
Re: high-end firewall



Vince Mulhollon wrote:
> 
> On 08/24/2001 07:24:28 PM Blars Blarson wrote:
> 
> >> Since I haven't found a pre-packaged solution that fits our needs,
> >> I'm looking into using a linux box as a router.
> 
> This is totally offtopic, and I'm not even remotely trying to plug a
> product, but are you saying that your Cisco rep said "Can't help ya, please
> go away" ?  I find that very hard to believe.  Tell your rep to try harder.
> 
> >> We have a /24 with around 150 systems on it, and growing.  The
> >> incoming feed is 100baseFX full duplex, with a T3 bottleneck upstream.
> >> We have 10 managed 24-port Fast ethernet switches (in four locations)
> >> connected together with 1000baseSX.  Our users are in several
> >> different departments, and it would be best to group them.  (The
> >> switches can do VLANs.)
> 
> >> Would a gigahertz Pentium 3 be able to handle the load of routing
> >> between several 100baseTX cards without being a bottleneck?
> 
> At the low end, CPU power is the limitation.
> 
> For my example, my 486-25 needs about 10% CPU to push a measured half a
> megabit thru my DSL.  This is kernel 2.4 with very simplistic iptables
> config, etc.  If I went crazy with access control lists or similar I could
> "probably" max it out.  I've never heard of anyone in a non-bug,
> non-admin-screwup situation maxing out a pure firewall box, although it's
> possible.  Of course someone or something that screws up a 386-16 will
> screw up a gig pentium, just sixty times faster.
> 
> For your example, pushing a T3 will require (45 / .5) = about 90 times the
> bandwidth, but CPU power (1ghz / 25 Mhz) = about 40 times faster.  So
> expect maybe 20% utilization for your box on a full T3, assuming perfect
> linear scaling (which is probably a dumb assumption).  In summary, it'll
> almost certainly work, although I've never tried something like that.
> 
> At higher end, bus capacity is the limitation.
> 
> For your example, let's say you install qty 3 fourport 10/100 cards.  That's
> 12 * 100 = 1200 megabits of traffic (peak), which will not fit on a PCI
> bus.  That's why people pay $100 for a sixport 10/100 switch at CompUSA
> instead of trying to stick six 10/100's in a linux box running bridging,
> even if you have the hardware laying around unused.
> 
> I have not considered the memory requirements of "ip NAT / ip masquerade"
> nor how that scales.  Let's see, 45 megs, feeding 56K end users, each of
> which using 10 active connections, and oversubscribe the works by a factor
> of 10, hmm that's 80358 NAT'ted connections.  That will require at least two
> IP addresses to hold the ports if nothing else.
> 
> Probably the single best thing anyone trying to learn networking can do, is
> get about half a dozen old 486/386 and a bunch of LAN cards and install a
> stripped down Debian on each.  Then wire it all up.  Just installing Zebra
> and playing with BGP is worth it alone.  Then you play with access control
> lists, etc.  Very educational.
> 
> --
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
thanx for the tip...
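The three back-of-the-envelope estimates in the quoted reply (CPU scaling from a known baseline, peak port bandwidth against the PCI bus, and the NAT table / port-space count) are worth keeping as a reusable calculator. The following is an added example, not code from the thread or from any Debian package; the linear-scaling model and the 64000-ports-per-address figure are assumptions stated in the comments, and the PCI figure is the 32-bit/33 MHz bus peak of about 133 MB/s.

```python
import math

# Assumption: a single shared 32-bit/33 MHz PCI bus, ~133 MB/s peak, ~1064 Mbit/s.
PCI_32_33_MBPS = 133 * 8

# Assumption: roughly 64000 usable source ports per public address for NAT.
PORTS_PER_IP = 64000


def cpu_utilization_estimate(baseline_util, baseline_mbps, baseline_mhz,
                             target_mbps, target_mhz):
    """Linear-scaling model from the post: utilization grows with
    throughput and shrinks with clock speed.  Returns a fraction (0.225
    means 22.5%).  Real forwarding cost also depends on packet rate and
    rule-set size, so treat the result as a lower bound."""
    throughput_ratio = target_mbps / baseline_mbps
    cpu_ratio = target_mhz / baseline_mhz
    return baseline_util * throughput_ratio / cpu_ratio


def bus_fits(port_count, port_mbps, bus_mbps=PCI_32_33_MBPS):
    """Peak aggregate traffic of the NICs versus the bus they share.
    Returns (peak_mbps, fits)."""
    peak = port_count * port_mbps
    return peak, peak <= bus_mbps


def nat_estimate(link_mbps, per_user_kbps, conns_per_user, oversubscription,
                 ports_per_ip=PORTS_PER_IP):
    """Worst-case NAT table size and the number of public addresses needed
    to supply distinct source ports for it.  Returns (connections, ips)."""
    users = link_mbps * 1000 / per_user_kbps          # link / per-user share
    conns = math.ceil(users * conns_per_user * oversubscription)
    ips = math.ceil(conns / ports_per_ip)
    return conns, ips


if __name__ == "__main__":
    # Figures from the thread: 486-25 at 10% CPU for 0.5 Mbit/s, a 1 GHz
    # box pushing a 45 Mbit/s T3.
    util = cpu_utilization_estimate(0.10, 0.5, 25, 45, 1000)
    print(f"estimated CPU utilization on a full T3: {util:.1%}")

    peak, fits = bus_fits(12, 100)
    print(f"12 x 100 Mbit/s ports = {peak} Mbit/s peak, fits on PCI: {fits}")

    conns, ips = nat_estimate(45, 56, 10, 10)
    print(f"NAT table worst case: {conns} connections, {ips} public address(es)")
```

The CPU figure comes out at 22.5%, matching the "maybe 20%" in the post; the NAT count reproduces the 80358 connections and the "at least two IP addresses" conclusion. The PCI check is the one that fails, which is the point the post makes about not bridging six or twelve NICs in one box.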


