[103331] in North American Network Operators' Group
Re: 10GE router resource
daemon@ATHENA.MIT.EDU (Adrian Chadd)
Tue Mar 25 22:40:33 2008
Date: Wed, 26 Mar 2008 11:53:48 +0900
From: Adrian Chadd <adrian@creative.net.au>
To: Patrick Clochesy <patrick@chegg.com>
Cc: Adrian Chadd <adrian@creative.net.au>, nanog@nanog.org
In-Reply-To: <4116134.186351206494157370.JavaMail.root@protozoa>
Errors-To: owner-nanog@merit.edu
On Tue, Mar 25, 2008, Patrick Clochesy wrote:
> Very interesting study I had not seen, and a bummer. That really puts a cramp in my advocation of our CARP+pf load balancers/firewalls/gateways. Then again, what's a PIX box capable of?
Well, you get what you pay for. If you're willing to blow $10k on a
firewall, maybe you'll be willing to blow $10k on a *BSD developer
to work on improving forwarding performance.
It'd only take ten or so people to make donations or sponsor work
of that size for the benefits to appear.
> I also had to switch to OpenBSD as there was a fatal crash with the bridge device in FreeBSD when used with my particular OpenVPN/CARP/pf combination.
Did you log a bug? :)
> AFAIK pf/forwarding only takes place on one core and wouldn't take advantage of the other 3 cores, correct?
Uhm, it's not quite that simple. ithreads on FreeBSD at least will run on
one CPU at a time (unless you're running some hacked up Russian-driven
Intel gige driver, which runs multiple ithreads for the device to improve
performance under certain circumstances!) and these classes of cards and
busses wouldn't benefit from >1 core contending for one card/bus.
If you're running >1 card then you may find the ithreads run on different
CPUs, each doing lookups and forwarding, but I haven't sat down and looked
at that sort of forwarding performance under FreeBSD. My focus at the moment
is "tcp proxy on a stick" throughput with one interface and >1 core doing
userland processing.
Adrian