nanog mailing list archives
Re: 10GE router resource
From: Adrian Chadd <adrian () creative net au>
Date: Thu, 27 Mar 2008 15:43:40 +0900
On Thu, Mar 27, 2008, Andrew C Burnette wrote:
Indeed. PCI-X is already an EOL'ed interface, if only cheap PCI-X cards were available. Once you add extensive ACLs, there's loads more [central] processing to be done than just packet routing (100k choices versus 2 to 4 interfaces). System throughput gets slammed rather quickly. Linux iptables grumbles painfully at 100k line ACLs :) Not to mention the options of what to do with a packet are very limited.
I agree, and the rest of the discussion is interesting, but the iptables deployments I've seen which do massive ACLs like this almost certainly end up having ACLs you can collapse into a small number of set-lookup-and-act rules. Those set-lookup-and-act rules are much faster than the linear ACL lookups which ipfw/iptables/ipf/pf/etc. do by default (and all of them support IP sets in some form or other); I did this trick recently to reduce the CPU overhead on an old revision 2.8GHz P4 from 99% to <10% when routing 100Mbit of average-pps TCP.

Adrian
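The collapse Adrian describes, as an added example that is not code from the thread: a constructed list of per-source iptables rules is folded into one ipset per (chain, verdict) pair plus a single `-m set` rule, and the script refuses to fold rules whose overlapping prefixes carry different verdicts, since those depend on the original top-down order. The rule shape, set names and sample addresses are assumptions.

```python
import ipaddress
import re
from collections import OrderedDict

# Rule shape handled here (constructed): "-A CHAIN -s ADDR -j TARGET"; others pass through.
RULE_RE = re.compile(r"^-A\s+(\S+)\s+-s\s+(\S+)\s+-j\s+(\S+)$")

# Constructed sample ACL using RFC 5737 documentation prefixes.
SAMPLE_ACL = [
    "-A INPUT -s 192.0.2.10 -j DROP",
    "-A INPUT -s 192.0.2.11 -j DROP",
    "-A INPUT -s 198.51.100.0/24 -j DROP",
    "-A INPUT -s 203.0.113.0/24 -j ACCEPT",
    "-A INPUT -p tcp --dport 22 -j ACCEPT",
]


def collapse_acl(rules):
    """Return (ipset_cmds, iptables_cmds) equivalent to the linear rule list.

    Raises ValueError when one chain holds different verdicts for overlapping
    prefixes: there the top-down order decides, and unordered sets would change
    it. Non-matching rules are appended, in order, after the set rules.
    """
    groups = OrderedDict()  # (chain, target, ip_version) -> [network, ...]
    passthrough = []
    for line in rules:
        m = RULE_RE.match(line.strip())
        if not m:
            passthrough.append(f"iptables {line.strip()}")
            continue
        chain, addr, target = m.groups()
        net = ipaddress.ip_network(addr, strict=False)
        groups.setdefault((chain, target, net.version), []).append(net)
    for (c1, t1, v1), nets1 in groups.items():
        for (c2, t2, v2), nets2 in groups.items():
            if c1 == c2 and v1 == v2 and t1 != t2:
                for a in nets1:
                    for b in nets2:
                        if a.overlaps(b):
                            raise ValueError(f"order-dependent: {a} -j {t1} vs {b} -j {t2}")
    ipset_cmds, ipt_cmds = [], []
    for (chain, target, ver), nets in groups.items():
        name = f"acl_{chain.lower()}_{target.lower()}" + ("_v6" if ver == 6 else "")
        ipset_cmds.append(f"ipset create {name} hash:net family {'inet6' if ver == 6 else 'inet'}")
        ipset_cmds.extend(f"ipset add {name} {n.with_prefixlen}" for n in nets)
        # One hash lookup per packet replaces len(nets) sequential rule evaluations.
        ipt_cmds.append(f"iptables -A {chain} -m set --match-set {name} src -j {target}")
    return ipset_cmds, ipt_cmds + passthrough
```

Running it on `SAMPLE_ACL` turns four per-source rules into two set lookups; the ValueError path is what keeps a first-match ACL from being silently turned into an order-free one.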