ipfilter 4.1.6 won't build on FreeBSD5.3 amd64 (fwd)

Goran Gajic ggajic at mail.sbb.co.yu
Tue Mar 8 15:34:19 PST 2005



On my NPE-G1 running just IOS 12.3(12a) CPU utilization was something
like 70-90%, but with IOS 12.3(11)T3 it is 20%, since this one has NAT
inside CEF. And yes, using small portions of address space for the NAT pool will
reduce CPU utilization and will improve NAT on the 7206. However, if you
compare prices of PC hardware and Cisco hardware, decent PC hardware with
FBSD seems like a more acceptable solution to me. I was able to
bring down the NPE-G1 by running a simple ping -l 1000000 through it, and it
died at ~80k pps, while the FBSD 5.3 box was able to route this
without any problems.

Regards,
gg.


On Tue, 8 Mar 2005, Łukasz Bromirski wrote:

> Goran Gajic wrote:
>
>> Actually I was interested if Dual Opteron with FBSD5.3
>> can compare with Cisco7206 with NPE-G1 running only for NAT
>
> You'll need a good motherboard, NICs, 1-2GB of RAM and a quite capable
> CPU. Two won't help much, but sometimes the motherboards for two
> CPUs provide a higher standard (separate buses for PCI, PCI-X slots
> instead of regular PCI etc.), so it may be beneficial, but YMMV.
>
>> purpose of some 7000 hosts (and sadly more than ~80k pps can easily bring it
>> down, and no one can confirm that a 7206 with NPE-G1 can actually process 1M
>> pps :)).
>
> Yes, the 7206VXR with NPE-G1 can quite easily do 1Mpps, but the
> figures usually published are for routing. FreeBSD will also do
> this on properly configured hardware - google should return some
> useful usenet posts and discussions.
>
> 7200 is positioned as a router for ISPs, and they don't often do
> NAT - and as such, routing figures quite reliably put it in the
> 400-500kpps area (1Mpps full duplex).
>
> If Your problem lies in large NAT, either segregate the NAT process
> into a few smaller chunks closer to end-users, by making a few groups of
> "NAT-routers" that aggregate already NATed sessions on one main
> router (that's just routing, and a 7200 will do just fine in that
> scenario), or buy some solution that will do NAT in hardware.
>
> As for the 7200, if You wish, drop me an e-mail with some more
> details (running-config, exact version of IOS, modules loaded) and
> I can try to look for possible causes of poor performance. However,
> please bear in mind that NAT always requires the first packet to be
> process/fast switched, and some other requirements usually need to
> be met. For starters, check if You have CEF configured (`ip cef'),
> drop all the usual Win$shit traffic on the internal, ingress interface
> (via ACLs) so as not to produce NAT translations for trashy traffic,
> and preferably have control-plane configured - because sometimes
> DoS/semi-DoS scenarios arise from the fact that the router itself is
> slammed with packets.
>
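Added example, not from this thread or either poster: an IOS 12.3-style configuration skeleton that puts together the three checks the reply above suggests (CEF enabled, an ingress ACL on the inside interface that stops noisy traffic before it can create NAT translations, and a control-plane policy so a flood aimed at the router itself cannot starve forwarding), plus the small NAT pool the first message mentions. Interface names, addresses, ACL numbers, the ports taken to be the "usual Windows traffic" (NetBIOS/SMB) and the policing rate are all assumptions.

```text
! Added example (not the thread's own config). All names, addresses,
! ACL numbers and rates below are assumptions for illustration.
!
! 1. CEF must be on, or every NAT packet is process/fast switched.
ip cef
!
! 2. Ingress ACL on the inside interface: drop NetBIOS/SMB chatter
!    (assumed to be the "usual Windows traffic") before NAT sees it,
!    so no translation entries are created for it.
ip access-list extended INSIDE-IN
 deny   tcp any any range 135 139
 deny   udp any any range 135 139
 deny   tcp any any eq 445
 deny   udp any any eq 445
 permit ip 10.0.0.0 0.255.255.255 any
!
interface GigabitEthernet0/1
 description inside (assumed)
 ip address 10.0.0.1 255.255.255.0
 ip access-group INSIDE-IN in
 ip nat inside
!
interface GigabitEthernet0/2
 description outside (assumed)
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
!
! Small overloaded NAT pool (four addresses): a small pool keeps the
! translation table cheap, as noted in the first message.
ip nat pool OUTSIDE-POOL 192.0.2.10 192.0.2.13 netmask 255.255.255.0
access-list 1 permit 10.0.0.0 0.255.255.255
ip nat inside source list 1 pool OUTSIDE-POOL overload
!
! 3. Control-plane policing: rate-limit packets addressed to the router
!    itself. A single catch-all class is shown for brevity; in practice
!    routing-protocol and management traffic get their own, more generous
!    classes ahead of this one so the policer cannot drop them.
access-list 199 permit ip any any
class-map match-all COPP-DEFAULT
 match access-group 199
policy-map COPP
 class COPP-DEFAULT
  police 512000 8000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP
```

After applying something like this, `show ip cef` confirms CEF is active, `show ip nat statistics` shows whether the translation count stays bounded, and `show policy-map control-plane` shows how much traffic the policer is actually dropping, which is the quickest way to tell whether the CPU load is coming from forwarding or from packets aimed at the router.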

