Re: [LARTC] How many (htb) tc classes and qdiscs are too many?
Spencer wrote:
> We have a Linux box that is acting as the gateway to the internet for
> about 400 people; typically there are not more than 50 of them using the
> internet at any given time. We would like to provide different levels of
> access to different users, for example 128kbps to some users and 256kbps
> to others. We have considered creating a class and qdisc for each user
> (using htb), however we don't know how much overhead creating 50-200
> classes and qdiscs would involve. Would this put too much strain on the
> Linux box? Is it better to create fewer classes and qdiscs and assign
> multiple users to each? I haven't been able to find any test on the
> maximum effective number of qdiscs, but it could be I have just been
> looking in the wrong place. If anyone has any ideas or could point me in
> the right direction it would be greatly appreciated.

I have a P4 3.0 GHz, 1 GB RAM.
I have 3500 potential users (top load about 800 users, average 400).
I have 3 interfaces (2 WAN + 1 LAN), so I have 10500 queues total (3500 on each interface).
The traffic is 24 Mbit max, average 20 Mbit.

Without u32 hashing my box ran at 60-70% CPU utilization. After applying hashing the box is running with 25% top utilization, average 15%.

The two things you must remember when running a box for many users:
* use iptables chains. I prefer chains of 30-40 entries.
* use u32 hashing. This will greatly improve CPU utilization. About 500-1000% in my case.

Szymon Miotk
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
[LARTC] how can I monitor a (dumb) switch ?
Hello there,

Can anyone help me with a problem I have?

I have an ethernet LAN, made over dumb fast-ethernet switches (10/100 Mbit) without management, so there is no IP for the switches. What I want, if possible, is to find out if a switch is down or not.

It's like with routers... if you want to find out if a router is OK, either you send ICMP directly to the router, or to a host behind the router.

Is there any device, or ANY OTHER possibility, that I can find out if a switch is unplugged or broken? Users on my LAN aren't reliable (they have firewalls, closed computers, etc.), so pinging users that are linked to a switch to find out is out of the question.

I have got an idea: if I take an ethernet card, and somehow manage to put power in it, then I would have a device with a MAC address to arping... is this correct?

MANY thanks in advance, and SORRY for being a bit off topic.

Best regards,
Radu.
--
Radu Cugut
mobile: +40 742 045686
web: http://rcugut.has.it
Re: [LARTC] how can I monitor a (dumb) switch ?
Hi, Radu

You simply cannot monitor a switch that is incapable of monitoring. It is as easy as that.

Nevertheless, you can fake the monitoring part by arping to the users connected directly to that switch. Arping, because it is a layer 2 app, goes beyond (or better yet, beneath) any firewall. If a firewall blocks broadcast ARP requests, then it will render the machine network-less, so no firewall does that.

So, grab your linux box, and start arping!

P.S. Read the thread on MAC and IP changing, I feel like we are in rather the same position...

> Hello there,
> Can anyone help me with a problem I have?
> I have an ethernet LAN, made over dumb fast-ethernet switches (10/100 Mbit) without management, so there is no IP for the switches. What I want, if possible, is to find out if a switch is down or not.
> [...]
> I have got an idea: if I take an ethernet card, and somehow manage to put power in it, then I would have a device with a MAC address to arping... is this correct?
> MANY thanks in advance, and SORRY for being a bit off topic.
> Best regards,
> Radu.
Re: [LARTC] How many (htb) tc classes and qdiscs are too many?
Hello

I have 4000 users and I use hfsc for shaping them. Each class has its own qdisc (esfq).

tc -s -d qdisc show dev vlan0891 | grep qdisc | wc -l
4355
tc -s -d qdisc show dev eth2 | grep qdisc | wc -l
4355

I use hashing filters.

System is:
P4 3.2GHz (HT enabled)
2GB RAM
2x Intel gigabit (NAPI enabled)

Machine load is:
12:57:06 up 11:24, 2 users, load average: 0.00, 0.05, 0.06

mpstat -P ALL 1 (output)
Linux 2.6.12-rc5-git6 (natjawman) 06/03/05

12:57:24  CPU   %user  %nice  %system  %iowait  %irq  %soft  %idle   intr/s
12:57:25  all   12.00   0.00    30.50     0.00  0.50  14.50  42.50  4990.00
12:57:25    0   12.00   0.00    32.00     0.00  1.00  13.00  42.00  3390.00
12:57:25    1   12.00   0.00    29.00     0.00  0.00  16.00  42.00  1603.00

12:57:25  CPU   %user  %nice  %system  %iowait  %irq  %soft  %idle   intr/s
12:57:26  all   11.50   0.00    30.50     0.00  0.50  16.50  41.00  4970.00
12:57:26    0   12.00   0.00    29.00     0.00  0.00  17.00  42.00  3302.00
12:57:26    1   11.00   0.00    33.00     0.00  1.00  16.00  41.00  1666.00

12:57:26  CPU   %user  %nice  %system  %iowait  %irq  %soft  %idle   intr/s
12:57:27  all   12.94   0.00    29.85     0.00  0.50  14.43  42.29  4998.02
12:57:27    0   12.87   0.00    30.69     0.00  0.99  14.85  40.59  3324.75
12:57:27    1   13.86   0.00    28.71     0.00  0.00  13.86  42.57  1674.26

12:57:27  CPU   %user  %nice  %system  %iowait  %irq  %soft  %idle   intr/s
12:57:28  all   11.50   0.00    29.00     0.00  0.50  19.00  40.00  4912.87
12:57:28    0   11.88   0.00    31.68     0.00  0.99  15.84  39.60  3304.95
12:57:28    1   10.89   0.00    25.74     0.00  0.00  21.78  40.59  1608.91

Peak bw is 32Mbit/s
Average bw 25Mbit/s

Machine is also doing SNAT to all clients:
iptables -L -n -v -t nat | grep SNAT | wc -l
4465

Some example script which I use for hashing filters is in the attachment.
Best Regards
Paweł Staszewski
ART-COM
+48327522333
+480609183038
[EMAIL PROTECTED]

> Message: 1
> Date: Thu, 02 Jun 2005 06:34:14 -0500
> From: /dev/rob0 [EMAIL PROTECTED]
> Subject: Re: [LARTC] how to configure linux in production line
> To: LARTC@mailman.ds9a.nl
>
> Gonn Star wrote:
>> I am new in the linux world, basically I'm using red hat 9 kernel 2.4.20-8. I need to build a trusted gateway. my
>
> Whoa! You are starting out with something very old and bug-ridden. You should scrap that and switch to a current release, whatever distro you may choose. Quite a few of those old bugs can bite very hard, including root compromises. Being new, did you know how to update for security?
>
> Sure, there's Fedora Legacy which may or may not be supporting the old stuff with updates, but that is intended for people who have long-running stable servers... not to entice new users to RH 9.
>
>> linux box will be the gateway for several machine PCs to go to the desired server. There will be several subnets under the linux box, I've already assigned static IPs for the PCs. Now my problem is I only need 2 PCs from each subnet to connect to certain servers, and those 2 PCs can only have transactions (open) to the specified servers, for others it will drop (firewalled). For other PCs, they can't log on to the outside world. Should I use only iptables rules or with the help of squid (ACL) as well?
>
> You do not seem to understand that HTTP is just one of many TCP/IP protocols, and yet you want to set up complex networking controls. Anyone who knows more than you do would likely find it a trivial task to get around your controls.
>
>> please add up
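Both Szymon's advice (use u32 hashing) and Paweł's hashing-filter script (its attachment is not part of this page) rely on a u32 hash table so that the kernel jumps straight to one user's filter instead of testing thousands in turn. The following is an added example, not either poster's script; the interface, subnet, rates and user list are assumptions, and it only prints the tc commands for review.

```shell
#!/bin/sh
# Added example (not the script from either post): print the tc commands for
# per-user HTB classes reached through a 256-bucket u32 hash table keyed on the
# last octet of the destination IP.  DEV, SUBNET, the rates and the user list
# at the bottom are assumptions/constructed.  Nothing is applied: review the
# output, then pipe it to sh on the gateway.
DEV=${DEV:-eth1}               # LAN-facing interface (assumed)
SUBNET=${SUBNET:-192.168.0}    # first three octets of the users' /24 (assumed)

# u32 bucket ids and class ids are hexadecimal: host 123 lands in bucket 7b.
hash_bucket() { printf '%x' "${1##*.}"; }

# Root qdisc, a parent class bounding the link, a catch-all leaf and the hash
# table.  The root filter folds the dst IP's last byte (offset 16 in the IP
# header) into a bucket of table 2: instead of walking every per-user filter.
emit_root() {
    echo "tc qdisc add dev $DEV root handle 1: htb default 2"
    echo "tc class add dev $DEV parent 1: classid 1:1 htb rate 24mbit ceil 24mbit"
    echo "tc class add dev $DEV parent 1:1 classid 1:2 htb rate 64kbit ceil 1mbit"
    echo "tc filter add dev $DEV parent 1:0 prio 5 handle 2: protocol ip u32 divisor 256"
    echo "tc filter add dev $DEV parent 1:0 prio 5 protocol ip u32 ht 800:: match ip dst $SUBNET.0/24 hashkey mask 0x000000ff at 16 link 2:"
}

# One class, one leaf qdisc and one filter per user; the filter is placed in
# the bucket the hash will select for that address.  $1 = host octet, $2 = rate.
emit_user() {
    ip="$SUBNET.$1"
    id=$(printf '%x' $(( $1 + 256 )))   # 1:101 .. 1:1fe, clear of 1:1 and 1:2
    echo "tc class add dev $DEV parent 1:1 classid 1:$id htb rate $2 ceil $2"
    echo "tc qdisc add dev $DEV parent 1:$id handle $id: sfq perturb 10"
    echo "tc filter add dev $DEV parent 1:0 prio 5 protocol ip u32 ht 2:$(hash_bucket "$ip"): match ip dst $ip flowid 1:$id"
}

# Constructed user list: "host-octet rate", one user per line.
USERS="5 128kbit
123 256kbit
200 128kbit"

emit_all() {
    emit_root
    echo "$USERS" | while read -r host rate; do emit_user "$host" "$rate"; done
}

emit_all
```

With 3500 users the same pattern needs a two-level hash (first on the third octet, then on the fourth), which is what keeps the per-packet filter walk short on Szymon's box.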
Re: [LARTC] How many (htb) tc classes and qdiscs are too many?
Konrad wrote:
> We have an error talking to the kernel
> loops: 684
> filters: 4788
> classes: 2052
> What's wrong? I need more filters :/
> I have 2.6.11.11 kernel with new iproute2, u32 match mark support and IMQ (AB)...
> Everyone can make theoretically 0x (65535) classes and qdiscs on one device. And I think this is true, but I can't add more filters than 4775! :(
>
> ---
> v=1; cnt=0;
> tc qdisc add dev imq0 root handle 1:0 htb
> while : [ $v -le 11000 ]; do

Loops for ever with the colon after while for me.

> qu0=`printf %x\n $v`
> qu1=`printf %x\n $v`

So qu0 = qu1 which makes

> tc filter add dev imq0 protocol ip parent 1:$qu0 pref 5 u32 match ip dst 192.168.0.5 flowid 1:$qu1

illogical.

Andy.
Re: [LARTC] how can I monitor a (dumb) switch ?
On Fri, Jun 03, 2005 at 11:24:13AM +0300, Radu CUGUT wrote:
> Hello there,
> Can anyone help me with a problem I have?
> I have an ethernet LAN, made over dumb fast-ethernet switches (10/100 Mbit) without management, so there is no IP for the switches. What I want, if possible, is to find out if a switch is down or not.

:-) ((never tried, didn't think even a little, but...))

Plug two more cards into your linux box, connect them both to the switch, make them interfaces of one bridge inside your linux box and bring up STP over there. I guess the bridge should detect a loop quickly and block one port. Then you'll be able to monitor the bridge's state.

Uh? Sorry if I'm wrong!-)

It's possible quite now...

> Best regards,
> Radu.

--
Dmytro O. Redchuk
Re: [LARTC] how can I monitor a (dumb) switch ?
Dmytro O. Redchuk [EMAIL PROTECTED] wrote:
> On Fri, Jun 03, 2005 at 11:24:13AM +0300, Radu CUGUT wrote:
>> I have an ethernet LAN, made over dumb fast-ethernet switches (10/100 Mbit) without management, so there is no IP for the switches. What I want, if possible, is to find out if a switch is down or not.
> [...]
> Plug two more cards into your linux box, connect them both to the switch, make them interfaces of one bridge inside your linux box and bring up STP over there. I guess the bridge should detect a loop quickly and block one port. Then you'll be able to monitor the bridge's state.

I suspect that the bonding driver would also do what you're looking for. Docs can be found at:

http://sourceforge.net/projects/bonding

It can either monitor the link state, or issue ARP probes (as somebody else suggested) to check connectivity to a peer on the local network. Judging from my experience with managed switches, I suspect that the bonding driver (in active-backup mode, for example) would detect link failure faster than STP.

-J

---
-Jay Vosburgh, IBM Linux Technology Center, [EMAIL PROTECTED]
Re: [LARTC] How many (htb) tc classes and qdiscs are too many?
I found the thing which causes this problem.

tc filter add dev imq1 protocol ip parent 2:0 pref 4 u32 match ip src ... match ip dst ... flowid 2:$q

If parent is 2:0 then I can make many filters. But if I use 2:x (other class, x is different than the root number) I'll have only a limited number of filters.

You must set PRIO (= PREF)!...

Will someone write a patch? ;P It is a very important problem! Filters in classes work better... (this is my opinion) when you have 5000 filters grouped in classes... (Or any volunteer to teach me how to write patches :P)
[LARTC] Re: LARTC Digest, Vol 4, Issue 9
Daniel Lopes wrote:
> Ping a client you surely know should be connected to the switch. ARP will take the part to find out the hardware address so the packet can be delivered. If the switch is on it should find a hardware address and ARP should put it in your ARP cache. It's independent from ICMP blocks and similar. So after trying to ping you should have an entry in your ARP table which you can control with the arp command.

It seems that I didn't make myself quite clear...

I want to know if there is a way to find out if a switch is working OK or not. If there is something like a small device that I plug into the switch, and then if that device reports in OK, then I know the switch is working.

Like on a router... if you want to know if a router is doing its job, then you send an ICMP echo request to a host on the other side of the router.

ME - ROUTER - testing host

Well, I want the same thing but on an inferior layer, on a switch.

ME - SWITCH - testing device

I want to know if there can be such a thing as a testing device. I thought of an ethernet card that I plug in the switch, power the card up, and then somehow arping the card, from which I know the MAC... but I don't think it works just like that :(.

Hope I was specific enough this time.

Thanks for the (possible) answers.

Best regards,
Radu.
--
Radu Cugut
mobile: +40 742 045686
web: http://rcugut.has.it
Re: [LARTC] Re: LARTC Digest, Vol 4, Issue 9
Radu CUGUT wrote:
> Daniel Lopes wrote:
>> Ping a client you surely know should be connected to the switch. ARP will take the part to find out the hardware address so the packet can be delivered. If the switch is on it should find a hardware address and ARP should put it in your ARP cache. It's independent from ICMP blocks and similar. So after trying to ping you should have an entry in your ARP table which you can control with the arp command.
>
> It seems that I didn't make myself quite clear...
> I want to know if there is a way to find out if a switch is working OK or not.

It seems you can't read. To ping someone you exactly know is connected to the switch is the easiest way to get an ARP cache entry. If you don't get an entry the switch is not working or the other one is blocking ARP, which shouldn't happen because he wouldn't be able to receive any packets. Just try what I said. Blocking protocols like ICMP doesn't have an impact on the work of ARP, respectively ethernet. Exactly spoken, no impact on getting the hardware address.
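The ARP-based check that Daniel and the earlier "start arping!" reply describe, as an added example that is not code from any poster: the kernel's neighbour table is read after an ARP probe, and a switch is judged up if at least one host known to be wired to it resolved, so a host firewall that drops ICMP does not produce a false alarm. The interface, host list and sample neighbour table are constructed; the live path assumes iputils arping and iproute2 ip.

```shell
#!/bin/sh
# Added example, not code from any poster: judge whether a dumb switch is up by
# checking whether at least one host known to be wired to it answers ARP, as
# the replies above suggest.  DEV, the host list and the sample neighbour table
# are constructed; the live path assumes iputils arping and iproute2 "ip".
DEV=${DEV:-eth0}

# Hosts known to sit behind the switch being watched (constructed).
SWITCH_A_HOSTS="192.168.0.10 192.168.0.11 192.168.0.12"

# Read "ip -4 neigh show" output on stdin and print one line per host in $1:
# "<ip> up" when the kernel holds a usable link-layer entry, "<ip> down" when
# the entry is FAILED/INCOMPLETE or absent.  An ICMP-blocking host firewall
# does not matter here: the state comes from ARP alone.
classify() {
    table=$(cat)
    for ip in $1; do
        state=$(printf '%s\n' "$table" | awk -v h="$ip" '$1 == h { print $NF }')
        case "$state" in
            REACHABLE|STALE|DELAY|PROBE|PERMANENT) echo "$ip up" ;;
            *) echo "$ip down" ;;
        esac
    done
}

# The switch counts as up if any host behind it is up, so a single powered-off
# PC cannot raise a false alarm.  Exit status 0 = up, 1 = down.
switch_up() { classify "$1" | grep -q ' up$'; }

# Live probe: one ARP request per host (needs CAP_NET_RAW, so run as root,
# e.g. from cron), then evaluate the resulting neighbour table.
probe_and_check() {
    for ip in $1; do arping -c 1 -w 1 -I "$DEV" "$ip" >/dev/null 2>&1; done
    ip -4 neigh show dev "$DEV" | switch_up "$1"
}

# Constructed neighbour table for an offline run: one host answered, one is
# known but stale, one never answered.
SAMPLE_NEIGH="192.168.0.10 lladdr 00:11:22:33:44:55 REACHABLE
192.168.0.11 lladdr 00:11:22:33:44:66 STALE
192.168.0.12 FAILED"

# Offline demonstration on the constructed table.
printf '%s\n' "$SAMPLE_NEIGH" | classify "$SWITCH_A_HOSTS"
```

A STALE entry still proves the host answered once, so the check only fails when every probed host has no resolved hardware address at all.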