirements, we recommend them to install IDSM-2 in promiscuous mode, as this module has less throughput and also advise them to keep up to date the latest signatures in IDSM-2. On our recommendation, they want some experts to weight it or advise if some other best practices design to install IDSM-2 in their network.
  I really appreciate if you add your valuable inputs in this regard, as we have to deploy this module in coming weekend. Your early response will be highly appreciated.
  Thanks in advance!

• Bridging FWSM VLAN via IDSM

  I have briged the FWSM VLANs ( named DMZ,DMZ-BRIDGE) via the IDSM. However, on the 'show failover' on FWSM the server VLAN shows as 'No Link/Unknown'. Is it because there is no IP assigned. Is it the right status/configuration. Do I need to assign an IP to the bridged VLAN. Please assist.
  This host: Primary - Active
  Interface DMZ-BRIDGE (0.0.0.0): No Link (Not-Monitored)
  Other host: Secondary - Standby Ready
  Interface DMZ-BRIDGE (0.0.0.0): Unknown (Not-Monitored)

  In most of the data centers IDSM could be a bottleneck due to its 600Mbps(Promiscuous) & 500Mbps(inline) limitation.
  If its placed inline and has no capacity to process new packets then like any other inline device it will start dropping packets.
  In your case you need to know the throughput needed between segments.
  If you are not sure then dont use IDSM in inline mode.
  In promiscouous mode, using VACL you can define traffic to be examined by Sensor using ACLs.
  Although IPS exist at the WAN/Internet Layer, its still desirable to have IPS/IDS at service layer to protect resources from getting compromised.
  When we say bridging vlans using IDSM then we mean IDSM in inline mode. In case of ACE if you want to use IDSM inline then you will bridge server vlan interface of ACE & Actual Server Vlans.
  Vlan X (client vlan) ACE (Server Vlan)Vlan Y IDSM (Real Server Vlan) Vlan Z
  In the above example you will bridge vlan Y & Z.Since you are bridging the two vlans, Same IP address space will be used in the two Vlans.
  Syed

• IDSM inline VLAN pairing

  We have cat 6509 switch with FWSM, IDSM-2, NAM modules. Customer wants all the internal VLAN's to be monitored by IDSM in inline mode. Customer has around 400 VLANS in datacenter and wants to monitor all communications between VLAN's. How do I monitor all VLAN's when IDSM has 2 data ports and can only span 255 vlan groups per port?
  Please suggest!
  Vinod

  I don't know if anyone is still watching this or not but that's a lot of VLANs to go through a (single?) IDSM. Technically you should be able to do it by splitting the VLAN pairs across the two data ports (i.e. vlan 2-200,1002-1200 on DP 1 and vlan 300-500,1300-1500 on DP 2). Considering each IDSM only has a throuput of 500MBps when deep scanning, you're going to potentially be limiting your throughput considerably if you do this.

• IDSM inspection load on 100%

  Now I have IDSM with 100% inspection load on busy hour and followed by missed packets percentage increasing at that time. 
  The IDSM interface is setting as promiscuous interface
  Is it means my network throughput will limited by IDSM max inspection load / throughput which is 600Mbps?
  Thank you
  Marcel.

  No, the throughput wil not be limited in the network when you are in promiscous mode. But your visibility for attacks is highly limited.
  You should configure your span/capture settings on the 6k5 to only send as much traffic to the IDSM as this module can handle.
  Just remember that the IDSM-2 is a ten years old system and can't catch up with the typical traffic-demand we are having nowadays.
  It's time to change the IDSM against an actual external sensor.

• What happens when IDSM-2 performance is exceeded

  Hi,
  we have IDSM-2 with about 20 inline vlan pairs in test environment. What happens to inline traffic when we exceed declared throughput of 500 Mbps? Is traffic dropped or is it forwarded without IPS inspection.

