Hi,
Here's one for the networking gurus on this list :-)
At work we are intending to use a Linux machine running snort as an IDS (much cheaper than the Cisco alternative) with two gigabit NICs.
We have been doing some throughput tests, and are not convinced this will work. These tests were done without installing snort.
Our test setup is as follows:-
  -----------      ----------      -----------
  - Windows -      - Linux  -      - Windows -
  - 2003 srv-------          -------2003 srv -
  -----------      ----------      -----------
  10.128.30.2   eth0 10.128.30.1   10.128.32.2
                eth1 10.128.32.1
All machines have gigabit NICs, and are connected via a Foundry gigabit switch. The Linux machine we used was an HP Proliant 3.0 GHz Dual Xeon with twin onboard Broadcom NICs using the tigon driver. We had the Linux machine configured as a basic router. The Linux machine was running Knoppix, booted into text-only mode, with NICs manually configured (i.e. only bash and the kernel running, and no iptables). We were doing the tests using netperf. We had applied the tweaks to the NICs from this site:
http://www.enterpriseitplanet.com/networking/features/article.php/3497796
When we put the two Windows machines onto the same subnet, the "Network Utilisation" graph in Task Manager showed we were running at 85-90% util. When we had the Linux machine acting as a router between the two machines, this dropped to 35% util. Admittedly this probably isn't the best method.
Using netperf between the Windows and Linux machines again gave 85-90% util. This was with both Windows machines sending data to both NICs of the Linux machine at the same time.
We can't understand how the throughput can more than halve when sending between the two Windows machines via the Linux machine. This system is going to go on a very busy network, so speed is essential.
We had tried the above test with a DELL single processor Xeon with onboard Intel and PCI Realtek gig-nics, and got very similar results. All tests were done with Knoppix 3.9 (2.6.11 kernel). On the production system we'll probably be using Redhat Enterprise.
Anyone got any ideas? Are we missing something in the config?
Many Thanks
Chris