Firewall Wizards mailing list archives
Re: Traffic Management
From: "Firewall Team" <firewall () lightspeedsystems com>
Date: Thu, 15 Feb 2001 18:57:42 -0800
Upgrading to cascading gigabit fabrics is great for the interior of your network. More bandwidth is always better, right? However, that won't solve "congestion of our internet pipe" problems. Getting the data to the gateway isn't the problem here. The problem is that you have more interior bandwidth than gateway bandwidth.

At some point you have to say, I want http to receive 80% of the available bandwidth to the server farm. An even better solution is one that allows specific other protocols that are important to your organization to have any of that 80% that is unused and all other protocols can fight over the other 20%.

A slightly more detailed example might be: smtp = 40%, http = 40%. Once you have this, you can then say, http gets anything that smtp is not using, smtp gets anything that http is not using. Everything else always fights over the 20% + anything not used by smtp or http.

There have been several solutions mentioned so far that can do these types of packet shaping/prioritizing/class based queuing. The Lightspeed product also is available as software only that you can install on any old PIII 300MHz box you have lying around, and is free to try for 30 days.

Firewall Team
www.lightspeedsystems.com

----- Original Message -----
From: "Swift Griggs" <ssgriggs () usa net>
To: <firewall-wizards () fraggle nfr net>
Sent: Wednesday, February 14, 2001 6:39 PM
Subject: Re: [fw-wiz] Traffic Management

On Fri, 9 Feb 2001 bparis () sorrentolactalis com wrote:

-=> Recently we've been experiencing "congestion" of our internet
-=>pipe. We've tried restricting various things like Napster, Gnutella
-=>and the like with varying degrees of success, but as more and more
-=>users come onto our LAN/WAN we've noticed our performance
-=>decreasing. Rather than manage this at our firewall (with many many
-=>rules), I'd like to know how you manage your traffic. What do you
-=>use?

I'd recommend upgrading your network first and foremost. Cascading switches on gigabit fabrics or very high speed backplanes tend to be the best solution to layer 2 congestion. This may seem like a "brute force" solution, but it's usually the most appropriate. Barring that you can also use VLANs to segment bursty or broadcast prone segments (like tons of winbl^H^Hdows clients broadcasting and holding SMB elections). Segmenting server farms behind clustering devices is a definite to-do as well.

If you want to track down and eliminate activities which are not business related (i.e. Quake, streaming porn, icecast), then look into a decent sniffer or check out a NIDS box that can do TCP (and limited UDP) session killing like Sessionwall, Dragon, ISS RealSecure, NetProwler, Cisco IDS, or SNORT which can kill these services when it detects them. This gives you an added benefit of being able to log the perpetrators and thus tap them on the shoulder to knock it off. Once the word gets out that segments are being "watched" and people are actively getting nasty-grams, you'll probably see less unnecessary traffic.

My experience is that it's pretty tough to control. Hardware upgrades for the network need to keep up with the demands of the users. That's not to say that people should be given free rein to take over the network with obnoxious and wasteful activities.

SWiFT GRiGGS | NiC SG1991 | PGP D38E3D91 | SSGRiGGS () USA NET
Non Illegitemus Carborundum.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

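The sharing policy described in the reply above (smtp 40%, http 40%, everything else 20%, with unused bandwidth lent out), worked through as an added example. This is not code from the post or from any product named in it; the function name, the integer kbit/s units, and the even split when both priority classes want more are assumptions.

```python
# Added illustration: class names and percentages come from the post,
# everything else (names, units, tie-breaking rule) is assumed.
SHARES = {"smtp": 40, "http": 40, "other": 20}   # percent of the gateway link
PRIORITY = ("smtp", "http")                      # classes that borrow first


def allocate(link_kbps, demand_kbps):
    """Return the kbit/s granted to each class for one scheduling interval.

    link_kbps and all demands are integers (kbit/s).
    """
    # Pass 1: every class gets its demand, capped at its guaranteed share.
    grant = {c: min(demand_kbps.get(c, 0), link_kbps * pct // 100)
             for c, pct in SHARES.items()}
    spare = link_kbps - sum(grant.values())

    # Pass 2: smtp and http borrow unused bandwidth before anyone else.
    # If both still want more, the spare is split evenly (assumed rule).
    hungry = [c for c in PRIORITY if demand_kbps.get(c, 0) > grant[c]]
    while spare > 0 and hungry:
        portion = max(spare // len(hungry), 1)
        for c in list(hungry):
            extra = min(portion, demand_kbps[c] - grant[c], spare)
            grant[c] += extra
            spare -= extra
            if grant[c] == demand_kbps[c]:
                hungry.remove(c)

    # Pass 3: everything else fights over whatever is still unused.
    unmet = max(demand_kbps.get("other", 0) - grant["other"], 0)
    grant["other"] += min(spare, unmet)
    return grant


if __name__ == "__main__":
    # Constructed demands on a 1000 kbit/s gateway link.
    for demand in ({"smtp": 100, "http": 900, "other": 500},
                   {"smtp": 100, "http": 500, "other": 900},
                   {"smtp": 1000, "http": 1000, "other": 1000}):
        print(demand, "->", allocate(1000, demand))
```
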
Current thread:
- Traffic Management bparis (Feb 11)
- RE: Traffic Management Steven Osman (Feb 12)
- Re: Traffic Management Rama Kant (Feb 12)
- Re: Traffic Management Firewall Team (Feb 13)
- Re: Traffic Management Swift Griggs (Feb 15)
- Re: Traffic Management Firewall Team (Feb 16)
- Re: Traffic Management Ng Pheng Siong (Feb 16)
- <Possible follow-ups>
- Re: Traffic Management Alex Goldney (Feb 12)
- RE: Traffic Management Safier, Adam (GEIO) (Feb 13)
- RE: Traffic Management Paul Heber (Feb 14)
