Hi John,
As we're a small Tier 2 site in the largest University in the
country I don't think my experiences will necessarily be useful to you.
Having said that, I've found our network people to be generally
supportive. I want to make a particular point to reinforce Simon's
comments about firewalls. The University bought a pair of IDS/IPS units
about a year ago. These are connected to the University's two 20Gbps
connections to JANET, and are supposed to comfortably cope with the
throughput. Well, up to a point m'lud. For general-purpose traffic they
do - but they throttle individual data transfers to 1Gbps. I had to
arrange a bypass (which they agreed to without quibbling) to get
us back to expected throughput. Hence you should definitely read the
small print on any proposed firewall device to be sure that it can
really perform at 10Gbps.
My 2 pennorth,
John
On 26/01/2018 09:08, George, Simon wrote:
> Hi John,
> This does seem outrageous and not at all constructive.
> At RHUL we certainly don't pay for our own direct connection to JISC and
> don't have (much of) a firewall.
> Fortunately our network team have been very understanding of our needs.
> I have found it very productive to get them talking directly with JISC,
> and have arranged joint meetings with help from Duncan Rand who
> straddles JISC and GridPP. My understanding is that the 2x10Gb (+2
> backup) links at RHUL do not cost significantly more than 1x 10 Gb/s.
> Their position has always been that links and bandwidth will be provided
> where there is a demonstrable need. GridPP pretty much automatically
> establishes that and your current use backs that up.
> Indeed when we asked about using the backup link to get 20 Gb/s they
> said why not just get another link if you need it.
>
> Re. the firewall, we had our own 7Gb/s rated firewall that maxed out at
> 3Gb/s with our typical Grid traffic. We discussed this with the networks
> team, explained that other sites (gave examples) are putting storage (i.e.
> a well-defined class of well-managed machines providing a specific
> service) outside the firewall to get the 10Gb/s throughput of the link,
> and they agreed to this and helped us set it up.
> The cost of a firewall that can really do 10Gb/s throughput is likely to
> be high. You could try getting a quote.
> Hope this helps!
> Simon
>
> On 26 Jan 2018 08:20, John Bland wrote:
>
> Hi,
>
> We're getting some push back from our central networking team about our
> WAN connectivity.
>
> Our current connection uses the standard shared campus WAN, passing
> through the university firewall, then out to JISC through a redundant
> pair of 10G links.
>
> Although we have our 'grid' IP range set to be not filtered by the
> firewall all packets still pass through it and still get hit with some
> filtering (most recent bit of fun was SSL connections with X509
> certificates being dropped because they were wrongly marked as
> 'insecure', essentially killing all Grid traffic).
>
> Our traffic also causes campus-wide issues, mostly due to overloading
> the firewall rather than the links themselves, so we are throttled to
> ~5G. While we have IPv6 addresses our traffic is being heavily throttled
> (~0.3G) by university routers in the path that have very poor IPv6
> performance.
>
> The plan was to reuse some university routers to upgrade the physical
> connection and to provide us a direct 10G link to the JISC WAN, with no
> University firewall and (supposedly) much better IPv6 throughput.
>
> Despite this initial progress the University is now pushing us (again)
> to pay for our own direct 10G link to JISC, and pay for and install a
> hardware firewall on this connection (yeah). Apparently another
> department has done this (why, or how, we don't know).
>
> What would be interesting to know before loading up my shotgun and
> replying to them is whether other Grid sites do this, or have been asked
> to do this. Does any other Grid site pay for a dedicated WAN uplink to
> JISC just for GridPP or their department? Do you put a hardware firewall
> on this path as well?
>
> Cheers,
>
> John
>
> --
> John Bland
> Research Fellow office: 220
> High Energy Physics Division tel (int): 42911
> Oliver Lodge Laboratory tel (ext): +44 (0)151 794 2911
> University of Liverpool http://www.liv.ac.uk/physics/hep/
> "I canna change the laws of physics, Captain!"
>
>