  If you exceed the monitoring capability of the sensor, then packets that can not be monitored will be dropped by the sensor.
  NOTE: 500Mbps is not an absolute performance number for the sensor. It is a performance level that the sensor has been testeed to be able to handle for specific types of traffic used in the performance test. It is unknown exactly how much traffic the sensor will be able to handle for your network. The IDSM-2 will likely handle AROUND 500 Mbps is many and even most customer networks. However, networks do vary and in some networks it may handle quite a bit less traffic, and in other networks might handle even more.
  So the question isn't what will happen if you send more than 500 Mbps, but rather what will happen if you send more of your traffic than what the sensor is able to monitor. And the answer is that any traffic that can not be monitored because of performance limitations will be dropped by the sensor.
  The only time packets are forwarded without inspection is if sensorApp has stopped monitoring ALL packets (either a reconfiguration or upgrade is taking place, or the sensorApp process has crashed) AND the auot software bypass functionality has kicked in. In which case ALL packets would be forwarded without analysis.

• AP1231G-A-K9 access points - very slow throughput - Is TKIP the issue?

  I recently setup our small office network using the following setup:
  Cablemodem <--> router <--> 1231AP(role root bridge with wireless clients) <-> 1231AP(role non-root bridge with wireless clients)
  Code on both APs: 12.3(8)JEE
  Office network generally has less than 3 wireless clients connected at any one time to either AP.
  AP's are a mere 50' apart; clients are all less than 30' from either AP; they all show excellent signal and connected at 54mbps signaling rates.
  All is/has been working very well & very stable with the exception of speed. We have business class service from RR, approx 25mbps dl, 2mbps ul. Any hardwired client to the router switch ports are able to download at speeds averaging 23mbps. Any wireless client connected to either AP is never able to exceed download speeds of 5mbps. With no other wireless clients connected except my one test client, I was not able to exceed 5mbps throughput from either AP that I connected to.
  I can confirm that the ethernet connection between the router and root bridge is up at 100mbps-FD and not showing any errors:
  ap#sh interfaces FastEthernet0
  FastEthernet0 is up, line protocol is up
    Hardware is PowerPC405GP Ethernet, address is 0013.60cf.bb29 (bia 0013.60cf.bb29)
    MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
       reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation ARPA, loopback not set
    Full-duplex, 100Mb/s, MII
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input 00:00:00, output 00:00:00, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/160/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/40 (size/max)
    5 minute input rate 5000 bits/sec, 0 packets/sec
    5 minute output rate 1000 bits/sec, 1 packets/sec
       8054605 packets input, 3141009145 bytes
       Received 46005 broadcasts, 0 runts, 0 giants, 0 throttles
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
       0 watchdog
       0 input packets with dribble condition detected
       4076106 packets output, 411952731 bytes, 0 underruns
       0 output errors, 0 collisions, 4 interface resets
       0 babbles, 0 late collision, 0 deferred
       0 lost carrier, 0 no carrier
       0 output buffer failures, 0 output buffers swapped out
  Wandering thru the cli on either AP shows that all wireless clients are indeed connected at 54mbps to their respective AP and the two AP's are connected happily at 54mbps signaling:
  Address           : 0013.1a37.b3e0     Name             : ap
  IP Address        : 192.168.0.120      Interface        : Dot11Radio 0
  Device            : 11g-bridge         Software Version : 12.3
  CCX Version       : NONE
  State             : Assoc              Parent           : Our Parent        
  SSID              : Tsunami
  VLAN              : 0
  Hops to Infra     : 0                  Association Id   : 44
  Tunnel Address    : 0.0.0.0
  Key Mgmt type     : WPA PSK            Encryption       : TKIP
  Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
  Supported Rates   : 1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
  Voice Rates       : disabled
  Signal Strength   : -51  dBm           Connected for    : 75169 seconds
  Signal to Noise   : 26  dB            Activity Timeout : 14 seconds
  Power-save        : Off                Last Activity    : 1 seconds ago
  Apsd DE AC(s)     : NONE
  Packets Input     : 1050695            Packets Output   : 296536   
  Bytes Input       : 474651248          Bytes Output     : 96734573 
  Duplicates Rcvd   : 0                  Data Retries     : 63646    
  Decrypt Failed    : 0                  RTS Retries      : 0        
  MIC Failed        : 0                  MIC Missing      : 0        
  Packets Redirected: 0                  Redirect Filtered: 0
  Here is a config snippet from the AP non-root bridge with wireless clients:
  dot11 ssid Tsunami
     authentication open
     authentication key-management wpa
     guest-mode
     infrastructure-ssid optional
     wpa-psk ascii 7 (snipped)
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption mode ciphers tkip
  ssid Tsunami
  speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
  station-role non-root bridge wireless-clients
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  bridge-group 1
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address dhcp client-id FastEthernet0
  no ip route-cache
  bridge 1 route ip
  (The AP root-bridge with wireless clients config is identical to this config with the exception of the station-role and a static IP on the BVI1 interface.)
  Are these very slow thoughput speeds normal of this hardware combination?
  I did much searching/googling and found claims that by eliminating TKIP it almost doubles the actual wireless speeds our clients can obtain. Is there any truth to this?
  Any suggestions or recommendations without changing hardware would be very welcome.
  Thanks in Advance!
  D.
  =============

