Stephen,
IPSec is one means to control/secure traffic to and from the server. The box
is behind a proxy/firewall that communicates with the CF server over IPSec.
The Intel NICs are there to relieve load attributed to IPSec only. The
Pro/100 Intelligent Adapter is geared more towards having lots of generic
traffic and/or numerous VLANs. Intel accomplishes this primarily with the
i960 CPU. The Pro/100 S Adapter is made specifically for encrypted traffic,
more so on Windows NT/2000. If you have a high load server(s) that is/are
becoming CPU bound due to generic network traffic and the interrupt requests
that it generates, then get the Intelligent Adapter. For servers that use
IPSec, and DES/3DES in particular, the S Adapter will off-load the
encryption from the system CPU. From what I've read of reviews and
whitepapers, the same style of 3COM cards will do the same thing as the
Intel Intelligent line if there isn't any encryption to take care of but,
will also perform encryption acceleration like the S when there is encrypted
traffic.
The choice between the two is a matter of application. If the server/NIC
services high volume, low encryption traffic I would go with the Intelligent
whereas the S is better for encryption with IPSec. The thing to remember is
that neither of these is specifically for SSL. For that I would use a NIC
that is specifically for SSL or an SSL accelerator, which is different from
a NIC. I haven't tried benchmarking one of each NIC to see how they compare
in similar situations. We were seeing more CPU utilization attributed to
IPSec than to the network load, hence the decision.
Here's a sketchy diagram of how I understand the two adapters with respect
to encryption (Intelligent vs. S)
Intelligent
***********
Client --> encrypted traffic --> I Adapter --> encrypted information -->
server CPU (decrypt)
Server CPU (encrypt) --> encrypted information --> I Adapter --> encrypted
traffic --> Client
S-type
***********
Client --> encrypted traffic --> S Adapter (decrypt) --> plaintext
information --> server CPU
Server CPU --> plaintext information --> S Adapter (encrypt) --> encrypted
traffic --> Client
Did I explain myself well enough? Does anyone else have additional
information?
Regards,
Steve
-----Original Message-----
From: Stephen M. Aylor [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 21, 2000 5:38 PM
To: [EMAIL PROTECTED]
Subject: Re: Let's Brag...
Steve,
Interesting ... the use of the Intel 100s' - love the Intel Server NIC's
myself
Why's you decide to use the IPSec NIC's vs. say the 10/100 "Intelligent"
server adapters with the onboard CPU's?
Processing credit cards or... ?
Sorry if this is a DAQ... just real curious.
Stephen M. Aylor
Aylor Insurance Agency, Inc.
"Specialized insurance for Technology Risks"
[EMAIL PROTECTED]
949.581.2333 voice
949.581.2814 faxe
----- Original Message -----
From: "Steve Bernard" <[EMAIL PROTECTED]>
> You have probably started more than you intended but, here goes ...
>
> This is the biggest system that we have dedicated to CF:
>
> Dell 6350
> Quad-Xeon 700MHz w/1MB cache
> 4GB RAM
> PERC2 RAID w/128MB cache, read/write cache enabled
> 4 x 9.1GB 10k RPM HD, RAID 5
> 2 x Intel Pro 100S w/IPSec
> APC Symmetra Power Array for UPS
>
> This is obviously a monolithic server vs. using a cluster of smaller
boxes.
>
> Regards,
>
> Steve
----------------------------------------------------------------------------
--
Archives: http://www.mail-archive.com/[email protected]/
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
send a message to [EMAIL PROTECTED] with 'unsubscribe' in
the body.
------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/[email protected]/
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
