Advice on TC/Iptables Configurations

Linux Advanced Routing and Traffic Control

Hi Everyone,

First post to the list - hope I have hit the right list for all of the
questions below!

I have several queries over the "front end" infrastructure of a vast data
center infrastructure we are planning, connecting 20ish services to the BGP
Routed infrastructure being provided by our datacenter provider. There are
around 10-30 thousand end users of these services, and I have 100M total
bandwidth across the two connections (I can weight the traffic down them as
I choose).

The setup looks a little like this:

  (Dual I/Net Connections)
  ( on BGP Routed Network)
           |    |
           |    |
   --------------------
   |                  |
 -----------      -----------  
 |Fw/Shpr 1|      |Fw/Shpr 2|
 -----------      -----------
    |                 |
    -------------------
              |
     --------------------
     |Core Switches, etc|
     --------------------
      |      |         |
    [Lots of Connections]
    [ to lots of servers]

I am essentially provided with two RJ45 Plugs on the end of two Cat5 Gig
Cables, and around 50 IP Addresses for all of my services. In the diagram
above, the two connections are represented at the top, and the Core
infrastructure and services at the bottom. I need the ability to traffic
shape, firewall, and have redundancy; the plan being to do this on the 2
boxes marked Fw/Shpr 1 and 2 respectively, which will be running Linux (with
an Internal and External Gig interface each).

So, the questions:

1) Is it best to NAT in this scenario, or bridge and use the public IPs
internally, or 'route' them (by having the BGP Routers point the relevant
routes at FWs), in terms of performance?
2) Is it best to run an active/passive or active/active scenario with the
front end firewalls (bearing in mind I could use something like Linux HA)?
3) Would it be worth, performance wise, splitting out the firewall function
from the tc function (i.e. Add a further two boxes between the core and front
end firewalls for traffic shaping)? Is this going to give me a huge
performance gain?
4) In your opinion, will two run-of-the-mill average rack servers be able to
keep up with around 2000-3000 connections and about 100-200M throughput,
whilst using iptables and Traffic Control (assuming a lot of iptables NAT,
around 100 rules, and a few htb configs)?
5) If I start sending outbound traffic to multiple default gateways, will I
have a huge performance hit if I use the 'random packet distribution'
function of iptables? What's the best way to distribute traffic to two
default gateways?
6) What's the best way, if I were to use an active/active scenario on the
firewalls, to handle outbound traffic (bearing in mind I would need to sync
the bandwidth usage for the shapers somehow)?
7) Is there any easy way to use some sort of 'virtual ip' as a default
gateway, for the internal servers, to allow the outbound packets to be
distributed between the two firewalls in a load-balanced manner?

8) Lastly - Am I crazy to do this (bearing in mind the throughput and no. of
end users) with Linux rather than dedicated hardware firewalls and packet
shapers?!

Thanks for any replies in advance - apologies for the long message!

Kind Regards

Dan


_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
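As an added example (not from the post above or its replies), one way to lay out the pieces the questions ask about on a single Fw/Shpr box: an HTB tree under the 100M total with one class per service, 1:1 NAT per public IP, and a weighted multipath default route across the two upstream gateways in place of an iptables random-distribution rule. Interface name, gateway and service addresses, and per-service rates are assumptions; DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the per-service
# HTB shaping, 1:1 NAT and weighted multipath default route the questions
# above ask about. Interface names, addresses and rates are assumptions.
# DRY_RUN=1 (default) prints the commands instead of executing them, so the
# script runs without root or real interfaces; set DRY_RUN=0 on the shaper.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

EXT_IF=eth0                       # assumed external interface (toward BGP routers)
GW1=192.0.2.1; GW2=198.51.100.1   # assumed (documentation-range) upstream gateways
TOTAL=100mbit                     # total bandwidth stated in the post

# Weighted multipath default route: the kernel balances outbound flows over
# both gateways by weight, so no iptables random-distribution rule is needed.
multipath_default_route() {
    run ip route replace default scope global \
        nexthop via "$GW1" dev "$EXT_IF" weight "$1" \
        nexthop via "$GW2" dev "$EXT_IF" weight "$2"
}

# HTB root on the external interface (shapes traffic leaving toward the
# internet); 1:1 carries the 100M total, 1:999 catches unclassified traffic.
htb_root() {
    run tc qdisc replace dev "$EXT_IF" root handle 1: htb default 999
    run tc class replace dev "$EXT_IF" parent 1: classid 1:1 htb rate "$TOTAL" ceil "$TOTAL"
    run tc class replace dev "$EXT_IF" parent 1:1 classid 1:999 htb rate 1mbit ceil "$TOTAL"
}
# htb_service MINOR RATE PUBLIC_IP: guaranteed RATE for one service, may
# borrow up to the full link; SFQ under the class shares it fairly per flow.
htb_service() {
    run tc class replace dev "$EXT_IF" parent 1:1 classid "1:$1" htb rate "$2" ceil "$TOTAL"
    run tc qdisc replace dev "$EXT_IF" parent "1:$1" handle "$1:" sfq perturb 10
    run tc filter add dev "$EXT_IF" protocol ip parent 1: prio 1 u32 match ip src "$3/32" flowid "1:$1"
}
# nat_service PUBLIC_IP INTERNAL_IP: 1:1 NAT so the service keeps a private
# address while its public IP stays visible to the shaper's u32 filter.
nat_service() {
    run iptables -t nat -A PREROUTING -d "$1" -j DNAT --to-destination "$2"
    run iptables -t nat -A POSTROUTING -s "$2" -j SNAT --to-source "$1"
}

# Sample layout (constructed): two services, equal weight on both uplinks.
configure_sample() {
    multipath_default_route 1 1
    htb_root
    nat_service 203.0.113.10 10.0.0.10; htb_service 10 20mbit 203.0.113.10
    nat_service 203.0.113.11 10.0.0.11; htb_service 11 30mbit 203.0.113.11
}
configure_sample
```

Shaping on the external interface only governs traffic heading out to the internet; traffic arriving from the internet is shaped on the internal interface's egress with the same class layout.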
