* Re: [LARTC] Q: best solution to stop traffic to huge amount of  unregisteredhosts
@ 2002-08-23  0:02 Gerry Creager N5JXS
From: Gerry Creager N5JXS @ 2002-08-23  0:02 UTC (permalink / raw)
  To: lartc

Karl Gaissmaier wrote:
> Gerry Creager N5JXS schrieb:
> 
>>The answers are not necessarily pretty.
>>
>>I've done a similar task with a Juniper M5 router.  It will handle up to
>>about 180,000 rules at wire speed.  But it is expensive.
>>
>>If your switches were a little newer, we could use 802.1x to enable the
>>switch-use capability flag (:-) and solve the problem.
> 
> 
> you know, 10k hosts are never attached to a network with homogenous
> new network devices :-(

Unfortunately, I do.  We have 50k hosts, more or less, on 2 class B 
address spaces.  We have about 200 buildings, and I'm not sure how many 
wiring closet switches.  And worse, yet, how many wiring closet hubs!

Our (switched) dorm hosts are about 10k.

So, I understand the issues.  The comment about newer gear, and 802.1x, 
however, stands.  This will provide some capability to handle registered 
hosts in the future, perhaps... but I remain skeptical.

>>Instead of policing at a single edge point, you might consider policing
>>at dormitory and building edges, where the load is smaller and you can
>>use masking and diminish the ruleset some more.
> 
> 
> but the management is very difficult, see above

Correct, but you have several management issues.  One is unnecessary 
delays while filtering, marking and queuing.  Another is device 
configuration.  I've found little existing useful software for real-life 
multiple device (and heterogeneous device) management.  And none I'm 
willing to pay for.  I _do_ have a team of graduate students who are 
working on a heterogeneous-environment configuration tool, but it's not 
nearly ready for prime time.

>>With a sufficiently fast box, or series of boxes, doing specific tasks,
>>you should be able to do this.  Folks like Juniper achieve it by being
>>able to classify and mark in ASIC without having to go to the processor.
> 
> 
> Netfilter and iproute2/tc is very good but I miss just a fast
> matching module for a "pool" of ip addresses and the missing tc-cref
> or better documented tc examples, especially dealing with general
> ingress policing.

We have experimented with a Juniper M5, as a shaping and filtering box 
for specific applications.  It worked well in the tests, but is an 
expensive toy for this.  You might consider a Sitara box for some of 
your work.

I prefer the Linux approach, too, but there are times where scalability, 
due to the state of the art (and certainly not for want of advancement 
in the state of the art!) means a commercial solution.  What HAS 
happened, though, is that my expectations for the commercial products 
are now higher than they were... and the salesmen are somewhat worried.

Regards,
Gerry

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

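The "fast matching module for a pool of ip addresses" that Karl asks for in the quoted message has a direct equivalent in netfilter's set objects. The shell script below is an added example, not code from the thread or from any LARTC author: it generates an nftables ruleset in which two forward rules consult a hashed set of registered hosts, so the rule count stays at two whether 10k or 50k hosts are registered. The campus prefixes (documentation ranges), the one-address-per-line host file, and the table and set names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): build an nftables ruleset that
# drops forwarded traffic to or from campus addresses that are NOT in a set
# of registered hosts. A set match is a hash lookup, so the number of rules
# does not grow with the number of registered hosts.
#
# Assumptions (hypothetical, chosen for this example):
#   - campus prefixes 192.0.2.0/24 and 198.51.100.0/24 (documentation ranges)
#   - registered hosts are listed in a text file, one IPv4 address per line,
#     with '#' comments allowed
#   - the ruleset is loaded with `nft -f` on the Linux box forwarding traffic

CAMPUS_PREFIXES="192.0.2.0/24, 198.51.100.0/24"

# Print the registered addresses from a host file: strip comments, blanks
# and duplicates, and reject anything that is not a dotted quad so a typo
# cannot turn into a malformed ruleset.
registered_hosts() {
    sed 's/#.*//' "$1" \
        | tr -d ' \t' \
        | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
        | sort -u
}

# Emit a complete ruleset for `nft -f`. With an empty host file the set is
# still created (every campus address is then treated as unregistered).
build_ruleset() {
    hosts=$(registered_hosts "$1" | paste -sd, - | sed 's/,/, /g')
    if [ -n "$hosts" ]; then
        elements="        elements = { $hosts }"
    else
        elements=""
    fi
    cat <<EOF
flush ruleset
table inet campus {
    set registered {
        type ipv4_addr
        flags interval
$elements
    }
    set campus {
        type ipv4_addr
        flags interval
        elements = { $CAMPUS_PREFIXES }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # campus addresses that are not registered are dropped and counted
        ip saddr @campus ip saddr != @registered counter drop
        ip daddr @campus ip daddr != @registered counter drop
    }
}
EOF
}

# Syntax-check the generated ruleset without loading it, if nft is installed.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        build_ruleset "$1" | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}
```

Usage: `build_ruleset registered.txt > campus.nft && nft -f campus.nft`. Re-running the generator after the registration database changes replaces the set atomically, and the `counter` on each drop rule gives a cheap view of how much unregistered traffic is being refused per direction.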

* Re: [LARTC] Q: best solution to stop traffic to huge amount of  unregisteredhosts
@ 2002-08-25 18:44 ` Pedro Larroy
From: Pedro Larroy @ 2002-08-25 18:44 UTC (permalink / raw)
  To: lartc

On Thu, Aug 22, 2002 at 07:02:26PM -0500, Gerry Creager N5JXS wrote:
> 
> Our (switched) dorm hosts are about 10k.

How do you deal with ip theft?

> 
> Regards,
> Gerry

Regards.

-- 
 ... ___________________________________________________________ ...
|   /|                                                         |\   | 
|  /-| Pedro Larroy Tovar. PiotR | http://omega.resa.es/piotr  |-\  |
| /--|            No MS-Office attachments please.             |--\ |
o-|--|              e-mail: piotr@omega.resa.es                |--|-o 
|  \-|    finger piotr@omega.resa.es for public key and info   |-/  | 
|...\|_________________________________________________________|/...| 