[103378] in North American Network Operators' Group


Re: 10GE router resource

daemon@ATHENA.MIT.EDU (Adrian Chadd)
Thu Mar 27 02:28:24 2008

Date: Thu, 27 Mar 2008 15:43:40 +0900
From: Adrian Chadd <adrian@creative.net.au>
To: Andrew C Burnette <acb@acb.net>
Cc: nanog@merit.edu
In-Reply-To: <47EB316A.3050106@acb.net>
Errors-To: owner-nanog@merit.edu


On Thu, Mar 27, 2008, Andrew C Burnette wrote:

> Indeed. PCI-X is already an EOL'ed interface, if only cheap PCI-X cards
> were available. Once you add extensive ACLs, there's loads more
> [central] processing to be done than just packet routing (100k choices
> versus 2 to 4 interfaces). System throughput gets slammed rather
> quickly. Linux IPtables grumbles painfully at 100k line ACLs :) Not to
> mention the options of what to do with a packet are very limited.

I agree, and the rest of the discussion is interesting, but the iptables
deployments I've seen which do massive ACLs like this almost certainly end
up having ACLs you can collapse into a small number of set-lookup-and-act
rules.

Those set-lookup-and-act rules are much faster than the linear ACL lookups
which ipfw/iptables/ipf/pf/etc do by default (and all of them support
IP sets in some form or other); I did this trick recently to reduce the CPU
overhead on an old revision 2.8ghz P4 from 99% to <10% when routing 100mbit
of average-pps TCP.
Adrian
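The collapse Adrian describes, as an added example that is not part of the thread or of any of the firewalls named in it: a flat first-match ACL is split into runs of consecutive same-action rules, each run becomes one set (modelled the way an ipset hash:net set works, one hashed lookup per distinct prefix length), and the result is rendered as ipset/iptables command lines. The ACL, the chain name and the set names are constructed for the example; the commands are produced as strings only and nothing is executed. IPv4 only.

```python
# Added example, not code from the NANOG thread: model the
# "collapse many ACL lines into a few set-lookup-and-act rules" trick
# and count how much work each evaluation strategy does.
# All addresses are constructed from RFC 5737 documentation ranges.
import ipaddress


def parse_acl(lines):
    """Parse constructed 'ACTION CIDR' lines into ordered (action, network) pairs."""
    rules = []
    for line in lines:
        action, cidr = line.split()
        rules.append((action.upper(), ipaddress.ip_network(cidr, strict=False)))
    return rules


def linear_match(rules, src):
    """First-match walk of the flat ACL; returns (action, rules_examined)."""
    addr = ipaddress.ip_address(src)
    for examined, (action, net) in enumerate(rules, 1):
        if addr in net:
            return action, examined
    return "ACCEPT", len(rules)  # assumed default policy: ACCEPT


def collapse(rules):
    """Merge each run of consecutive same-action rules into one set.

    A set is a dict prefixlen -> {network address as int}, mirroring a
    hash:net style set that does one hashed lookup per distinct prefix
    length. First-match semantics survive because a run only ever
    contains rules that would all have produced the same action, and
    runs keep their original relative order.
    """
    groups = []
    for action, net in rules:
        if not groups or groups[-1][0] != action:
            groups.append((action, {}))
        bucket = groups[-1][1].setdefault(net.prefixlen, set())
        bucket.add(int(net.network_address))
    return groups


def set_match(groups, src):
    """Evaluate the collapsed ACL; returns (action, hash_lookups_done)."""
    addr = int(ipaddress.ip_address(src))
    lookups = 0
    for action, buckets in groups:
        for plen, members in buckets.items():
            lookups += 1
            masked = addr & ((0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF)
            if masked in members:
                return action, lookups
    return "ACCEPT", lookups  # assumed default policy: ACCEPT


def to_ipset_commands(groups, chain="FORWARD"):
    """Render the collapsed ACL as ipset/iptables commands (strings only)."""
    cmds = []
    for n, (action, buckets) in enumerate(groups):
        name = f"acl{n}-{action.lower()}"  # constructed set name
        cmds.append(f"ipset create {name} hash:net")
        for plen, members in buckets.items():
            for member in sorted(members):
                cmds.append(f"ipset add {name} {ipaddress.ip_address(member)}/{plen}")
        cmds.append(f"iptables -A {chain} -m set --match-set {name} src -j {action}")
    return cmds


# Constructed sample ACL: 200 per-host DROPs, one ACCEPT, then a /24 DROP.
SAMPLE_ACL = (
    [f"DROP 203.0.113.{i}" for i in range(1, 201)]
    + ["ACCEPT 192.0.2.0/24"]
    + ["DROP 198.51.100.0/24"]
)

if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    groups = collapse(rules)
    for src in ("203.0.113.150", "192.0.2.9", "198.51.100.7", "10.1.1.1"):
        print(src, "linear:", linear_match(rules, src), "set:", set_match(groups, src))
    print(f"{len(rules)} flat rules -> {len(groups)} set-lookup rules")
    for cmd in to_ipset_commands(groups)[:3]:
        print(cmd)
```

The 202-line flat ACL becomes three set rules; an address that only matches the last rule costs 202 comparisons in the linear walk and three hashed lookups in the collapsed form, and both strategies return the same action for every input. The same grouping carries over to pf tables or ipfw tables, only the rendering step changes.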

