[Bro] Bro with 10Gb NIC's or higher
Aashish Sharma
asharma at lbl.gov
Fri Jan 9 11:00:54 PST 2015
While, we at LBNL continue to work towards a formal documentation, I think I'd reply then causing further delays:
Here is the 100G cluster setup we've done:
- 5 nodes running 10 workers + 1 proxy each on them
- 100G split by arista to 5x10G
- 10G on each node is further split my myricom to 10x1G/worker with shunting enabled !!
Note: Scott Campbell did some very early work on the concept of shunting
(http://dl.acm.org/citation.cfm?id=2195223.2195788)
We are using react-framework to talk to arista written by Justin Azoff.
With Shunting enabled cluster isn't even truly seeing 10G anymore.
oh btw, Capture_loss is a good policy to run for sure. With above setup we get ~ 0.xx % packet drops.
(Depending on kind of traffic you are monitoring you may need a slightly different shunting logic)
Here is hardware specs / node:
- Motherboard-SM, X9DRi-F
- Intel E5-2643V2 3.5GHz Ivy Bridge (2x6-=12 Cores)
- 128GB DDRIII 1600MHz ECC/REG - (8x16GB Modules Installed)
- 10G-PCIE2-8C2-2S+; Myricom 10G "Gen2" (5 GT/s) PCI Express NIC with two SFP+
- Myricom 10G-SR Modules
On tapping side we have
- Arista 7504 (gets fed 100G TX/RX + backup and other 10Gb links)
- Arista 7150 (Symetric hashing via DANZ - splitting tcp sessions 1/link - 5 links to nodes
on Bro side:
5 nodes accepting 5 links from 7150
Each node running 10 workers + 1 proxy
Myricom spliting/load balancing to each worker on the node.
Hope this helps,
let us know if you have any further questions.
Thanks,
Aashish
On Fri, Jan 09, 2015 at 06:20:17PM +0000, Mike Patterson wrote:
> You're right, it's 32 on mine.
>
> I posted some specs for my system a couple of years ago now, I think.
>
> 6-8GB per worker should give some headroom (my workers usually use about 5 apiece I think).
>
> Mike
>
> --
> Simple, clear purpose and principles give rise to complex and
> intelligent behavior. Complex rules and regulations give rise
> to simple and stupid behavior. - Dee Hock
>
> > On Jan 9, 2015, at 1:03 PM, Donaldson, John <donaldson8 at llnl.gov> wrote:
> >
> > I'd agree with all of this. We're monitoring a few 10Gbps network segments with DAG 9.2X2s, too. I'll add in that, when processing that much traffic on a single device, you'll definitely not want to skimp on memory.
> >
> > I'm not sure which configurations you're using that might be limiting you to 16 streams -- we're run with at least 24 streams, and (at least with the 9.2X2s) you should be able to work with up to 32 receive streams.
> >
> > v/r
> >
> > John Donaldson
> >
> >> -----Original Message-----
> >> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of
> >> Mike Patterson
> >> Sent: Thursday, January 08, 2015 7:29 AM
> >> To: coen bakkers
> >> Cc: bro at bro.org
> >> Subject: Re: [Bro] Bro with 10Gb NIC's or higher
> >>
> >> Succinctly, yes, although that provision is a big one.
> >>
> >> I'm running Bro on two 10 gig interfaces, an Intel X520 and an Endace DAG
> >> 9.2X2. Both perform reasonably well. Although my hardware is somewhat
> >> underspecced (Dell R710s of differing vintages), I still get tons of useful data.
> >>
> >> If your next question would be "how should I spec my hardware", that's
> >> quite difficult to answer because it depends on a lot. Get the hottest CPUs
> >> you can afford, with as many cores. If you're actually sustaining 10+Gb you'll
> >> probably want at least 20-30 cores. I'm sustaining 4.5Gb or so on 8 3.7Ghz
> >> cores, but Bro reports 10% or so loss. Note that some hardware
> >> configurations will limit the number of streams you can feed to Bro, eg my
> >> DAG can only produce 16 streams so even if I had it in a 24 core box, I'd only
> >> be making use of 2/3 of my CPU.
> >>
> >> Mike
> >>
> >>> On Jan 7, 2015, at 5:04 AM, coen bakkers <cbakkers at yahoo.de> wrote:
> >>>
> >>> Does anyone have experience with higher speed NIC's and Bro? Will it
> >> sustain 10Gb speeds or more provide the hardware is spec'd appropriately?
> >>>
> >>> regards,
> >>>
> >>> Coen
> >>> _______________________________________________
> >>> Bro mailing list
> >>> bro at bro-ids.org
> >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >>
> >>
> >> _______________________________________________
> >> Bro mailing list
> >> bro at bro-ids.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
--
Aashish Sharma (asharma at lbl.gov)
Cyber Security,
Lawrence Berkeley National Laboratory
http://go.lbl.gov/pgp-aashish
Office: (510)-495-2680 Cell: (510)-612-7971
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150109/8ece2184/attachment.bin
More information about the Bro
mailing list