
Thread: Re: 10GE router resource




Re: 10GE router resource
United States
2008-03-25 20:15:57

I also had to switch to OpenBSD as there was a fatal crash with the bridge device in FreeBSD when used with my particular OpenVPN/CARP/pf combination.

AFAIK pf/forwarding only takes place on one core and wouldn't take advantage of the other 3 cores, correct?

-Patrick

----- Original Message -----
From: "Adrian Chadd" <adriancreative.net.au>
To: "Chris Grundemann" <cgrundemanngmail.com>
Cc: "William Herrin" <herrin-nanogdirtside.com>, nanognanog.org
Sent: Tuesday, March 25, 2008 6:02:03 PM (GMT-0800) America/Los_Angeles
Subject: Re: 10GE router resource

On Tue, Mar 25, 2008, Chris Grundemann wrote:

> To Ann's question on resources; I have only used Linux routers with 1G
> ports but have surpassed 10G total throughput (up+ down) using various
> dual proc set ups, most often Intel Xeon in Dell servers.  A gentleman
> by the name of Martin Pels wrote a good paper on the subject early
> last year that can be found here:
> HTTP://DOCS.RODECKER.NL/10-GE_ROUTING_ON_LINUX.PDF.  He hit a wall at
> 700K pps and was using two dual core Intel Xeon 64bit 2.33GHz CPUs and
> 2GB of RAM in a Dell PowerEdge 1950.

Mike Tancsa did some benchmarking in late 2006:

HTTP://WWW.TANCSA.COM/BLAST.HTML

I think things are slightly faster now but not because of a massive
change in software architecture.

Adrian

Re: 10GE router resource
2008-03-25 21:13:24
On Tue, Mar 25, 2008 at 6:15 PM, Patrick Clochesy
<patrickchegg.com> wrote:
> Very interesting study I had not seen, and a bummer. That really puts a
> cramp in my advocation of our CARP+pf load balancers/firewalls/gateways.
> Then again, what's a PIX box capable of?

I'd rather tweak a whitebox than pay through the nose for a PIX.

> I also had to switch to OpenBSD as there was a fatal crash with the bridge
> device in FreeBSD when used with my particular OpenVPN/CARP/pf combination.
>
> AFAIK pf/forwarding only takes place on one core and wouldn't take advantage
> of the other 3 cores, correct?

Correct. There have been some great speed and efficiency improvements
in pf and other networking parts of OpenBSD; though from anecdotal
evidence, 10GbE is not ready for 'primetime' (for certain definitions
of 'primetime').

Actually I'll just skip making an ass out of myself and hope Henning
chimes in, since I believe he reads NANOG as well.

aaron.glenn

Re: 10GE router resource
Australia
2008-03-25 21:53:48
On Tue, Mar 25, 2008, Patrick Clochesy wrote:
> Very interesting study I had not seen, and a bummer. That really puts a
> cramp in my advocation of our CARP+pf load balancers/firewalls/gateways.
> Then again, what's a PIX box capable of?

Well, you get what you pay for. If you're willing to blow $10k on a
firewall, maybe you'll be willing to blow $10k on a *BSD developer
to work on improving forwarding performance.

It'd only take ten or so people to make donations or sponsor work
of that size for the benefits to appear.

> I also had to switch to OpenBSD as there was a fatal crash with the bridge
> device in FreeBSD when used with my particular OpenVPN/CARP/pf combination.

Did you log a bug?

> AFAIK pf/forwarding only takes place on one core and wouldn't take advantage
> of the other 3 cores, correct?

Uhm, it's not quite that simple. ithreads on FreeBSD at least will run on
one CPU at a time (unless you're running some hacked up Russian-driven
Intel gige driver, which runs multiple ithreads for the device to improve
performance under certain circumstances!) and these classes of cards and
busses wouldn't benefit from >1 core contending for one card/bus.

If you're running >1 card then you may find the ithreads run on different
CPUs, each doing lookups and forwarding, but I haven't sat down and looked
at that sort of forwarding performance under FreeBSD. My focus at the moment
is "tcp proxy on a stick" throughput with one interface and >1 core doing
userland processing.

Adrian


RE: 10GE router resource
United States
2008-03-26 08:18:34

To answer your question, the 5580 ASA (PIX is EOS if you didn’t know) is capable of 10G “HTTP” traffic and 20G “jumbo frame” packets.  However, 64-byte packet rate is “limited” to 4,000,000pps.  And yes, you will pay for that performance.  You get a lot more than just a packet filter with the ASA though.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

From: owner-nanogmerit.edu [mailto:owner-nanogmerit.edu] On Behalf Of Patrick Clochesy
Sent: Tuesday, March 25, 2008 9:16 PM
To: Adrian Chadd
Cc: nanognanog.org
Subject: Re: 10GE router resource

Very interesting study I had not seen, and a bummer. That really puts a cramp in my advocation of our CARP+pf load balancers/firewalls/gateways. Then again, what's a PIX box capable of?

I also had to switch to OpenBSD as there was a fatal crash with the bridge device in FreeBSD when used with my particular OpenVPN/CARP/pf combination.

AFAIK pf/forwarding only takes place on one core and wouldn't take advantage of the other 3 cores, correct?

-Patrick

----- Original Message -----
From: "Adrian Chadd" <adriancreative.net.au>
To: "Chris Grundemann" <cgrundemanngmail.com>
Cc: "William Herrin" <herrin-nanogdirtside.com>, nanognanog.org
Sent: Tuesday, March 25, 2008 6:02:03 PM (GMT-0800) America/Los_Angeles
Subject: Re: 10GE router resource

On Tue, Mar 25, 2008, Chris Grundemann wrote:

> To Ann's question on resources; I have only used Linux routers with 1G
> ports but have surpassed 10G total throughput (up+ down) using various
> dual proc set ups, most often Intel Xeon in Dell servers.  A gentleman
> by the name of Martin Pels wrote a good paper on the subject early
> last year that can be found here:
> HTTP://DOCS.RODECKER.NL/10-GE_ROUTING_ON_LINUX.PDF.  He hit a wall at
> 700K pps and was using two dual core Intel Xeon 64bit 2.33GHz CPUs and
> 2GB of RAM in a Dell PowerEdge 1950.

Mike Tancsa did some benchmarking in late 2006:

HTTP://WWW.TANCSA.COM/BLAST.HTML

I think things are slightly faster now but not because of a massive
change in software architecture.

Adrian

Re: 10GE router resource
United States
2008-03-27 09:12:27
Patrick Clochesy wrote:
> Very interesting study I had not seen, and a bummer. That really puts a
> cramp in my advocation of our CARP+pf load balancers/firewalls/gateways.
> Then again, what's a PIX box capable of?
>
> I also had to switch to OpenBSD as there was a fatal crash with the bridge
> device in FreeBSD when used with my particular OpenVPN/CARP/pf combination.
>
> AFAIK pf/forwarding only takes place on one core and wouldn't take advantage
> of the other 3 cores, correct?
>
> -Patrick
>

http://pf4freebsd.love2party.net/pflock/ is worth a quick read. 7.0
already supports some SMP networking but when the pflock changes are
done you'll likely see some pretty serious performance from those devices.

Regards,

	Chris