  Ok, thanks for the explanation - I understand. But even at a 22mbps signaling rate shouldn't I be seeing throughputs greater than 5-5.5mbps especially since this location is literally 100% free of any outside interference and the interfaces definitely show the clients and non-root bridge (when connected) all being at the highest rate of 54mbps? I tried even in the same room, approximately 40' away, total line of sight, no obstructions, between my laptop and the root AP.
  I disconnected the non-root bridge and connected directly to the root bridge during my testing. I was still only able to achieve approx 5.5mbps download. Adding back in the non-root bridge and re-connecting to it I notice slightly lower throughput, approx 5mbps. During testing, my laptop was the only device connected to the network, all other clients were shut off.
  Here are the int stats (I've never reset the counters):
  Root Bridge:
  RATE 1.0 Mbps
  Rx Packets:           2178725 /  49    Tx Packets:                   39 /   0
  Rx Bytes:            335124036 /7595    Tx Bytes:                   4965 /   0
  RTS Retries:               61 /   0    Data Retries:                  5 /   0
  Non-Root-Bridge:
  RATE 1.0 Mbps
  Rx Packets:           2323120 /  50    Tx Packets:                  141 /   0
  Rx Bytes:            336455923 /7595    Tx Bytes:                  17869 /   0
  RTS Retries:                2 /   0    Data Retries:                 56 /   0
  All the other rates, 2-12mbps show single or double digit packet/byte counts until I get to the 36mbps section of each interface:
  ap#sh int Dot11Radio0 stati
          DOT11 Statistics        (Cumulative Total/Last 5 Seconds):
  (snipped for brevity)
  Root Bridge:
  RATE 36.0 Mbps
  Rx Packets:            915395 /   1    Tx Packets:              2345589 /   9
  Rx Bytes:            93420936 /  70    Tx Bytes:             3370791285 / 874
  RTS Retries:                0 /   0    Data Retries:             573981 /   4
  RATE 48.0 Mbps
  Rx Packets:           2163192 /   2    Tx Packets:               216861 /   0
  Rx Bytes:            222455730 / 404    Tx Bytes:              182817967 /   0
  RTS Retries:                0 /   0    Data Retries:             106808 /   0
  RATE 54.0 Mbps
  Rx Packets:            987986 /   0    Tx Packets:               168923 /   0
  Rx Bytes:            190467269 /   0    Tx Bytes:               61665042 /   0
  RTS Retries:                0 /   0    Data Retries:              34424 /   0
  Non-Root Bridge:
  RATE 36.0 Mbps
  Rx Packets:           2368679 /   0    Tx Packets:               965419 /   0
  Rx Bytes:            3396819830 /   0    Tx Bytes:               90880825 /   0
  RTS Retries:                0 /   0    Data Retries:             242686 /   0
  RATE 48.0 Mbps
  Rx Packets:            341870 /   0    Tx Packets:              2156282 /   1
  Rx Bytes:            216497093 /   0    Tx Bytes:              215775536 / 210
  RTS Retries:                0 /   0    Data Retries:             478619 /   0
  RATE 54.0 Mbps
  Rx Packets:           1469926 /  15    Tx Packets:              2529678 /  15
  Rx Bytes:            411722698 /1122    Tx Bytes:             1366306113 /5159
  RTS Retries:                0 /   0    Data Retries:             198532 /   0
  I will try disabling the rates below 12mbps and re-test.
  I would like to try disabling all encryption and try as well.
  Do you know if the AP's will associate if there is zero encryption?

