Netgate Discussion Forum

    Hardware Support…

    • _Adrian__
      _Adrian_
      last edited by

      Hey guys…
      I came across a McAfee Intrushield M-8000P
      From the outside looks like a SOLID Firewall / Security Platform.
      Unit has 8 XFP ports (10GBe), 8 SFP (2 or 4 GBe dependent on SFP) and 10 GBe and has 24GB of DDR2 but have no idea of processor power.
      From McAfee's http://www.mcafee.com/us/resources/data-sheets/ds-network-security-platform.pdf the throughput is 10Gbps and 8.8Gbps with 10% SSL .

      Makes me wonder if I should scrap the idea of the DL360 G4 for firewall and replace it with this unit instead as it seems it's purpose built.
      The only thing I don't like is the idea of fees to McAfee to keep this running so instead I was thinking pfSense.

      So…
      Here's where you guys come in with your knowledge and input with pros and cons :)

      If it ain't broken, fix it till it is :P

      • K
        KrPacMan
        last edited by

        That was one beefy hardware.. i found nothing about RAM-size in the document though? If you are lucky it's maybe built on a low-power Xeon-processor. Can you maybe open it and check for leads on the hardware?

        Panda GateDefender Performa 8100 (Portwell NR-5500) with Pfsense 2.1 :: blog

        • _Adrian__
          _Adrian_
          last edited by

          I personally think it may be more than 1 processor for that much throughput.
          Also 24GB is how much the unit I'm looking at is equipped with.

          What I'm trying to achieve is a seamless firewall with some AV functionality.

          My server (HP C7000) already has network consolidation to 4x 10GBe (XFP) and my switch also has 4x 10GBe (CX4) uplinks.

          If it ain't broken, fix it till it is :P

          • J
            jwelter99
            last edited by

            @_Adrian_:

            Hey guys…
            I came across a McAfee Intrushield M-8000P
            From the outside looks like a SOLID Firewall / Security Platform.
            Unit has 8 XFP ports (10GBe), 8 SFP (2 or 4 GBe dependent on SFP) and 10 GBe and has 24GB of DDR2 but have no idea of processor power.
            From McAfee's http://www.mcafee.com/us/resources/data-sheets/ds-network-security-platform.pdf the throughput is 10Gbps and 8.8Gbps with 10% SSL .

            Makes me wonder if I should scrap the idea of the DL360 G4 for firewall and replace it with this unit instead as it seems it's purpose built.
            The only thing I don't like is the idea of fees to McAfee to keep this running so instead I was thinking pfSense.

            So…
            Here's where you guys come in with your knowledge and input with pros and cons :)

            Price.  The 8000 series is >$30K.  For that price you can build an HA pair of PfSense boxes and still save $20K.

            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by

              However if it was only $250 it would be tempting.  ;)

              Steve

              • _Adrian__
                _Adrian_
                last edited by

                @stephenw10:

                However if it was only $250 it would be tempting.  ;)

                Steve

                That's the one ;)

                $250 + $125 S&H + Custom and Brokerage Fees.

                Got an email back from the vendor and said they have no further knowledge about this box besides the fact that it was pulled in a working condition.

                My main breakout switch is a 48 port Gigabit - Fortinet/ Woven Systems TRX100-CX4 ( bought it from the same vendor )
                Current Network Blueprint :
                  Firewall : DL360 G4 with 8GB RAM and DUAL 3.0ghZ XEON's with a MELLANOX INFINIHOST DUAL 10G PCI-X card
                  Switch : Fortinet/ Woven Systems TRX100-CX4
                  Server : C7000

                If it ain't broken, fix it till it is :P

                • S
                  Supermule Banned
                  last edited by

                  Why not run it in a VmWare environment instead? Upgrade the hardware as you go….

                  • stephenw10S
                    stephenw10 Netgate Administrator
                    last edited by

                    I don't know what you are firewalling with that but I would think it can handle just about anything.
                    You should be aware that that unit is only half an M-8000
                    @IntruShield:

                    The M-8000 sensor consists of two 2RU units

                    also

                    @https://kc.mcafee.com/corporate/index?page=content&id=KB52406&cat=CORP_INTRUSHIELD_SENSOR_HARDWARE&actp=LIST:

                    Summary
                    Can the two Sensors that make up the M-8000 Sensor Unit be used independently or separately as individual 5Gbps Sensors?
                    Solution
                    No. The M-8000 is a 10Gbps solution and the P and the S units must be used together.

