Hi John,
From the filtering the traffic point of view, we have two routes into/out of the Tier1 from/to the JANET border routers: 1) via the firewall to the site switch core and then on to us on the Tier1 Routers, and 2) via the bypass which comes from the border routers direct to the OPNR (router). The latter takes the data traffic to/from the storage servers in the OPN subnet and the rest goes through the firewall. Thus two separate (different IP address) gateways for the traffic to leave by. (There's a third router but let's not go there, not relevant to the Tier1).
The important bit is that the OPNR filters ports on the inbound bypass route - it passes only the traffic on the ports we want (IPv4 and IPv6). Hardly seems to trouble the stacked S4810s that do it. No dedicated firewall to get in the way and given the less than stellar performance of the site firewall atm, just as well. Not sure whether that sort of approach might be doable for you.
As to traffic congestion, if it's truly the firewall generating the problem for you *and* everyone else, bypass it. If it's actual volume of traffic from the whole university, then they 'need a bigger boat.' ;-)
Martin.
--
Martin Bly
RAL Tier1 Fabric Manager
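The inbound bypass filter Martin describes is an allow-list: traffic arriving from the border routers is only passed if it is destined for the OPN storage subnet on an explicitly permitted port, and the same rule set applies to IPv4 and IPv6. The following is an added illustration of that decision logic written for this thread, not configuration from RAL or the S4810s; the subnets, port numbers and flow records are constructed placeholders and the function names are my own.

```python
"""Illustrative model of an allow-list ingress filter on a bypass route.

Added example for this thread, not RAL's configuration. The subnets, the
permitted port list and the sample flows below are constructed placeholders.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Hypothetical OPN storage subnets, one per address family (constructed).
OPN_SUBNETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]

# Allow-list of (protocol, destination port) pairs permitted inbound on the
# bypass. 2811 (GridFTP control) and 1094 (xrootd) are used as illustrative
# grid data-transfer ports; they are assumptions, not the Tier1's real list.
ALLOWED_INBOUND = {("tcp", 2811), ("tcp", 1094)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def in_opn(addr: str) -> bool:
    """True if addr (v4 or v6) falls inside any OPN storage subnet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OPN_SUBNETS)


def bypass_decision(flow: Flow) -> tuple:
    """Decide an inbound flow on the bypass: returns (verdict, reason).

    Ordering mirrors the design in the mail: only OPN destinations belong on
    the bypass at all, and of those only the allow-listed ports pass. Anything
    else is dropped (implicit deny), regardless of address family.
    """
    if not in_opn(flow.dst):
        return ("deny", "destination outside OPN subnet")
    if (flow.proto, flow.dport) in ALLOWED_INBOUND:
        return ("permit", "allow-listed port")
    return ("deny", "port not in allow-list")


def summarise(flows) -> dict:
    """Count verdicts, the sort of tally you would export to a log or counter."""
    return dict(Counter(bypass_decision(f)[0] for f in flows))


# Constructed sample flows, covering both families and each decision path.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.10", "tcp", 2811),          # v4 GridFTP to OPN
    Flow("2001:db8:feed::1", "2001:db8:100::10", "tcp", 1094),  # v6 xrootd to OPN
    Flow("198.51.100.7", "192.0.2.10", "tcp", 22),            # SSH to OPN: not listed
    Flow("198.51.100.7", "203.0.113.5", "tcp", 2811),         # right port, wrong subnet
    Flow("2001:db8:feed::1", "2001:db8:100::10", "udp", 2811),  # wrong protocol
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, reason = bypass_decision(f)
        print(f"{f.src:>18} -> {f.dst:<18} {f.proto}/{f.dport:<5} {verdict:6} ({reason})")
    print(summarise(SAMPLE_FLOWS))
```

The point of the ordering is that the subnet check runs first: traffic for non-OPN destinations has no business on the bypass even on a permitted port, and should have taken the firewall path. Keeping the verdict reason alongside the decision makes deny counts per cause easy to graph, which is how you would notice a misrouted client or a scan against the storage subnet.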
> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of John Bland
> Sent: Friday, January 26, 2018 8:21 AM
> To: [log in to unmask]
> Subject: WAN Woes
>
> Hi,
>
> We're getting some push back from our central networking team about our
> WAN connectivity.
>
> Our current connection uses the standard shared campus WAN, passing
> through the university firewall, then out to JISC through a redundant pair of
> 10G links.
>
> Although we have our 'grid' IP range set to be not filtered by the firewall all
> packets still pass through it and still get hit with some filtering (most recent bit
> of fun was SSL connections with X509 certificates being dropped because they
> were wrongly marked as 'insecure', essentially killing all Grid traffic).
>
> Our traffic also causes campus-wide issues, mostly due to overloading the
> firewall rather than the links themselves, so we are throttled to ~5G. While we
> have IPv6 addresses our traffic is being heavily throttled
> (~0.3G) by university routers in the path that have very poor IPv6 performance.
>
> The plan was to reuse some university routers to upgrade the physical
> connection and to provide us a direct 10G link to the JISC WAN, with no
> University firewall and (supposedly) much better IPv6 throughput.
>
> Despite this initial progress the University is now pushing us (again) to pay for
> our own direct 10G link to JISC, and pay for and install a hardware firewall on
> this connection (yeah). Apparently another department has done this (why, or
> how, we don't know).
>
> What would be interesting to know before loading up my shotgun and replying
> to them is whether other Grid sites do this, or have been asked to do this. Does
> any other Grid site pay for a dedicated WAN uplink to JISC just for GridPP or
> their department? Do you put a hardware firewall on this path as well?
>
> Cheers,
>
> John
>
> --
> John Bland [log in to unmask]
> Research Fellow office: 220
> High Energy Physics Division tel (int): 42911
> Oliver Lodge Laboratory tel (ext): +44 (0)151 794 2911
> University of Liverpool http://www.liv.ac.uk/physics/hep/
> "I canna change the laws of physics, Captain!"