cpu needed to NAT 45mbs

I do the networking in my house, and hang out with guys that do networking in small offices that have a few T1s. Now I am talking to people about a DS3 connection for 500 laptops*, and I am being told "a P4 Linux box with 2 NICs doing NAT will not be able to handle the load." I am not really qualified to say one way or the other. I bet someone here is.

* for wifi, going to be using this system:
http://wavonline.com/vendorpages/extricom.htm
March 13-17 (testing a week or 2 before) for PyCon in Chicago.
If anyone wants to see it in action, etc. drop me a line.

Carl K

From my experience, a fast P4 linux box with 2 good NICs can NAT 45Mbps easily. I am NAT/PATing >4,000 desktops with extensive access control lists and no speed issues. This isn't over a 45Mb T3--this is over 100 Mb Ethernet.

--Patrick Darden
--ARMC, Internetworking Manager

Darden, Patrick S. wrote:

From my experience, a fast P4 linux box with 2 good NICs can NAT
45Mbps easily. I am NAT/PATing >4,000 desktops with extensive access
control lists and no speed issues. This isn't over a 45Mb T3--this
is over 100 Mb Ethernet.

NAT processing requirement thresholds are all about *flows* per second, not *bytes* per second. Once you have a cached flow, it's trivial. The overhead of statefully tracking flows, setup, teardown, timeouts, housecleaning, etc., are the limiting factors.

If you want to stress-test it, you should benchmark it with SQL Slammer :slight_smile:

Jeff
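As an added illustration of Jeff's point (this is not code from the thread or from any product mentioned in it): a toy Python model of a stateful NAT table. A packet on a cached flow costs one dictionary lookup, while every new flow costs port allocation and later teardown on timeout. Pushing a constructed "normal" workload (few long-lived sessions, many packets each) and a constructed worm-style workload (every UDP packet to a different destination, the Slammer pattern the thread mentions) through the same table shows why flow setups per second, not bytes per second, are what the box has to survive. All addresses, port ranges and traffic shapes below are made up for the example; the per-source new-flow counter at the end is the kind of check an operator would watch to spot a host exhausting the table.

```python
"""Toy stateful NAT table: cached flows are cheap, new flows are not.

Added example; constructed addresses and traffic, not a real conntrack dump.
"""
from collections import Counter
import random


class NatTable:
    def __init__(self, public_ip, port_range=(1024, 65535), idle_timeout=30.0):
        self.public_ip = public_ip
        self.ports = list(range(*port_range))   # free list of public ports
        self.idle_timeout = idle_timeout
        self.flows = {}          # 5-tuple -> (public_port, last_seen)
        self.in_use = {}         # public_port -> 5-tuple (reverse map for replies)
        self.stats = Counter()
        self.setups_by_src = Counter()   # new flows created per inside host

    def forward(self, pkt, now):
        """Translate one outbound packet; returns (public_ip, public_port) or None."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        self.stats["packets"] += 1
        entry = self.flows.get(key)
        if entry is not None:
            # Fast path: cached flow, O(1) lookup plus a timestamp refresh.
            self.flows[key] = (entry[0], now)
            self.stats["cached_hits"] += 1
            return self.public_ip, entry[0]
        # Slow path: new flow, allocate a public port and build both mappings.
        if not self.ports:
            self.stats["table_full_drops"] += 1   # port/flow table exhausted
            return None
        port = self.ports.pop()
        self.flows[key] = (port, now)
        self.in_use[port] = key
        self.stats["flow_setups"] += 1
        self.setups_by_src[pkt["src"]] += 1
        return self.public_ip, port

    def expire(self, now):
        """Housekeeping pass: tear down idle flows and return their ports."""
        dead = [k for k, (_, last) in self.flows.items()
                if now - last > self.idle_timeout]
        for k in dead:
            port, _ = self.flows.pop(k)
            del self.in_use[port]
            self.ports.append(port)
        self.stats["flow_teardowns"] += len(dead)
        return len(dead)


def normal_traffic(n_hosts=50, pkts_per_flow=40, seed=1):
    """Constructed sample: each inside host keeps two long-lived TCP sessions."""
    rng = random.Random(seed)
    pkts = []
    for h in range(n_hosts):
        src = f"10.0.0.{h + 1}"
        for sport in (40000, 40001):
            dst = f"198.51.100.{rng.randint(1, 20)}"
            pkts.extend({"proto": "tcp", "src": src, "sport": sport,
                         "dst": dst, "dport": 443} for _ in range(pkts_per_flow))
    return pkts


def scan_traffic(n_pkts=4000):
    """Constructed sample: one host, one UDP packet per distinct destination."""
    return [{"proto": "udp", "src": "10.0.0.99", "sport": 1434,
             "dst": f"203.{(i >> 8) & 255}.{i & 255}.1", "dport": 1434}
            for i in range(n_pkts)]


def run(pkts, table=None, pps=1000.0):
    """Push packets through the table at a fixed rate, then sweep idle flows."""
    table = table or NatTable("192.0.2.1")
    for i, pkt in enumerate(pkts):
        table.forward(pkt, now=i / pps)
    table.expire(now=len(pkts) / pps + 60.0)
    return table


def noisy_sources(table, max_new_flows):
    """Inside hosts that created more new flows than the threshold (detection view)."""
    return sorted((src, n) for src, n in table.setups_by_src.items()
                  if n > max_new_flows)


if __name__ == "__main__":
    for name, pkts in (("normal", normal_traffic()), ("scan", scan_traffic())):
        t = run(pkts)
        print(name, dict(t.stats), noisy_sources(t, 100))
```

Both runs carry the same 4000 packets, but the first creates 100 flows and the second creates 4000; the scan run also shows up immediately in the per-source new-flow count, which is the metric to alarm on before the table fills and the `table_full_drops` counter starts climbing.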

How about just looking at what a production MSSP would roll out for a
similar situation.. a Nokia IP530-class box (I think it's an IP580
these days) with Checkpoint as the 'firewall'... Certainly (poke fbsd
fanboys) a fbsd box of similar config can perform as well, yes? :slight_smile:

I recall the ip530 being an intel P3-ish system
(http://www.google.com/search?hl=en&q=nokia+ip530&btnG=Google+Search)
I think we selected these at a past job because it could handle 2 quad
FE cards and a DS3 card...

From my experience, a fast P4 linux box with 2 good NICs can NAT
45Mbps easily. I am NAT/PATing >4,000 desktops with extensive
access control lists and no speed issues. This isn't over a 45Mb
T3--this is over 100 Mb Ethernet.

--Patrick Darden
--ARMC, Internetworking Manager

  A second CPU or core will help tremendously. We used to use single-CPU
boxes for this and we noticed that traffic sometimes stalls when the machine
has to do some task other than NATting, such as expiring idle flows. Having
a second CPU or core will help keep latency much more uniform.

  We have a few dual 3.2GHz Xeon boxes (not the ones based on Core, the older
ones) that NAT/FW across two GE interfaces. They do quite well up to about
300Mb/s, then we start to see issues. We believe the issues are due to
overloading the NB-SB link. A more modern mobo probably wouldn't have this
problem.

  DS

  A second CPU or core will help tremendously. We used to use single-CPU
boxes for this and we noticed that traffic sometimes stalls when the machine
has to do some task other than NATting, such as expiring idle flows. Having
a second CPU or core will help keep latency much more uniform.

  We have a few dual 3.2GHz Xeon boxes (not the ones based on Core, the older
ones) that NAT/FW across two GE interfaces. They do quite well up to about
300Mb/s, then we start to see issues. We believe the issues are due to
overloading the NB-SB link. A more modern mobo probably wouldn't have this
problem.

Since we are talking about PC routers... 300Mb/s is a limitation we've seen before... especially related to interrupts overwhelming the system. Modern Ethernet cards (non-interrupt based) and a modern OS with support for all of their offloading and zero-copy functions will improve this greatly.

Current FreeBSD is significantly faster than current Linux implementations for this kind of work.

But (as I told the OP privately) 45Mb/s is a joke and doesn't really need anything more than a 400MHz P-II with two Intel EtherExpress cards and 1GB of RAM. Even for 4,000 downstream connections. A few $200-$300 L3 switches can do this just as well.

Deepak Jain
AiNET


I'm able to get 45Mb/s through a P3-800 with a four-port NIC running NAT and
simple content filtering with SmoothWall Advanced Firewall 2 easily. Have a
box doing that right now.

Speaking of all that, does someone have a "conference wireless" BCP
handy? The sort that starts off with "don't deploy $50 unbranded
Taiwanese / Linksys etc routers that fall over and die at more than 5
associations, place them so you don't get RF interference all over the
place etc" before going on to more FAQs like what to do so worms don't
run riot?

Comes in handy for that, as well as for public wifi access points.

srs

Everyone I speak to says something along the lines of

"Why would I put that sort of stuff up? I want people to pay me for
that kind of clue."

There are slides covering basic stuff and observations out there.

(I'm going through a wireless deployment at an ISP conference next week;
I'll draft up some notes on the nanog cluepon site.)

Adrian

The important thing to remember is that when you exceed 20 to 30
wireless users in a small area, you're now dealing with an 'Enterprise'
deployment. Lots of whitepapers exist on this subject. Design your
layer 2 stuff correctly, and use L3 gear that is up to the task. If
you're trying to use Linksys wireless routers to handle 400 users, you
may as well try to invade a foreign country with lawn darts and a squirt
gun.

Chuck

Adrian Chadd wrote:

Speaking of all that, does someone have a "conference wireless" BCP
handy? The sort that starts off with "don't deploy $50 unbranded
Taiwanese / Linksys etc routers that fall over and die at more than 5
associations, place them so you don't get RF interference all over the
place etc" before going on to more FAQs like what to do so worms don't
run riot?

Comes in handy for that, as well as for public wifi access points.

Everyone I speak to says something along the lines of

"Why would I put that sort of stuff up? I want people to pay me for
that kind of clue."

I did a presentation a couple of years ago at nanog on high-density
conference style wireless deployments. It's in the proceedings from
Scottsdale. Fundamentally the game hasn't changed that much since then:

Newer hardware is a bit more robust.

Centralized AP controllers are beguiling but have to be deployed with
high availability in mind because putting all your eggs in a smaller
number of baskets carries some risk...

If you can, deploy A to draw off some users from 2.4GHz.

Design to keep the number of users per radio at 50 or less in the worst
case.

Instrument everything...

I would have to disagree with your point on centralized AP controllers --
almost all the vendors have some form of high availability, and Trapeze's
offering, new (and may not yet be G.A.) purports to be almost entirely
seamless in its load sharing and failover support.

Now that dual-band radios in laptops are becoming more prevalent, it's
possible to get 30 to 50% of your user population using 802.11a.

Frank

Frank Bulk wrote:

I would have to disagree with your point on centralized AP controllers

you can do so when you have deployed successfully in meeting rooms of
2000 people. joel has.

randy

Frank Bulk wrote:

I would have to disagree with your point on centralized AP controllers --
almost all the vendors have some form of high availability, and Trapeze's
offering, new (and may not yet be G.A.) purports to be almost entirely
seamless in its load sharing and failover support.

I have a few scars to show from deploying centralized AP controllers,
from several vendors including the one that you mention above. Hence my
observation that they must be deployed in an HA setup in that sort of
environment...

When you lose a fat AP, unless cascading failure ensues you just lost one
AP... When your AP controller with 80 radios attached goes boom, you
are dead. So, as I said, if you're going to use a central AP controller
for an environment like this you need to avail yourself of its HA features.

Thank you for all the advice - it was nice to see 20 replies that all basically agreed (and with me too.) If only the 6 people involved in this project were such.

On Wifi for 1000:

I have tried to make sure everyone involved in this PyCon Wifi project has read http://www.nanog.org/mtg-0302/ppt/joel.pdf - too bad some have read it and don't get it. I think it will be OK, because someone else wrote up the plan, which is basically to use http://wavonline.com/vendorpages/extricom.htm

If anyone would like to see it in action, I am sure something can be arranged. (You are welcome to come look at it, but I would think you would want to actually peek under the hood and see some stuff in real time, etc.) March 13-16 in Chicago.

Carl K

Joel Jaeggli wrote:

If you're going with Extricom you don't need to worry about channel planning
beyond adding more "channel blankets".

Frank

frnkblk@iname.com (Frank Bulk) wrote:

If you're going with Extricom you don't need to worry about channel planning
beyond adding more "channel blankets".

Is that based on marketing, theory (based on the whitepapers and patent
descriptions) or practical experience?

Elmar.

Elmar:

Marketing and theory -- I haven't had a chance to test it myself.

BTW, I'm not regurgitating Extricom's marketing rhetoric when I say you
don't need to worry about channel planning -- their product is designed with
that specifically in mind. The technical benefits and caveats of this
single-channel architecture, and the possible concerns that a network
planner might have around the requirement to have L1 connectivity from
Extricom's APs to their switch, are better discussed in another forum.

Frank

* frnkblk@iname.com (Frank Bulk) [Tue 13 Nov 2007, 14:24 CET]:

If you're going with Extricom you don't need to worry about channel planning beyond adding more "channel blankets".

I understand Foundry's wireless products do the same thing. Seems to work OK, but I have not heard about larger test cases than a hundred or so clients.

* carl@personnelware.com (Carl Karsten) [Tue 13 Nov 2007, 05:56 CET]:

On Wifi for 1000:

[..]

In the context of that, you may wish to peruse the proceedings of the last few CCC Congresses in Berlin, which had pretty much working wireless - even with thousands of attendees:

(They're still looking for a sponsor of wireless equipment for this year's edition, by the way)

Regards,

  -- Niels.

Foundry OEMs from Meru, which also uses a single-channel approach. It does
not have an L1 requirement.

Frank