• SOFS Throughput Issues

  A question very similar to mine exists here.
  I have a SOFS cluster (3 hosts). I connected each without nic teaming at first and later tested with nic teaming. I'm using a single 10GbE Netgear M7100-24X switch. The CSV is configured as a 2-way mirror through storage space using a SAS JBOD with
  24 disks. Each host is configured the same way with 32 GB of RAM. 6 GB is set for CSV cache.
  I ran ntttcp test (v5.28) with 8 threads. Sending to the SOFS host, I get over 1100 MB/s throughput. Receiving from the SOFS, I get just under 680 MB/s throughput. So the switch looks to be working fine.
  When using LAN Speed Test (Lite), connections directly to the file share folders (\\host#\c$\ClusterStorage\Volume1\Shares\folder) for a 200MB file for each server averages to about 700 Mbps write and 2000 Mbps read. Connection to the cluster role (\\sofs\folder),
  results in 90 Mbps write and 2000 Mbps read. However, after waiting for a minute for it to start running, the speed test starts and pauses repetitively. I know this doesn't mean much because it isn't testing transfers from SMB to SMB.
  Since I can't set up another SMB to test SMB to SMB transfer, I'm jumping straight to Hyper-V. In VMM, I added SOFS file share folder to an existing vm cluster. After that, I migrated a vm to one of the hosts in the cluster with high availability checked
  and saw that it indeed used the \\sofs\folder.
  Using LAN Speed Test (Lite) on that vm and back to that particular vm host, I'm getting under 90 Mbps write and 340 Mbps read. If you recall the earlier results directly to \\sofs\folder, the write speed is similar to just regular file transfer speed, but
  the read speed is 6 times lower. Sending with ntttcp, I'm getting an average of 11 MB/s throughput, which does explain the 90 Mbps write. And receiving from the host, I'm getting an average of 42 MB/s throughput, which also explains the 340 Mbps read speed. But
  another vm hosted by the same server without SOFS is giving me 350 MB/s sending and 360 MB/s receiving to and from that host respectively. Although way faster, this does seem a little bit slower. I then ran Passmark Network Test to be thorough. Max speed
  of the vm using SOFS is 100 Mbps sending and 330 Mbps receiving. The vm without SOFS is 7500 Mbps sending and 6000 Mbps receiving. I don't know why ntttcp differs from Passmark this much. (Maybe ntttcp not as optimized for 10GbE?)
  But disregarding discrepancies on the results for the vm without SOFS, it is still clear that the vm with SOFS as storage is way slower. To rule out nic teaming as the solution to my problems, I've set up nic teaming (switch independent and dynamic) to all
  the SOFS hosts. I didn't get much difference in the results. As I do not have another switch, I don't think nic teaming helped with the load balancing. And I haven't set up link aggregation (MLAG) on the switch either.
  Is this the speeds that I should be getting, or are there other optimizations or configurations you can suggest? I'll be honest, a single vm on SOFS doesn't lag very much if at all despite its awful throughput I'm currently getting. What I'm scared of is
  if I put 50 vms and have SQL Server run off the SOFS.

  I'm using normal 10 GbE NIC with just RSS; I should have mentioned that I'm only using Intel X520-T2 nics.
  As for getting 7500 Mbps throughput on the VM host without using SOFS, let me clarify. On host A, I have two virtual machines. One VM is set up to use SOFS and HA, the other one is just on host A itself. The VM on SOFS is giving me 90
  Mbps write and 340 Mbps read. And the VM stored on the host itself is giving me 7500 Mbps write
  and 6000 Mbps reading. BTW, typically I get better read speeds than writes, it might be the day and hour. Earlier today when I reran the benchmarks, it was 7300/7500 Mbps write/read. The VM with the SOFS is still the same however.
  I was told before that we don't need RDMA at a Microsoft conference, but now I think it's only true for a lab environments... The company I work for does not have
  the budget to buy RNIC and SFP+ switches for now.
  I'm going to try to implement these
  solutions first. I currently only using a single VNIC. Give me a day or two.
  What I'm currently wondering about is that the DNS servers on the network are not on the 10 GbE network. I'm wondering if the data is staying on the 10 GbE network and not going out to the 1 GbE network first. This is a total guess.