Date:      Tue, 23 Sep 2014 12:36:28 +0400
From:      "Alexander V. Chernikov" <melifaro@FreeBSD.org>
To:        Adrian Chadd <adrian@freebsd.org>, Elof Ofel <elofu17@hotmail.com>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Re: How do I balance bandwidth over several virtual NICs?
Message-ID:  <5421310C.5010406@FreeBSD.org>
In-Reply-To: <CAJ-Vmo=NGGkOkPWQKZ=3gA3vYYyM2kcjd3m85ymdJY3q4ixxLw@mail.gmail.com>
References:  <DUB125-W13FDC584F5DF9881CF5FDEBCB30@phx.gbl> <CA%2BP_MZGA_uz_H_QsB%2BdgXEgbXNCjv7w-OToKby=ww%2BvKgnU4_Q@mail.gmail.com> <DUB125-W851F972702452D9809C8E5BCB30@phx.gbl> <CAJ-Vmo=NGGkOkPWQKZ=3gA3vYYyM2kcjd3m85ymdJY3q4ixxLw@mail.gmail.com>

On 22.09.2014 23:46, Adrian Chadd wrote:
> Hi,
> 
> Yes.
> 
> * grab an ixgbe NIC and the -HEAD driver; (or cxgbe - I haven't gone
> and written RSS programming code for that just yet);
> * patch it to use a symmetric RSS key;
> * configure up N queues;
> * run an instance of snort on each TX/RX ring from the NIC.
Oh, wow.
I have a low priority task to do that.
Nice to see this in stock fbsd!

> 
> The last step requires that you have snort use netmap rather than just
> straight bpf - or maybe somehow there's a way to glue bpf into a
> single netmap ring.
I wrote a snort netmap DAG once, but it does not play well w/o
symmetric rss.
I'll see if I can share it.
I
> 
> I haven't wrapped all of this up and thrown it into FreeBSD-HEAD yet,
> but I know that a symmetric RSS key works fine on 82599 hardware with
> a fixed driver.
Great, thanks!
> 
> 
> -a
> 
> 
> On 22 September 2014 12:06, Elof Ofel <elofu17@hotmail.com> wrote:
>> Hi Nikolay.
>>
>> Unfortunately no, that's not a solution.
>> mon0 could in theory be a bridge0 with four 10 GE interfaces = 40 Gbps theoretical input that needs to be distributed over multiple virtual NICs. Also, I have no control of the mirrored traffic, so it would be hard for me to build and maintain bpf filters that try to roughly balance the bandwidth load.
>>
>> Any other suggestions?
>>
>> /Elof
>>
>>> Date: Mon, 22 Sep 2014 18:45:28 +0200
>>> Subject: Re: How do I balance bandwidth over several virtual NICs?
>>> From: nike_d@cytexbg.com
>>> To: elofu17@hotmail.com
>>> CC: freebsd-net@freebsd.org
>>>
>>> On Mon, Sep 22, 2014 at 5:12 PM, Elof Ofel <elofu17@hotmail.com> wrote:
>>>> I have a single NIC, mon0, that constantly receives 800 Mbps of mirrored traffic.
>>>> I want to split these 800 Mbps into smaller chunks and feed them to a couple of virtual interfaces.
>>>> Each virtual interface can then have an instance of 'snort' inspecting its traffic.
>>>>
>>>> Say approximately 200 Mbps per interface = four interfaces.
>>>> That way, each of the four snort processes only gets 200 Mbps of data to inspect instead of having *one* single snort process (single-threaded) trying to cope with 800 Mbps.
>>>>
>>>> (the problem I'm trying to solve is utilizing all CPUs. Currently one CPU runs snort at 100% while all the other CPUs idle.)
>>>>
>>>>
>>>> The important thing though is that all packets in the connection need to be diverted to the same virtual NIC. You can't send the SYN to NIC0 and the SYN-ACK to NIC1, 'cause then neither snort-process-0 nor snort-process-1 see the other side of the connection.
>>>> The loadbalancing must be based on a hash built from at least the mac-addresses+IP-addresses.
>>>>
>>>>
>>>> So, what I think I'm looking for is a way to configure a lagg0 interface in loadbalance mode, that takes all the incoming traffic on mon0 and distributes it over four virtual member NICs. (these four NICs would then probably be configured to run in monitor mode.)
>>>>
>>>>
>>>> Does FreeBSD support what I'm looking for? How do I do it? Where should I look?
>>>>
>>>> /Elof
>>>>
>>>> _______________________________________________
>>>> freebsd-net@freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>>>
>>> Since this is below one Gig, would running separate snort processes on
>>> mon0 and using a BPF filter to split traffic work?
>>>
>>> --Nikolay
>>
> 
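Added example, not part of the thread or of any FreeBSD driver: a Toeplitz RSS hash in C showing why the symmetric key discussed above keeps both directions of a TCP connection on the same ring. The default key and the sample flow are Microsoft's published RSS verification values; the repeating 0x6d5a pattern is an assumed symmetric key, since the thread does not name one.

```c
#include <stdint.h>
#include <stdio.h>
#define RSS_KEY_LEN 40

/* Microsoft's published RSS verification key; it is not symmetric. */
static const uint8_t ms_key[RSS_KEY_LEN] = {
    0x6d,0x5a,0x56,0xda,0x25,0x5b,0x0e,0xc2,0x41,0x67,0x25,0x3d,0x43,0xa3,
    0x8f,0xb0,0xd0,0xca,0x2b,0xcb,0xae,0x7b,0x30,0xb4,0x77,0xcb,0x2d,0xa3,
    0x80,0x30,0xf2,0x0c,0x6a,0x42,0xb7,0x3b,0xbe,0xac,0x01,0xfa };

/* Assumed symmetric key: the 16-bit pattern 0x6d5a repeated 20 times. */
static void symmetric_key(uint8_t *key)
{
    for (int i = 0; i < RSS_KEY_LEN; i++) key[i] = (i & 1) ? 0x5a : 0x6d;
}

/* Toeplitz hash of len input bytes; needs len + 4 <= RSS_KEY_LEN. */
static uint32_t toeplitz(const uint8_t *key, const uint8_t *in, size_t len)
{
    uint32_t hash = 0, win = ((uint32_t)key[0] << 24) |
        ((uint32_t)key[1] << 16) | ((uint32_t)key[2] << 8) | key[3];
    for (size_t i = 0; i < len; i++)
        for (int b = 7; b >= 0; b--) {
            if ((in[i] >> b) & 1) hash ^= win;  /* XOR in the key window */
            win = (win << 1) | ((key[i + 4] >> b) & 1u);  /* slide one bit */
        }
    return hash;
}

/* RSS input for TCP/IPv4: src addr, dst addr, src port, dst port. */
static uint32_t rss_tcp4(const uint8_t *key, uint32_t sip, uint32_t dip,
                         uint16_t sport, uint16_t dport)
{
    uint32_t w[3] = { sip, dip, ((uint32_t)sport << 16) | dport };
    uint8_t in[12];
    for (int i = 0; i < 12; i++)
        in[i] = (uint8_t)(w[i / 4] >> (24 - 8 * (i % 4)));
    return toeplitz(key, in, sizeof in);
}

int main(void)
{
    uint32_t a = 0x420995bb, b = 0xa18e6450; /* 66.9.149.187, 161.142.100.80 */
    uint8_t sym[RSS_KEY_LEN];
    symmetric_key(sym);
    printf("default   fwd %08x rev %08x\n", rss_tcp4(ms_key, a, b, 2794, 1766),
           rss_tcp4(ms_key, b, a, 1766, 2794));
    printf("symmetric fwd %08x rev %08x\n", rss_tcp4(sym, a, b, 2794, 1766),
           rss_tcp4(sym, b, a, 1766, 2794));
    return 0;
}
```

The NIC selects the RX queue from the low bits of this hash through its indirection table, so equal hashes for both directions mean one snort instance sees the whole connection.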