                    Probably not a problem if you want to run pfSense (if it can) but you may only get 5Gbps!

                    Steve

                    • D
                      dreamslacker
                      last edited by

                      @stephenw10:

                      I don't know what you are firewalling with that but I would think it can handle just about anything.
                      You should be aware that that unit is only half an M-8000

                      Probably not a problem if you want to run pfSense (if it can) but you may only get 5Gbps!

                      Steve

                      Not an issue.

                      The M8000 platform comprises of 2 M-6050 units acting as (M8000P & M8000S).  The listing in the eBay is basically a M-6050 unit since the M8000 is just 2 units acting as Primary & Secondary 'cluster'.

                      Effectively, the unit will still come with 8 x 10GBe SFP ports.
                      The fastest I've seen anyone go on pfSense in the forums dates a while back to high 4Gbps with dual-multicore Xeons and 10GBe copper NICs.  Close enough to the rated speed for the M6050 by McAfee.  Without knowing more about the actual hardware inside the unit, I can say for sure whether the M6050 is actually compatible with pfSense though.

                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        Ah interesting. I guess it's all down to licensing.
                        I've been Googling this out of interest and it's almost impossible to find any useful hardware info. Like you say it must be relatively high end in order to pass that much traffic. The only other possibility is that it's some bespoke silicon in which case you'd have a hard time getting pfSense to run however that seems very unlikely. The only other clue is its 525W power draw. So what was consuming 500W 5 years ago by way of server hardware?

                        Steve

                        Edit: Make that 450W, where did I read 525?…. :-\

                        • D
                          dreamslacker
                          last edited by

                          @stephenw10:

                          Ah interesting. I guess it's all down to licensing.
                          I've been Googling this out of interest and it's almost impossible to find any useful hardware info. Like you say it must be relatively high end in order to pass that much traffic. The only other possibility is that it's some bespoke silicon in which case you'd have a hard time getting pfSense to run however that seems very unlikely. The only other clue is its 525W power draw. So what was consuming 500W 5 years ago by way of server hardware?

                          Steve

                          Edit: Make that 450W, where did I read 525?…. :-\

                          I can only find references to it from 2008 actually.

                          More importantly for figuring the hardware, it's the ram being used.  The power envelope and the use of DDR2-667 ram implies that it is Core 2 based Xeon.  As to which generation of Core 2 architecture will have to be guessed.
                          For performance, a pair of high speed Core 2 Quad based Xeons should be sufficient for generating that kind of performance on a tweaked proprietary Linux OS like with McAfee.
                          The throughput performance limit at about 4.xGbps on pfSense is largely due to the firewalling process not being multi-threaded.  Hence, it's limited to what one core can handle regardless of the amount of available processing power.

                          • _Adrian__
                            _Adrian_
                            last edited by

                            Hmm…
                            Wondering if anyone would be interested in porting a multi processor and Multi core support for a bounty...
                            I'm gonna sit back and watch this thread for now and go from there :)

                            Also it seems to me that most people on here are worried so much about power consumption and performance.
                            I for 1 know that that's impossible to get both in 1 unit !

                            Routing, filtering and the rest of the roles that pfSense does, require a little bit of muscle if you want to go fast.
                            Now keep in mind that I'm on 250Mbit Service and upgrading to Gigabit in spring/summer once fiber arrives in my neighborhood !
                            So I would like to at least be able to consistently pass 500-750Mbit through the firewall.

                            But then again...
                            At the bottom of the rack I have a 12KW Symmetra RM for the "just in case"...

                            If it ain't broken, fix it till it is :P

                            • J
                              jwelter99
                              last edited by

                              @_Adrian_:

                              <snipped>Also it seems to me that most people on here are worried so much about power consumption and performance.
                              I for 1 know that that's impossible to get both in 1 unit !

                              Routing, filtering and the rest of the roles that pfSense does, require a little bit of muscle if you want to go fast.
                              Now keep in mind that I'm on 250Mbit Service and upgrading to Gigabit in spring/summer once fiber arrives in my neighborhood !
                              So I would like to at least be able to consistently pass 500-750Mbit through the firewall.

