On 20/03/2008 14:34, Tom Yates wrote:
> I have a bunch of filers that we use from various hosts for CIFS, NFS and iSCSI. Powers That Be are planning to put both a firewall and an adaptive IDS between my filers and my hosts.
That is a very strange setup!
> Does anyone have any rough and ready (or indeed, shiny and precise) numbers about what sort of performance impact this can have, recommendations for how to do it properly, or indeed solid data suggesting not to do it at all? Any experience with this?
If the filtering equipment does its job correctly there might be no performance penalty, BUT:
- experience says that this kind of device always has some limits and that the network performance needed for the filer to do its job correctly will probably not be met
- experience says that building a storage network that works well is not an easy task, so putting filtering equipment in is clearly asking for trouble (and not only performance trouble)
- depending on the filtering equipment's capabilities, such a setup might prevent you from using some things like jumbo frames or VLANs.
If you absolutely need to inspect the NFS/CIFS traffic for accounting purposes, configure your switch to mirror the NetApp's port to another where the IDS is plugged in. This way, it cannot interfere with the production traffic.
Regards,