Re: Debian routers + firewalls for large ISP?
You have to understand that a GigaE link at full load will carry 1.5 million
packets per second. If you want to use 10GB/sec, that would be 15 million
packets per second, which is impossible for ANY PC-based server to handle at
all. You could either use a cluster or Cisco. Dude, you have to understand WHY
people buy Cisco rather than build it on a PC. Cisco uses ASIC chips for
specific types of packet processing, while a PC is just for general usage,
which means it is good for everything general, but not strong in any field.
> Hi all,
> I'm looking for expert advice about possible firewalling with Debian.
> needing to serve a very heavy load of clients/bandwidth and I'm not sure
> it is do-able with Linux based OSs and today's machine, due to my test
> Here's the specs:
> 1) Serving video + audio streaming only, clustered environment pushing
> the stuff
> 2) 10GB/second sustained bandwidth, 40GB/second peaks (long peaks,
> sometimes hours), growing fast
> 3) 200 000 simultaneous clients, growing, expecting 0.5 million within a
> 3) Service responding on a specific port, serving through established
> non-priv ports
> 4) Need redundancy on the firewalling and interfaces.
> 5) We would prefer to be able to manage Linux boxes rather than Cisco
> We are looking at Cisco 6500 series routers + redund. options that we
> can add to it,
> cause what we've tried with linux so far "dies under the load".
> The firewall ruleset is small as we're listening to 1 port for this
> but it seems that no matter the "super computers" we tried, they would
> all crawl
> to their death due to heavy processor usage by iptables.
> Should it be doable to serve such traffic through iptables on debian, if
> what would be the best way to approach this. I cannot fail, this is 24/7
> Maybe we had too many connections per adapter, filling the 65k ports,
> didn't have
> much time to look at it, we had to put the original routing back on fast
> when our tests
> Thanks in advance for any help you may provide, guidance to accomplish
> this with success
> would be very appreciated.
> BTW, $$$ for required hardware is not an issue... so if you suggest
> pricey stuff, I don't care.
> Martin H.
Thomas G. Lau
Technical Support Engineer
Address: 22/F China Online Centre,
333 Lockhart Road,
Wanchai, Hong Kong
Dedicate, Performance, Reliable --- PowerNetix Datacenter: Department of
No one shall see the face of light with my spirit behind,
rise into the falling sky.
Brave breakdown into tiny piece,
fear comes with darkness cover me.
Ice will fall right after this,
light will never come again!
- Thomas G. Lau
"The walls between art and engineering exist only in our minds." - Theo