Gerry Creager N5JXS wrote:
>
> The answers are not necessarily pretty.
>
> I've done a similar task with a Juniper M5 router. It will handle up to
> about 180,000 rules at wire speed. But it is expensive.
>
> If your switches were a little newer, we could use 802.1x to enable the
> switch-use capability flag (:-) and solve the problem.

You know, 10k hosts are never attached to a network with homogeneous new
network devices :-(

>
> Instead of policing at a single edge point, you might consider policing
> at dormitory and building edges, where the load is smaller and you can
> use masking and diminish the ruleset some more.

But the management is very difficult, see above.

>
> With a sufficiently fast box, or series of boxes, doing specific tasks,
> you should be able to do this. Folks like Juniper achieve it by being
> able to classify and mark in ASIC without having to go to the processor.

Netfilter and iproute2/tc are very good, but I miss just a fast matching
module for a "pool" of IP addresses and the missing tc-cref, or better
documented tc examples, especially dealing with general ingress policing.

Best regards
Charly

-- 
Karl Gaissmaier
Computing Center, University of Ulm, Germany
Email: karl.gaissmaier@rz.uni-ulm.de
Network Administration

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
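Since the post closes on the lack of documented tc examples for general ingress policing, here is an added example (editor's code, not from Charly, Gerry or the LARTC HOWTO) of the plain iproute2/tc way to police a pool of source prefixes on ingress: an ingress qdisc on the interface plus one u32 filter with a policer per prefix. The interface name, rate, burst, the example prefixes and the DRY_RUN helper are all assumptions for the illustration. Note that this is exactly the linear, one-filter-per-prefix ruleset the post is unhappy with; it is shown because it is what stock tc offers for this job, and with DRY_RUN=1 it only prints the commands, so the logic can be inspected without root or a real interface.

```shell
#!/bin/sh
# Added example: ingress policing of a pool of source prefixes with tc.
# Not code from the original post. IFACE, RATE, BURST and the prefixes
# passed to ingress_police_pool are assumed values for the illustration.
#
# DRY_RUN=1 prints each tc command instead of running it, so the ruleset
# can be reviewed (or tested) without CAP_NET_ADMIN or a real device.

IFACE="${IFACE:-eth0}"
RATE="${RATE:-2mbit}"     # per-prefix policing rate (assumed)
BURST="${BURST:-20k}"     # per-prefix token bucket size (assumed)

# run: execute the given command, or just echo it under DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ingress_police_pool IFACE PREFIX [PREFIX...]
# Installs the ingress qdisc on IFACE and one u32 filter per prefix that
# matches on the IP source address and attaches a policer. Each prefix gets
# its own token bucket, so one busy subnet cannot consume another's budget.
# Filters get distinct priorities so they stay in insertion order.
ingress_police_pool() {
    _iface="$1"; shift
    # Start from a clean slate; deleting a missing qdisc is not an error here.
    run tc qdisc del dev "$_iface" ingress 2>/dev/null || true
    run tc qdisc add dev "$_iface" handle ffff: ingress
    _prio=1
    for _net in "$@"; do
        run tc filter add dev "$_iface" parent ffff: protocol ip prio "$_prio" \
            u32 match ip src "$_net" \
            police rate "$RATE" burst "$BURST" drop flowid :1
        _prio=$((_prio + 1))
    done
}

# Only apply rules when invoked explicitly, e.g.:  sh police.sh apply
if [ "${1:-}" = "apply" ]; then
    ingress_police_pool "$IFACE" 10.0.0.0/24 10.0.1.0/24 10.0.2.0/24
fi
```

Run with `DRY_RUN=1 sh police.sh apply` first and check the emitted filters; then run without DRY_RUN as root. Each prefix costs one u32 filter evaluated in sequence on every ingress packet, which is fine for a handful of buildings or dormitories but is the linear ruleset the post complains about for a campus-sized pool; for that you would want u32 hash tables or a set-matching module rather than this flat list.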