A company is migrating its legacy firewall services to a virtualized environment using Cisco NFV. The network engineer deploys a virtual firewall (vFW) on an NFVIS-enabled UCS platform. After the deployment, traffic through the vFW is intermittent and performance monitoring shows high CPU usage on the host. Which action should the engineer take to improve performance?
Correct because SR-IOV allows the vFW to directly access the physical NIC, reducing CPU overhead and improving throughput.
Why this answer
SR-IOV (Single Root I/O Virtualization) allows a physical NIC to present multiple virtual functions (VFs) directly to a VM, bypassing the hypervisor's virtual switch and reducing CPU overhead for packet processing. In an NFVIS environment, high host CPU usage with intermittent traffic indicates that the vFW is consuming excessive CPU cycles due to software-based I/O. Assigning VFs to the vFW offloads packet handling to the NIC hardware, lowering host CPU utilization and stabilizing traffic.
Exam trap
The trap here is that candidates often assume adding more vCPUs (Option B) will solve performance issues, but Cisco tests the understanding that I/O bottlenecks in NFV are typically resolved by hardware offload techniques like SR-IOV, not by increasing compute resources.
How to eliminate wrong answers
Option B is wrong because increasing vCPUs can actually worsen CPU contention and overhead in a virtualized environment, especially if the bottleneck is I/O processing rather than compute capacity. Option C is wrong because QoS policies manage traffic prioritization but do not reduce the underlying CPU overhead caused by inefficient I/O virtualization; they may even add processing load. Option D is wrong because disabling hyperthreading reduces the number of logical CPU cores, which can decrease overall throughput and increase latency, contrary to the goal of improving performance.