[163099] in North American Network Operators' Group
Re: High throughput bgp links using gentoo + stripped kernel
daemon@ATHENA.MIT.EDU (Matt Palmer)
Sun May 19 17:59:52 2013
Date: Mon, 20 May 2013 07:31:59 +1000
From: Matt Palmer <mpalmer@hezmatt.org>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <CAGWRaZaMup2nx-K3Sc6d3FZNHB7xSTPONgOHEggLJYVtDkvEPg@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Sun, May 19, 2013 at 11:48:17AM -0400, Nick Khamis wrote:
> We do use a stateful iptables on our router, some forward rules...
> This is known to be one of our issues, not sure if having a separate
> iptables box would be the best and only solution for this?
I don't know about "only", but it'd have to come close to "best". iptables
(and stateful firewalling in general) is a pretty significant CPU and memory
sink. Definitely get rid of any stateful rules, preferably *all* the rules,
and apply them at a separate location. We've always had BGP routing
separated from firewalling, but we're currently migrating from
one-giant-core-firewall to lots-of-little-firewalls because our firewalls
are starting to cry a little. Nice thing is that horizontally scaling
firewalls is easy -- just whack 'em on each subnet instead of running
everything together. Core routing is a little harder to scale out
(although as has been described already, by no means impossible). The
important thing is to remove *anything* from your core routing boxes that
doesn't *absolutely* have to be there -- and stateful firewall rules are
*extremely* high on that list.
- Matt
--
When the revolution comes, they won't be able to FIND the wall.
-- Brian Kantor, in the Monastery
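A check for the advice above, as an added example that is not from the thread: it reads an `iptables-save` dump and lists every rule that drags forwarded packets through conntrack (explicit `-m state` / `-m conntrack` matches, plus anything in the nat table, since NAT implies tracking). The sample dump is constructed for a hypothetical BGP router.

```python
"""Audit an iptables-save dump for rules that need connection tracking.
Added example, not from the NANOG thread; SAMPLE_DUMP is a constructed
iptables-save excerpt for a hypothetical BGP router, not a real config."""
import re

# Explicit conntrack lookups: "-m state ..." or "-m conntrack ...".
STATEFUL_MATCH = re.compile(r"-m\s+(state|conntrack)\b")


def find_stateful_rules(dump: str) -> list[tuple[str, str, str, str]]:
    """Return (table, chain, rule, reason) for each rule that needs conntrack.
    Flagged: a rule matching on connection state, or any rule in the nat
    table (NAT switches conntrack on for every forwarded flow, even when no
    filter rule mentions state)."""
    findings = []
    table = ""
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header: *filter, *nat, ...
            table = line[1:]
        elif line.startswith("-A "):      # an appended rule
            chain = line.split()[1]
            if STATEFUL_MATCH.search(line):
                findings.append((table, chain, line, "state match"))
            elif table == "nat":
                findings.append((table, chain, line, "nat table"))
        # ":CHAIN POLICY [p:b]", "COMMIT" and "#" comments carry no rules
    return findings


SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.1/32 -p tcp --dport 179 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A FORWARD -d 198.51.100.0/24 -p udp --dport 53 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
"""

if __name__ == "__main__":
    for table, chain, rule, reason in find_stateful_rules(SAMPLE_DUMP):
        print(f"[{table}/{chain}] {reason}: {rule}")
```

Run it against `iptables-save` output from a routing box; an empty result means no rule forces conntrack, which is the state Matt argues a core router should be in.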