
Re: performance NAT versus DR ?

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: performance NAT versus DR ?
From: Joseph Mack <mack.joseph@xxxxxxx>
Date: Mon, 29 Jan 2001 08:42:26 -0500
Alois Treindl wrote:
> 
> On Mon, 29 Jan 2001, Joseph Mack wrote:
> 
> > When I compared DR (using Julian's martian patch, which allowed the director
> > to be the default gw for the real-servers) and NAT, at the same packet
> > throughput, the load average was 5 on the NAT director and the keyboard
> > and mouse weren't responding anymore, while the DR director had low load
> > average (<0.1 I think) and the mouse and keyboard responded just fine.
> > I assume
> > the rewriting of packets in NAT is the main load on the director. The same
> > CPU can push the VS-DR packets through without any apparent effort.
> 
> Do I understand this correctly?
> 
> The director was in both cases in a two-NIC configuration, so it
> would also have to pass the return packets from the internal NIC to
> the external NIC, even in DR mode?

yes

> I am surprised that there should be a big load difference, whether those
> packets are re-written or just passed.

I didn't know enough to make a prediction. I made up hand waving
explanations after the fact but I don't know if they're correct.
 
> Also, if I use the director as a firewall with ipchains and packet
> filters, will it not anyway have to inspect each outgoing packet header,
> independent whether it runs a NAT or DR configuration? Is there a reason
> why I should see much difference in load levels then?

I understand that smart (and expensive) ethernet cards on non-linux
systems can inspect the source and destination of a packet and forward
the packet without reading the rest of the packet and without
intervention of the CPU. There appears to be kernel code in linux
(I think called "fast copy") that works with tulip cards that sounds
a bit like this. However the cheap NICs I have are not supposed to be
able to do any of this.

I found that high packet throughput on VS-DR director with Julian's
martian modification put little load on the director and that VS-NAT
did. I explain it by saying that the rewriting of the packet causes
the load, but I don't really know. I expect that routing tables
derived from rules using only the source/dest addresses will also
not load the CPU much.

I don't know why though.

Joe 

-- 
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA

