Hi,
We're getting some pushback from our central networking team about our
WAN connectivity.
Our current connection uses the standard shared campus WAN, passing
through the university firewall, then out to JISC through a redundant
pair of 10G links.
Although we have our 'grid' IP range set to be not filtered by the
firewall, all packets still pass through it and still get hit with some
filtering (most recent bit of fun was SSL connections with X509
certificates being dropped because they were wrongly marked as
'insecure', essentially killing all Grid traffic).
Our traffic also causes campus-wide issues, mostly due to overloading
the firewall rather than the links themselves, so we are throttled to
~5G. While we have IPv6 addresses, our traffic is being heavily throttled
(~0.3G) by university routers in the path that have very poor IPv6
performance.
The plan was to reuse some university routers to upgrade the physical
connection and to provide us a direct 10G link to the JISC WAN, with no
University firewall and (supposedly) much better IPv6 throughput.
Despite this initial progress, the University is now pushing us (again)
to pay for our own direct 10G link to JISC, and pay for and install a
hardware firewall on this connection (yeah). Apparently another
department has done this (why, or how, we don't know).
What would be interesting to know before loading up my shotgun and
replying to them is whether other Grid sites do this, or have been asked
to do this. Does any other Grid site pay for a dedicated WAN uplink to
JISC just for GridPP or their department? Do you put a hardware firewall
on this path as well?
Cheers,
John
--
John Bland
Research Fellow office: 220
High Energy Physics Division tel (int): 42911
Oliver Lodge Laboratory tel (ext): +44 (0)151 794 2911
University of Liverpool http://www.liv.ac.uk/physics/hep/
"I canna change the laws of physics, Captain!"