Network Security Firewalls

Re: Question about high performance iptables-based Firewall

Subject: Re: Question about high performance iptables-based Firewall
Date: Tue, 6 Sep 2005 21:16:22 +0200
Greetings!

On Tue, 06 Sep 2005 10:08:09 +0200
Javier Miguel Rodríguez <javier.miguel@talika.eii.us.es> wrote:

> I have to build a FAST Linux firewall (12 gigabit ethernets), and I
> need your advice
>
> Compaq Proliant DL380g4 (1 xeon 3.6 ghz, with hyperthreading, pci-x
> based, 1 gb ram)
> 2 broadcom gigabit ethernet cards (tg3 driver)
> 3 intel quad gigabit ethernet cards (e1000 driver)

...but with 64bit PCI-X @100 MHz for most of the interfaces you have an
internal bottleneck with a theoretical limit at ~6 Gbit/s for the bus
lines alone.

According to the proceedings of Netfilter Developer Workshop 2004
(09/2004):

        "Problems with Intel 4 port cards because of additional PCI bridge.
        Lose 30% of performance 
[...]
        PCI-X will have similar problems with multi-port cards E1000 PCI-x
        is broken with message signal interrupts. 
[...]
        building as 64bit kernel hurts performance, this is assumed because skb
        grows another cache line because of large pointers
[...]
        ip stack needs help to get better SMP scalability
        with perfect affinity CPU's get only 20% gain with second Xeon"

Full test (nat, mangle, filter, ip_conntrack): down to 40% of raw
throughput.

> My ruleset will be rather short: 500-600 lines, with SNAT/DNAT in
> about 5% of these rules. Only ipv4 will be used in this firewall
> setup.

According to HIPAC testing the throughput started caving in at ~500
rules, so make sure you have the right order (most used on top) and do
not grow larger.

> I expect sustained rates of 300-400 megabits on EACH gigabit
> interface,

400 Mbit/s * 11 interfaces = 4,4 Gbit/s
With ~6 Gbit/s as theoretical upper bus line limit alone that's quite a
close call. Especially if applying the reported 30% loss for the intel
quad cards...


So my guess is that the hardware won't support it. For one the bus limit
alone probably won't allow the throughput (I don't know the
interconnections between the busses - thus assumed the PCI-X as main
bus). I am not sure about the CPU power, but for my gut feeling that's
uncomfortably close, too.

Compared with CheckPoint firewall datasheets the HP DL-380 is put into
the 1-3Gbit/s category, so that's not increasing hope either.

So I'd suggest, to be on the safe side, either doing a gateway
reconfiguration so you can distribute the load onto several dedicated FW
systems (one Mail-FW, a Web-FW, one VPN-System, etc.), or heading for the
really big, proprietary irons, which usually are of the load-balanced
blade type (e.g. the big Crossbeams, Alteons). But with them you are at
the end of the expansion road.

So the next network traffic increase will have to be countered with a
new network topology anyway. So I'd suggest really re-thinking your
current network topology.

Good luck!

Volker

-- 

Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists@wyae.de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
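The "most used on top" advice in the reply can be checked against the chain's own packet counters. The following Python script is an added example, not code from the thread or from the netfilter project: it parses the listing produced by `iptables -L CHAIN -v -n -x` (the sample below is a constructed listing, not real counters), computes how many rules a packet evaluates on average in the current order, and compares that with the hit-sorted order as a lower bound.

```python
import re
from typing import List, Tuple

# Constructed sample of `iptables -L FORWARD -v -n -x` output (invented
# counters, not from any real system); -x prints exact packet counts.
SAMPLE = """\
Chain FORWARD (policy DROP 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       8        480 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            10.0.0.5             tcp dpt:22
 9000000 5400000000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  120000    7200000 ACCEPT     tcp  --  eth0   eth2    0.0.0.0/0            10.0.1.10            tcp dpt:80
    3000     180000 ACCEPT     udp  --  eth3   *       10.0.2.0/24          0.0.0.0/0            udp dpt:53
"""

Rule = Tuple[int, str]  # (packet counter, rule text as listed)
POLICY_RE = re.compile(r"\(policy \S+ (\d+) packets")

def parse_chain(listing: str) -> Tuple[List[Rule], int]:
    """Rules in chain order, plus the packet count hitting the chain policy."""
    rules: List[Rule] = []
    policy_pkts = 0
    for line in listing.splitlines():
        m = POLICY_RE.search(line)
        if m:                      # "Chain NAME (policy ...)" header line
            policy_pkts = int(m.group(1))
            continue
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue               # column header or blank line
        rules.append((int(fields[0]), " ".join(fields[2:])))
    return rules, policy_pkts

def avg_rules_evaluated(rules: List[Rule], policy_pkts: int = 0) -> float:
    """Mean rules netfilter evaluates per packet: the chain is walked top
    to bottom and a packet stops at its first match, so a hit on rule k
    (1-based) costs k evaluations and a fall-through costs len(rules)."""
    total = sum(p for p, _ in rules) + policy_pkts
    if total == 0:
        return 0.0
    work = sum(p * (i + 1) for i, (p, _) in enumerate(rules))
    return (work + policy_pkts * len(rules)) / total

def best_case_order(rules: List[Rule]) -> List[Rule]:
    """Hit-sorted order, the lower bound on evaluations per packet. Only
    rules with disjoint match sets can really be swapped without changing
    the firewall's behaviour, so use this as a target, not a patch."""
    return sorted(rules, key=lambda r: r[0], reverse=True)
```

On the sample the current order costs about 2.0 rule evaluations per packet and the hit-sorted order about 1.0, the usual effect of moving the RELATED,ESTABLISHED rule to the top; rules whose counter stays at zero over a representative period are the first candidates for trimming a ruleset that is near the ~500-rule knee mentioned above.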
