nanog mailing list archives

RE: High throughput bgp links using gentoo + stipped kernel


From: MailPlus| David Hofstee <david () mailplus nl>
Date: Tue, 21 May 2013 10:24:30 +0200

This is what we do too: Separate firewalling and routing. We use Vyatta for both and it works. Bye,

David  

-----Original message-----
From: Matt Palmer [mailto:mpalmer () hezmatt org]
Sent: Sunday, 19 May 2013 23:32
To: nanog () nanog org
Subject: Re: High throughput bgp links using gentoo + stipped kernel

On Sun, May 19, 2013 at 11:48:17AM -0400, Nick Khamis wrote:
> We do use a stateful iptables on our router, some forward rules...
> This is known to be one of our issues, not sure if having a separate
> iptables box would be the best and only solution for this?

I don't know about "only", but it'd have to come close to "best".  iptables (and stateful firewalling in general) is a pretty significant CPU and memory sink.  Definitely get rid of any stateful rules, preferably *all* the rules, and apply them at a separate location.  We've always had BGP routing separated from firewalling, but we're currently migrating from one-giant-core-firewall to lots-of-little-firewalls because our firewalls are starting to cry a little.  Nice thing is that horizontally scaling firewalls is easy -- just whack 'em on each subnet instead of running everything together.  Core routing is a little harder to scale out (although as has been described already, by no means impossible).  The important thing is to remove *anything* from your core routing boxes that doesn't *absolutely* have to be there -- and stateful firewall rules are *extremely* high on that list.

- Matt

--
When the revolution comes, they won't be able to FIND the wall.
                -- Brian Kantor, in the Monastery
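The advice in the thread is to get conntrack-based rules off the core BGP router and onto a dedicated firewall. The script below is an added example, not code from David's or Matt's messages: it audits an `iptables-save` dump for rules that invoke the connection-tracking subsystem (`-m state` or `-m conntrack`) so an operator can see what a router is tracking before deciding what to move. The sample dump, its interface names and its documentation-range addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump for
# stateful rules. Connection tracking is the CPU and memory sink the
# thread warns about, so listing these rules shows what a core router is
# carrying that a separate firewall could carry instead.

# Constructed sample, standing in for `iptables-save` output on a router:
# two conntrack-backed FORWARD rules, one stateless drop, and the BGP
# (tcp/179) accept that genuinely belongs on the router.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.0.2.0/24 -j DROP
-A INPUT -p tcp --dport 179 -s 203.0.113.1 -j ACCEPT
COMMIT'

# Rules that load the legacy "state" match or the "conntrack" match both
# pull every matching packet through the connection-tracking tables.
STATEFUL_PATTERN='^-A .*-m (state|conntrack) '

# count_rules FILE: total number of rule lines (-A ...) in the dump.
count_rules() {
    grep -E -c '^-A ' "$1" || true
}

# count_stateful_rules FILE: number of rules that invoke conntrack.
# `|| true` keeps grep's exit status 1 (no matches) from aborting callers
# that run under `set -e`; grep still prints "0" in that case.
count_stateful_rules() {
    grep -E -c "$STATEFUL_PATTERN" "$1" || true
}

# list_stateful_rules FILE: print the conntrack-backed rules verbatim so
# they can be reviewed and relocated to the firewall tier.
list_stateful_rules() {
    grep -E "$STATEFUL_PATTERN" "$1" || true
}

# Write the constructed sample to a temporary file so the functions can be
# pointed at it exactly as they would be at a real `iptables-save > dump`.
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$SAMPLE_FILE"

echo "rules total:    $(count_rules "$SAMPLE_FILE")"
echo "rules stateful: $(count_stateful_rules "$SAMPLE_FILE")"
echo "stateful rules to move off the router:"
list_stateful_rules "$SAMPLE_FILE"
```

On a live system replace the constructed file with the output of `iptables-save`; a non-zero stateful count on a box whose only job is BGP forwarding is exactly the condition the thread says to eliminate.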
