[plug] Packets per second
Leon Brooks
leonb at bounce.networx.net.au
Tue Dec 7 11:00:23 WST 1999
"Shackleton, Kevin" wrote:
> I have just read up an EdWA internal document about setting up a router at a
> local school. This is an NT machine that is supposed to keep the admin and
> students (called the "curriculum" LAN) apart. Being an NT router, it only
> does simple filtering based on TCP and UDP ports.
> The document says a preferred option is to use a Cisco 2-port router, which
> is faster and doesn't load up the NT machine, which is also the admin
> server. Their best option is to use a firewall router but they say this is
> much too expensive for typical schools.
> It all sounds like they don't understand the detail in their options, so
> they go for the simple solution or a proprietary solution.
> Does anyone in this sort of working area know what sort of
> packets-per-second are processed by an NT router, a Cisco router and (say) a
> P400 running Linux and ipchains?
The PPS for NT depends on whether it's in Microsoft's proprietary
"unbreakable security mode" (crashed) or not. (-:
You'd have to have a pretty tangled set of IPChains rules and/or a
server that was otherwise very busy to do less than completely bog a
100Mb ethernet with a P400 under Linux. I have had transfer rates in
excess of 8 megabytes (not bits) per second sustained *through*FTP*
between Linux boxes on a 100Mb network, one end of which went through
about 20 IPChains rules each way (and was running Apache, Squid, BIND
etc at the time).
If you are allowed to use Linux as the router, I strongly recommend
putting the students on a separate IPMasq'ed subnet from the staff, and
if it is practical, add more cards to the Linux box and divide up the
students between as many physically and logically separate subnets as
you can. You can run the Linux box headless and have one card per PCI
slot. I recommend the Tulip compatible flavours, *avoid* cheapies like
the RealTek 8139 for potentially performance-critical applications like
this.
Students have *lots* of time on their hands. Run everything chrooted,
throw away telnet and install OpenSSH, make free use of chattr +i and
restrictive mounts (ro, nosuid, noexec, nodev), switch off any service
not actually necessary.
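The "restrictive mounts (ro, nosuid, noexec, nodev)" advice above is easy to state and easy to get subtly wrong on a box with several filesystems. The following POSIX sh script is an added example, not part of Leon's post: it reads a /proc/mounts-style table and reports any mountpoint that lacks the options you expect it to have. The mount table below is constructed for the example, and the function names (`has_opt`, `audit_mount`) are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit mount options on a
# student-facing Linux router/server, flagging mounts that lack the
# restrictive options the post recommends (ro, nosuid, noexec, nodev).
# Input is /proc/mounts style: "device mountpoint fstype options dump pass".

# Constructed sample table for the example, not real data.
SAMPLE_MOUNTS='/dev/hda1 / ext2 rw 0 0
/dev/hda5 /home ext2 rw,nosuid,nodev 0 0
/dev/hda6 /usr ext2 ro,nodev 0 0
/dev/hda7 /tmp ext2 rw,nosuid,noexec,nodev 0 0
proc /proc proc rw 0 0'

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
# Wrapping both sides in commas avoids matching "nodev" inside "nodevfoo".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mount MOUNTPOINT WANTED...: reads mount-table lines on stdin and
# prints "mountpoint: missing opt1 opt2" when MOUNTPOINT lacks any WANTED
# option; prints nothing when every wanted option is present.
audit_mount() {
    mp=$1; shift
    while read -r dev point fstype opts rest; do
        [ "$point" = "$mp" ] || continue
        missing=""
        for want in "$@"; do
            has_opt "$opts" "$want" || missing="$missing $want"
        done
        [ -z "$missing" ] || echo "$point: missing$missing"
    done
}

# Stand-alone demo: user-writable areas should carry nosuid,noexec,nodev;
# /usr should be read-only and nodev. On a live box, replace SAMPLE_MOUNTS
# with the output of "cat /proc/mounts".
for mp in /home /tmp; do
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_mount "$mp" nosuid noexec nodev
done
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mount /usr ro nodev
```

Run against the constructed table it reports only `/home: missing noexec`; /tmp and /usr pass. Checking the table rather than eyeballing `mount` output makes it practical to re-run after every reboot or fstab change, which is the point when students have "lots of time on their hands".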