Hi Matt, you might look at http://www.etinc.com/index.php?cPath=25
more $$s than your budget UNLESS you go with their software and you handle the OS/Hardware. I don't have experience with this -- yet... but thinking of using one of their appliances or get the software and trying it.

-- Thanks again,

-jason
[EMAIL PROTECTED]

- - - - - - - - - - - - - - - - - -

> Wednesday, February 16, 2005, 2:18:27 PM, you wrote:

M> I just wanted to follow up on this thread. First, thanks for all of the suggestions. Here's a summary of what caught my eye.

M> 1) There are some decent choices out there, and seemingly a 3COM SuperStack 3 3226 comes at a nice price point (around $500) and allows limiting per port at 1 Mbps increments and also does 7 custom levels of protocol prioritization. This was suggested to me off-list. It seems like a good thing for colocation since you don't care for more granularity among your customers; they can choose to do with their bandwidth what they wish. I'm not into colocation yet and this probably falls short of my needs otherwise.

M> 2) I was also intrigued by the NetEqualizer product, which seems to be the commercial version of an open source project called Linux Bandwidth Arbitrator (www.bandwidtharbitrator.com). This might very well offer functionality beyond all of the switches, but offers more complication in setup and management unless you go with the for-profit version. This is of course not a switch, but that's ok since cheap switches can be placed behind it.

M> 3) Cisco is of course a popular choice, but I'm not a fan of their ridiculous licensing schemes for the software and high prices. Used, these things come fairly cheap, but they are the 'Outlook' of routers and switches, and the most likely to be targeted by exploits. For that reason, I am probably going to migrate away from anything Cisco once I outgrow what I already have. I may change my mind however.

M> 4) I don't think I need a firewall, or don't want to deal with the expense and limitations of it (concurrent sessions, etc.). I have so few ports open that I'm fine with router level protection and this is exclusively a DMZ with no client computers behind it.

M> Despite what these products offer, I still think that the switches generally come up short of being a perfect solution to my needs (that of a Web hosting/E-mail provider). I essentially have 5 services that I need to support across 3 machines: HTTP, FTP, DNS, SMTP, and POP3. It seems that by just simply bandwidth limiting a port, I won't be able to slow down but a portion of the problematic bandwidth, and there can be other issues caused by that (such as limiting all HTTP because of one site that is getting hammered). It would be best to limit HTTP by IP instead of by port. I haven't tested it out yet, but it may be that IIS will actually work when limiting in Windows 2003 unlike 2k, and that may solve my issue on that front at least. FTP may or may not be covered by the same, I'm not sure yet.

M> It seems however that some of the worst issues are coming from fairly unique situations and specific IP addresses. Conditions like E-mail loops can not only bring down a mail server, but also bring down a whole network if all of your bandwidth is used. This of course can also affect POP3 service. If a customer does a mass mailing with huge images sourced from their site, the bandwidth could also bring us down without limits. I even had a customer send 144 messages out the other day with a 2.5 MB attachment, and if you do the math, you will find that this was 400 MB of bandwidth that IMail naturally attempts to deliver ASAP. I've also noted that IMail doesn't do well with response times under heavy bandwidth load even if the CPU is fine, while other services on the same box have far less latency. This affects the quality of service to my customers, and I like things to be responsive.

M> So what I am really looking for is some way to protect Web hosting clients from another Web hosting client's issue, protect POP3 service from having the bandwidth bogarted by some SMTP loop, or FTP, or HTTP, etc. Since everyone shares the same MX records, and the same outgoing SMTP and POP3, it's hard to find decent separation unless I get down to the IP level and start limiting things based on at least the destination IP if not the source IP also. To do anything less would seem to be somewhat futile because I would continue to have sporadic issues with the most problematic things, which can be long-lived to the point that they are resolved/blocked (DOS or loops for instance).

M> I kind of get the feeling that a hardware based solution living in a switch or firewall of some sort might not be appropriate because it would be too expensive for me to justify. It seems that a Linux solution such as Bandwidth Arbitrator/NetEqualizer would need to be added in order to properly achieve the level of granularity that I desire without enormous cost.

M> I have another qualification for this. I wish to spend less than $1,000 and have my network be survivable with a failure of this device. If I was using a switch based solution, I would need two switches for redundancy (though maybe a backup cheap switch). A firewall/router would likely be prohibitively expensive if you went for redundancy. An in-line Linux solution could however be simply bypassed in the event of an outage, though it would need to be very stable and probably won't be as stable as a good switch...

M> Does anyone have any feelings on this, and maybe some pointers to other in-line software solutions that might fit the bill?

M> Thanks,

M> Matt

M> Markus Gufler wrote:

M> It might even be nice to do this on a per-IP basis instead of a per-port basis, though that's not absolutely necessary. Since this is a Web hosting segment and our bandwidth is naturally limited going out, and very little intra-DMZ traffic exists, something that is 10/100 is all that is necessary.

M> Maybe give a look to a Fortinet 50 or 60-series Firewall. You can manage guaranteed & max traffic and also prioritize certain protocols. The price shouldn't be higher than a manageable switch with traffic shaping capabilities.

M> If you want to monitor each switch port with SNMP, unfortunately the cheap Syslink Switch has no SNMP support. At the moment I look for different solutions. Certain Cisco Catalyst switches look promising, but also the good old HP ProCurve 2512/2524.

M> Markus

M> ---
M> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
M> ---
M> This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
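Matt's point above, that a single per-port limit on HTTP throttles every hosted site because of the one being hammered while a per-destination-IP limit isolates the problem, can be shown with a small token-bucket simulation. The following block is an illustration added here; it is not code from anyone in this thread, nor from NetEqualizer, Bandwidth Arbitrator or any switch mentioned. The packet trace, the 1 Mbps limit, the 15 KB burst and the RFC 5737 documentation addresses are all constructed for the example.

```python
"""Added illustration: per-port shaping vs. per-destination-IP shaping.

A constructed one-second packet trace is run through a token-bucket policer
keyed either on the destination port (one shared limit for all HTTP) or on
the (destination IP, port) pair (one limit per hosted site). Nothing here is
taken from any product discussed in the thread.
"""
from collections import defaultdict


class TokenBucket:
    """Simple token-bucket policer: a packet passes while enough tokens remain."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0      # refill rate in bytes per second
        self.burst = burst_bytes        # bucket capacity in bytes
        self.tokens = burst_bytes       # start with a full bucket
        self.last = 0.0                 # timestamp of the last refill

    def allow(self, now, size):
        # refill for the time elapsed since the previous packet, capped at burst
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def shape(packets, key_fn, rate_bps, burst_bytes):
    """Police the trace with one bucket per key; return (passed, dropped) bytes per dst IP."""
    buckets = {}
    passed = defaultdict(int)
    dropped = defaultdict(int)
    for t, dst_ip, dport, size in sorted(packets):
        key = key_fn(dst_ip, dport)
        bucket = buckets.setdefault(key, TokenBucket(rate_bps, burst_bytes))
        (passed if bucket.allow(t, size) else dropped)[dst_ip] += size
    return dict(passed), dict(dropped)


def by_port(dst_ip, dport):
    return dport                  # one shared limit for all traffic to port 80


def by_ip(dst_ip, dport):
    return (dst_ip, dport)        # one limit per hosted site


# constructed addresses from the RFC 5737 documentation range
HAMMERED, QUIET_1, QUIET_2 = "192.0.2.10", "192.0.2.11", "192.0.2.12"


def make_trace():
    """Constructed one-second trace of 1500-byte packets to port 80: the hammered
    site receives 1000 packets (1.5 MB/s), each quiet site 50 packets (75 KB/s)."""
    packets = [(i / 1000.0, HAMMERED, 80, 1500) for i in range(1000)]
    for i in range(50):
        packets.append((i / 50.0, QUIET_1, 80, 1500))
        packets.append((i / 50.0, QUIET_2, 80, 1500))
    return packets


def compare(rate_bps=1_000_000, burst_bytes=15_000):
    """Run both policies (assumed 1 Mbps limit, 15 KB burst) on the same trace."""
    trace = make_trace()
    return {
        "per_port": shape(trace, by_port, rate_bps, burst_bytes),
        "per_ip": shape(trace, by_ip, rate_bps, burst_bytes),
    }


if __name__ == "__main__":
    for mode, (passed, dropped) in compare().items():
        print(mode)
        for ip in (HAMMERED, QUIET_1, QUIET_2):
            print(f"  {ip}: passed {passed.get(ip, 0):>7} B, dropped {dropped.get(ip, 0):>7} B")
```

With the shared per-port bucket the hammered site consumes nearly every token, so the two quiet sites see drops even though each sends well under the limit; keyed per IP, the quiet sites pass every byte and only the hammered site is held to the 1 Mbps ceiling. A real in-line shaper would also want to meter source IPs for the mail-loop case Matt describes, which is the same bucket keyed on the other address.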
