Date:      Mon, 01 Jun 1998 23:08:47 -0600
From:      Wes Peters <wes@softweyr.com>
To:        freebsd-net@FreeBSD.ORG
Subject:   Re: router performance
Message-ID:  <357388DF.981DDCBF@softweyr.com>

Oops, forgot the -net mailing list:

-- 
       "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                 Softweyr LLC
http://www.softweyr.com/~softweyr                      wes@softweyr.com

Message-ID: <357388A6.6E4C0B39@softweyr.com>
Date: Mon, 01 Jun 1998 23:07:50 -0600
From: Wes Peters <wes@softweyr.com>
Organization: Softweyr llc
X-Mailer: Mozilla 4.04 [en] (X11; I; FreeBSD 2.2.6-RELEASE i386)
MIME-Version: 1.0
To: Tim Tsai <tim@futuresouth.com>
Subject: Re: router performance
References: <19980531230640.52576@futuresouth.com>

Tim Tsai wrote:
> 
> Can I expect a FreeBSD-based router (say, Pentium Pro 180 with 64-128megs
> of RAM) to do the following reasonably well?
> 
> 1) Route 2-4 T1's worth of traffic (judging from the recent fastforward
> thread I don't think this is a problem)
> 2) run BGP
> 3) do *extensive* inbound packet filtering (anti-spoofing, no
> broadcasts, etc.).
> 4) talk to the rest of the LAN through an ethernet interface
> 
> Our Cisco 3640 with a Mips R4700/100MHz is choking routinely with two
> T1's during periods of DoS attacks.  It's quite capable of routing the
> traffic but the packet filtering is eating up all the CPU.  Throw in ip
> accounting (which is only needed *during* an attack) and you can forget
> about any response.

One of the nice benefits of using FreeBSD for such a system is the 
scalability.  If one single FreeBSD system doesn't cut it, you could
use 5 of them.  Put one on each T1 doing packet filtering/firewalling,
routing to ethernet.  Then use another system to route between the
4 "external" ethernets and your internet network.

Actually, you should be able to do all of the above on a single Pentium-
class system of 200 MHz or so *when NOT under attack.*  If you're looking 
at new hardware, a K6/233 (or so) should fit the bill nicely.
