[Ntop-misc] High End QoS

Henderson, Dennis K. Dennis.Henderson at umb.com
Thu Oct 27 18:04:44 CEST 2005 

I would like to know what settings you are using to get that level of
performance.

With PF_RING, snort with healthy production ruleset, conversation,
portscan2 and oracle support, we can only muster around 200 meg before
we start losing packets.


Thanks


Dennis 

> -----Original Message-----
> From: ntop-misc-bounces at listgateway.unipi.it 
> [mailto:ntop-misc-bounces at listgateway.unipi.it] On Behalf Of 
> Brad Doctor
> Sent: Thursday, October 27, 2005 10:55 AM
> To: ntop-misc at listgateway.unipi.it
> Subject: Re: [Ntop-misc] High End QoS
> 
> First, I don't have much experience with QoS - this is to 
> comment on the hardware and bridge.
> 
> For hardware I would stay away from Intel at the moment.  We 
> have two systems presently that are dual Opteron, Dual-core systems:
> 
> Dual Core AMD Opteron(tm) Processor 275
> 2199.995 Mhz
> L2 1024 KB
> 
> NIC: SysKonnect SK-9E22 (dual-port gig, PCI Express)
> 
> Using Ixia to test throughput, the box can L2 bridge 980Mbps 
> all day long and you would never know it was doing it.  
> Adding additional endpoints gets us to 1900Mbps bridging - 
> again, no perceptible load on the system.  Ixia reports 
> average latency of .081 at 980 and .1xx at the 1900 level.  
> MTU doesn't matter for the bridging part -- but MTU of 9000 
> for PF_RING is required for the below statement..
> 
> Using Snort, PF_RING can monitor 1600-1800Mbps, with no 
> packet loss, for the record :) And I have numbers to prove it!
> 
> As for bridge stability and 2.6 kernel - my company has been 
> shipping this solution since about this time last year with 
> no problems at all.  Deployed units number very high and no 
> field issues whatsoever.
> 
> -brad
> 
> >   Hi all,
> > 
> >   I write to this list as its full of networwing / QoS experts.
> > 
> >   A client asked if it was possible to replace a very expensive QoS 
> > appliance with a Linux box to make QoS and NetFlow on a big network.
> > Sustained traffic is around 400Mbps and they need around 
> 1000 QoS classes.
> > 
> >   Some thoughts on this:
> > 
> >   1) Of course we will purchase the fastest box we can find around, 
> > dual xeon and such.
> > 
> >   2) As the system runs as a bridge we are kind of scared 
> to use 2.6 
> > kernel as it seems quite unstable in that mode.
> > 
> >   3) Instead of using standard QoS classification (linear) we were 
> > thinking about using clasiffy target in the firewall and 
> use some more 
> > complex tree. That way, we still have all those classes but are not 
> > read linearly but some logic is applied in the tree.
> > 
> >   4) As this box ideally would include a netflow probe 
> (nprobe 4), we 
> > were thinking about using pf_ring kernel patch. Any 
> experience in the 
> > list using this patch with a system that is both a probe 
> and QoS? Of 
> > course, we would like to purchase ncap for this :)
> > 
> >   5) We were thinking about using hipac, but we dont know if it 
> > supports clasiffy target, do you know if it does?
> > 
> >   Any ideas will be REALLY appreciated.
> > 
> >   Thanks in advance. Regards.
> > 
> > --
> > Jaime Nebrera - jnebrera at eneotecnologia.com Consultor TI - ENEO 
> > Tecnologia SL
> > Telf.- 619 04 55 18
> > 
> > _______________________________________________
> > Ntop-misc mailing list
> > Ntop-misc at listgateway.unipi.it
> > http://listgateway.unipi.it/mailman/listinfo/ntop-misc
> > 
> 
> --
> Brad Doctor, CISSP
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc at listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>

More information about the Ntop-misc mailing list