From: Goran Gajic <ggajic@mail.sbb.co.yu>
To: Łukasz Bromirski
Cc: freebsd-net@www.freebsd.org
Date: Wed, 9 Mar 2005 00:34:13 +0100 (CET)
Subject: Re: ipfilter 4.1.6 won't build on FreeBSD5.3 amd64 (fwd)
List-Id: Networking and TCP/IP with FreeBSD

On my NPE-G1 running just IOS 12.3(12a) CPU utilization was something like
70-90%, but with IOS 12.3(11)T3 it is 20%, since this one has NAT inside
CEF, and yes, using small portions of addresses for the NAT pool will reduce
CPU utilization and will improve NAT on the 7206. However, if you compare
prices of PC hardware and Cisco hardware, decent PC hardware with FBSD seems
like a more acceptable solution to me. I was able to bring down an NPE-G1 by
running a simple ping -l 1000000 through it, and it died at ~80k pps, while a
FBSD5.3 box was able to route this without any problems.

Regards,
gg.

On Tue, 8 Mar 2005, Łukasz Bromirski wrote:

> Goran Gajic wrote:
>
>> Actually I was interested if Dual Opteron with FBSD5.3
>> can compare with Cisco7206 with NPE-G1 running only for NAT
>
> You'll need a good motherboard, NICs, 1-2GB of RAM and a quite capable
> CPU. Two won't help much, but sometimes the motherboards for two
> CPUs provide a higher standard (separate buses for PCI, PCI-X slots
> instead of regular PCI etc.), so it may be beneficial, but YMMV.
>
>> purpose of some 7000 hosts (and sadly more than ~80k pps can easily bring it
>> down and no one can confirm that 7206 with NPE-G1 can actually process 1M
>> pps:).
>
> Yes, the 7206VXR with NPE-G1 can quite easily do 1Mpps, but the
> figures usually published are for routing. FreeBSD will also do
> this on properly configured hardware - google should return some
> useful usenet posts and discussions.
>
> 7200 is positioned as a router for ISPs, and they don't often do
> NAT - and as such, routing figures quite reliably put it in the
> 400-500kpps area (1Mpps full duplex).
>
> If your problem lies in large NAT, either segregate the NAT process
> into a few smaller chunks closer to end-users, by making a few groups of
> "NAT-routers" that aggregate already NATed sessions on one main
> router, that's just routing (7200 will do just fine in that
> scenario), or buy some solution that will do NAT in hardware.
>
> As for the 7200, if you wish, drop me an e-mail with some more
> details (running-config, exact version of IOS, modules loaded) and
> I can try to look for possible causes of poor performance. However,
> please bear in mind that NAT always requires the first packet to be
> process/fast switched and some other requirements usually need to
> be met. For starters, check if you have CEF configured (`ip cef'),
> drop all the usual Win$shit traffic (to not produce NAT
> translations for trashy traffic) on the internal, ingress interface
> (via ACLs), and preferably have control-plane configured - because sometimes
> DoS/semi-DoS scenarios arise from the fact that the router itself is
> slammered with packets.
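The three checks Łukasz lists at the end of his reply (CEF on, an ingress ACL so junk never creates NAT translations, and control-plane policing so a flood aimed at the router itself cannot starve the process-switched path) can be written up as one IOS configuration fragment. This is an added example, not configuration from anyone in the thread; the interface name, the 10.0.0.0/8 inside range, the ACL/class-map/policy-map names, the list of "noise" ports and the policing rates are all assumptions for illustration and must be adapted to the real network.

```cisco
! Added example, not from the thread. Interface, address range, ACL/class/
! policy names, port list and police rates are illustrative assumptions.
!
! 1. CEF switching. NAT is only fast/CEF switched after the first packet of
!    a flow when CEF is enabled; without it every packet hits the CPU.
ip cef
!
! 2. Ingress ACL on the inside (pre-NAT) interface. Dropping the usual
!    Windows file-sharing / worm noise here means it never becomes a NAT
!    translation entry. Assumed port list: 135-139, 445, 1433/1434.
ip access-list extended INSIDE-IN
 deny   tcp any any range 135 139
 deny   udp any any range 135 139
 deny   tcp any any eq 445
 deny   udp any any eq 445
 deny   tcp any any eq 1433
 deny   udp any any eq 1434
 permit ip 10.0.0.0 0.255.255.255 any
 deny   ip any any
!
interface GigabitEthernet0/1
 description inside, pre-NAT (assumed interface)
 ip address 10.0.0.1 255.0.0.0
 ip access-group INSIDE-IN in
 ip nat inside
!
! 3. Control-plane policing. Packets addressed to the router itself are
!    process switched; rate-limit them so a flood at the box does not take
!    the forwarding path down with it.
ip access-list extended COPP-MGMT
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 permit udp 10.0.0.0 0.255.255.255 any eq snmp
ip access-list extended COPP-ICMP
 permit icmp any any
!
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP
!
policy-map COPP
 class COPP-MGMT
  police 256000 8000 conform-action transmit exceed-action drop
 class COPP-ICMP
  police 64000 8000 conform-action transmit exceed-action drop
 class class-default
  police 32000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

To confirm the pieces are actually in effect, `show ip cef` should list prefixes rather than report that CEF is disabled, `show ip access-lists INSIDE-IN` shows per-entry hit counts for the dropped noise, and `show policy-map control-plane` shows conformed versus exceeded counters per class; a class-default exceeded counter that climbs during the symptoms described in the thread is the sign that the router itself, not the NAT path, is being flooded.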