[163133] in North American Network Operators' Group


RE: High throughput bgp links using gentoo + stripped kernel

daemon@ATHENA.MIT.EDU (MailPlus| David Hofstee)
Tue May 21 04:24:29 2013

From: MailPlus| David Hofstee <david@mailplus.nl>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Tue, 21 May 2013 10:24:30 +0200
In-Reply-To: <20130519213159.GY26847@hezmatt.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

This is what we do too: Separate firewalling and routing. We use Vyatta for both and it works. Bye,

David

-----Original Message-----
From: Matt Palmer [mailto:mpalmer@hezmatt.org]
Sent: Sunday, 19 May 2013 23:32
To: nanog@nanog.org
Subject: Re: High throughput bgp links using gentoo + stripped kernel

On Sun, May 19, 2013 at 11:48:17AM -0400, Nick Khamis wrote:
> We do use a stateful iptables on our router, some forward rules...
> This is known to be one of our issues, not sure if having a separate
> iptables box would be the best and only solution for this?

I don't know about "only", but it'd have to come close to "best".  iptables (and stateful firewalling in general) is a pretty significant CPU and memory sink.  Definitely get rid of any stateful rules, preferably *all* the rules, and apply them at a separate location.  We've always had BGP routing separated from firewalling, but we're currently migrating from one-giant-core-firewall to lots-of-little-firewalls because our firewalls are starting to cry a little.  Nice thing is that horizontally scaling firewalls is easy -- just whack 'em on each subnet instead of running everything together.  Core routing is a little harder to scale out (although as has been described already, by no means impossible).  The important thing is to remove *anything* from your core routing boxes that doesn't *absolutely* have to be there -- and stateful firewall rules are *extremely* high on that list.

- Matt

--
When the revolution comes, they won't be able to FIND the wall.
		-- Brian Kantor, in the Monastery
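The split Matt recommends, as an added example that is not part of the original thread or of any project mentioned in it: a Python audit of an `iptables-save` dump that flags every rule depending on connection tracking (`-m state` / `-m conntrack`) and separates the stateless rules a core router can keep from the stateful rules that belong on a separate per-subnet firewall. The ruleset, interface names and addresses below are constructed for the example.

```python
"""Audit an iptables-save dump for stateful rules (added example, not from the thread).

Stateful matches force nf_conntrack to track every flow crossing the box,
which is the CPU/memory cost the thread wants off the core BGP router.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of iptables-save output: a router that also firewalls.
SAMPLE_RULESET = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.1/32 -p tcp -m tcp --dport 179 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j DROP
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -j NOTRACK
COMMIT
"""

# Both the legacy "state" match and the newer "conntrack" match need nf_conntrack.
STATEFUL_RE = re.compile(r"-m\s+(?:state|conntrack)\b")


@dataclass(frozen=True)
class Rule:
    table: str
    chain: str
    text: str  # the original "-A ..." line, kept verbatim


def parse_rules(dump: str) -> List[Rule]:
    """Extract every -A rule from iptables-save text, tagged with its table."""
    table = None
    rules: List[Rule] = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header, e.g. "*filter"
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A ") and table:
            rules.append(Rule(table, line.split()[1], line))
    return rules


def stateful_rules(dump: str) -> List[Rule]:
    """Every rule that requires connection tracking."""
    return [r for r in parse_rules(dump) if STATEFUL_RE.search(r.text)]


def router_is_stateless(dump: str) -> bool:
    """True when no rule in the dump depends on conntrack state."""
    return not stateful_rules(dump)


def split_ruleset(dump: str) -> Tuple[List[Rule], List[Rule]]:
    """Return (rules the router may keep, rules to move to the per-subnet firewall)."""
    keep, move = [], []
    for rule in parse_rules(dump):
        (move if STATEFUL_RE.search(rule.text) else keep).append(rule)
    return keep, move


def render_ruleset(rules: List[Rule]) -> str:
    """Emit rules grouped per table in iptables-restore form, preserving order."""
    tables: Dict[str, List[str]] = {}
    for rule in rules:
        tables.setdefault(rule.table, []).append(rule.text)
    out: List[str] = []
    for table, lines in tables.items():
        out.append(f"*{table}")
        out.extend(lines)
        out.append("COMMIT")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    keep, move = split_ruleset(SAMPLE_RULESET)
    print("Stateful rules to move off the router:")
    for r in move:
        print(f"  [{r.table}/{r.chain}] {r.text}")
    print("\nStateless ruleset the router keeps:")
    print(render_ruleset(keep))
```

Run it against real output with `iptables-save | python3 audit.py` after swapping `SAMPLE_RULESET` for `sys.stdin.read()`. Stripping the rules is only half the job: as long as the nf_conntrack module is loaded, the kernel still tracks every flow through the box, so after the rules are gone check `lsmod` for `nf_conntrack` (or keep the raw-table `NOTRACK` rule shown above) to confirm the router is really not doing stateful work.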



