I'm trying to set up a redundant firewall configuration. We have two GE
links that redundantly (though both active) feed an array of servers. I'd
like to interrupt each GE link with a PC acting as a firewall.
First of all, we can't easily do any stateful firewalling because
packets can take either link, and thus pass through either PC. That's fine.
Mostly what we want is to get detailed traffic statistics in as near real
time as possible and apply packet filters. They can be as coarse as 'block
this IP'.
I have a lot of questions:
1) I've heard that the Intel GE cards work the best with Linux because
of their NAPI support. Is this true? There are a lot of different Intel GE
cards with vastly different prices, do they perform much differently?
2) I've heard that there are issues with SMP in high-speed packet
filters and we should prefer a fast single CPU machine. Is this true, or
rumor/outdated?
3) Are there any good software firewall packages that will allow us to
see the traffic statistics on the inbound GEs in real time? A web interface
that could show us which IPs are generating/receiving the most traffic, for
example. Something to synchronize the config on the two boxes would be nice
too (though we can hack that up ourselves easily enough.)
4) We'd like to be able to handle at least 500Mbps total (25% line
rate). (The line rate would be 4Gbps, 1Gbps in on each of the two ports,
1Gbps out on each of the two ports.) Is this realistic?
5) I can't use GE ports built into motherboards because I need to
support fiber in the future. Will this hurt me a lot because I can't use
that new Intel thing where the GigE port connects directly to the MCH? Do I
need to look for motherboards with dual independent PCI-X busses? Do these
even exist?
6) Any dual-GigE Linux success stories? What motherboards, processors,
and Ethernet cards did you use? How much bandwidth could you handle at what
kind of CPU load? How much were you able to do to the packets without
melting down? Any special kernel versions/options?
In the past, we tried a dual-FE setup and had dismal results. Interrupt
storms slowed the system to a crawl at 200Mbps total or so. We expected full
line rate (400Mbps) to work. So we're asking a lot more questions this time.
DS
|
Similar Threads
Linear Mode
