From owner-freebsd-questions  Wed Oct  9  4:46:19 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 16DE837B401
	for <questions@freebsd.org>; Wed,  9 Oct 2002 04:46:18 -0700 (PDT)
Received: from vision.tigerteam.net (vision.tigerteam.net [207.179.211.98])
	by mx1.FreeBSD.org (Postfix) with SMTP id 75FFB43E3B
	for <questions@freebsd.org>; Wed,  9 Oct 2002 04:46:17 -0700 (PDT)
	(envelope-from andy@tigerteam.net)
Received: (qmail 32477 invoked for bounce); 9 Oct 2002 12:41:35 -0000
Received: from unknown (HELO vision.tigerteam.net) (207.179.211.98)
  by vision.tigerteam.net with SMTP; 9 Oct 2002 12:41:35 -0000
Date: Wed, 9 Oct 2002 07:41:35 -0500 (CDT)
From: Andy Walden <andy@tigerteam.net>
To: Christopher Smith <csmith@its.uq.edu.au>
Cc: questions@freebsd.org
Subject: Re: High interrupt load on firewalls
In-Reply-To: <B9C9E292.30E56%csmith@its.uq.edu.au>
Message-ID: <Pine.LNX.4.44.0210090737270.31059-100000@vision.tigerteam.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG


On Wed, 9 Oct 2002, Christopher Smith wrote:

> We have two firewalls sitting on gigabit links.  Each has 2 Netgear GA620
> (ti driver) fibre cards with about 7 vlans spread across them.  Both these
> machines run at *very* high interrupt loads (95 - 100% during business hours
> (mostly 100%), 80 - 90 % during off hours).  They are 1GHz P3 machines (Dell
> 1550s) with 256MB of RAM.  They're actually dual machines, but enabling the
> second CPU doesn't help in terms of load, it just halves the numbers top
> reports.

> What hardware are other people using to firewall high-volume gigabit
> links ?

Sometime you need to get the right tool for the job. When the CPU is
processing every packet, the CPU will always be a bottleneck. To solve
this problem people starting putting the logic in hardware and creating
ASICs, which are only limited by the speed of the wire. I believe
Netscreen puts their firewall functionalty in ASICs and supports Gig
interfaces.

andy

--
PGP Key Available at http://www.tigerteam.net/andy/pgp


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message