Date: Wed, 9 Mar 2005 00:34:13 +0100 (CET)
From: Goran Gajic <ggajic@mail.sbb.co.yu>
To: Łukasz Bromirski <lbromirski@mr0vka.eu.org>
Cc: freebsd-net@www.freebsd.org
Subject: Re: ipfilter 4.1.6 won't build on FreeBSD5.3 amd64 (fwd)
Message-ID: <Pine.BSF.4.62.0503090016030.92805@mail.sbb.co.yu>
In-Reply-To: <422E240B.7010502@mr0vka.eu.org>
References: <Pine.BSF.4.62.0503082118370.17320@mail.sbb.co.yu> <422E240B.7010502@mr0vka.eu.org>

On my NPE-G1 running just IOS 12.3(12a) cpu utilization was something like
70-90% but with IOS 12.3(11)T3 it is 20% since this one has NAT
inside CEF and yes using small portions of address for NAT pool will
reduce CPU utilization and will improve NAT on 7206. However if you
compare prices of PC hardware and Cisco hardware, decent PC hardware with
FBSD seems like a more acceptable solution to me. I was able to
bring down NPE-G1 by running a simple ping -l 1000000 through it and it
died at ~ 80k pps, while FBSD5.3 box was able to route this
without any problems.

Regards,
gg.

On Tue, 8 Mar 2005, Łukasz Bromirski wrote:

> Goran Gajic wrote:
>
>> Actually I was interested if Dual Opteron with FBSD5.3
>> can compare with Cisco7206 with NPE-G1 running only for NAT
>
> You'll need good motherboard, NICs, 1-2GB of RAM and quite capable
> CPU. Two won't help much, but sometimes the motherboards for two
> CPUs provide higher standard (separate buses for PCI, PCI-X slots
> instead of regular PCI etc.), so it may be beneficial, but YMMV.
>
>> purpose of some 7000 hosts (and sadly more than ~80k pps can easily bring it
>> down and no one can confirm that 7206 with NPE-G1 can actually process 1M
>> pps:).
>
> Yes, the 7206VXR with NPE-G1 can quite easily do 1Mpps, but the
> figures usually published are for routing. FreeBSD will also do
> this on properly configured hardware - google should return some
> useful usenet posts and discussions.
>
> 7200 is positioned as a router for ISPs, and they don't often do
> NAT - and as such, routing figures quite reliably put it in the
> 400-500kpps area (1Mpps full duplex).
>
> If Your problem lies in large NAT, either segregate the NAT process
> in few smaller chunks closer to end-users, by making few groups of
> "NAT-routers" that aggregate already NATed sessions on one main
> router, that's just routing (7200 will do just fine in that
> scenario), or buy some solution, that will do NAT in hardware.
>
> As for the 7200, if You wish, drop me an e-mail with some more
> details (running-config, exact version of IOS, modules loaded) and
> I can try to look for possible causes of poor performance. However
> please bear in mind, that NAT always requires first packet to be
> process/fast switched and some other requirements usually need to
> be met. For starters, check if You have CEF configured (`ip cef'),
> dropping all the usual Win$shit traffic (to not produce NAT
> translations for trashy traffic on the internal, ingress interface
> (via ACLs) and preferably control-plane configured - because sometimes
> DoS/semi-DoS scenarios arise from the fact, that router itself is
> slammered with packets.
>