                              But then again…
                              At the bottom of the rack I have a 12KW Symmetra RM for the "just in case"...</snipped>

                              Power is a huge issue, as in many co-locations the rack space is now almost free and the highest cost is the power usage.  For this reason we are running Pfsense on custom 1U boxes using a E3-1260L CPU, SSD disks, and low power RAM and high efficiency power supplies.  We have managed to get power usage down to 68 watts while still pushing >4Gbps of traffic on a regular basis, and under 30 watts at night when PowerD can throttle it back to ~200Mhz.

                              The point of having monster Pfsense boxes for performance is a fallacy and is only for dick-waving purposes these days.  FreeBSD combined with a modern CPU will easily beat the performance of the mightiest server CPU's from a few years ago, and once we get 2.1 and the AES instruction set even heavy VPN use won't be an issue on a desktop CPU.

                              Enjoy your ebay data center leftovers, fun stuff to play with, but it's on ebay for a reason - and that's because it has zero value in any modern DC facility.

                              • stephenw10S
                                stephenw10 Netgate Administrator
                                last edited by

                                @dreamslacker:

                                I can only find references to it from 2008 actually.

                                Clearly not my best day Googling (or remembering)  ::).

                                @_Adrian_:

                                Also it seems to me that most people on here are worried so much about power consumption and performance.
                                I for 1 know that that's impossible to get both in 1 unit !

                                That depends if you are running a rack of servers filled with Netburst Xeons for example. You could probably have 5-6 times the performance whilst consuming half the power by upgrading. An extreme example but you see my point.

                                One of the interesting things about pfSense is the wide range of usage scenarios it is deployed in. Everything from data center monsters such as this to home router replacements on passively cooled hardware.

                                Steve

                                • D
                                  dreamslacker
                                  last edited by

                                  @stephenw10:

                                  @dreamslacker:

                                  I can only find references to it from 2008 actually.

                                  Clearly not my best day Googling (or remembering)  ::).

                                  It might not be your fault since there are so few references to the platform as a whole and it isn't a device that most sites would post launch news about.  It is possible that McAfee updated the platform several times without actually using new model numbers or platform names.

                                  Then again, there is no real reason to stick to that unit since newer platforms offer much better performance/ watt ratio.  The main reason going for the M6050 is the comparative price of having 8 x 10GBe on the platform vs trying to buy 2 x Quad 10GBe NICs for a new platform.  Those NICs will cost an arm and a leg.
                                  At US$250 for the M6050, the cost difference of buying the NICs might actually pay off as compared to the power bill differences.  However, this only holds true for as long as the OP actually needs multiple 10GBe interfaces which he will not be able to saturate on the pfSense platform.

                                  • _Adrian__
                                    _Adrian_
                                    last edited by

                                    The main reason going for the M6050 is the comparative price of having 8 x 10GBe on the platform vs trying to buy 2 x Quad 10GBe NICs for a new platform.  Those NICs will cost an arm and a leg.
                                    At US$250 for the M6050, the cost difference of buying the NICs might actually pay off as compared to the power bill differences.  However, this only holds true for as long as the OP actually needs multiple 10GBe interfaces which he will not be able to saturate on the pfSense platform.

                                    Which is what i want really…
                                    My whole back bone is Dual 10GBe feeds ( LACP )
                                    And my cable company started to pull the old cables out and they are feeding Fibre to the homes ( FTTP ) in my neighborhood which means 1GBe services is just a few months away !!!

                                    In the C7000 I have a 1:10 switch that gives me 4x 10GBe ports ( XFP ) and main switch is a Woven TRX100 with 4x 10GBe ( CX4 ) and the current firewall which I intend to upgrade from DL360 G4 ( 2x 3.6Ghz + 8GB RAM + 2x 72.8GB SCSI U320 Drives in Raid 1 ) with a Dual Port Mellanox 10 GBe card.

                                    That's 10x 10GBe links right there. I mean worst case and scenario ESXi will be the Routing/Switching and pfSense will be handling the Firewall / AV functions

                                    EDIT: Crap forgot to check up on it and it got scooped from under my nose :/

                                    If it ain't broken, fix it till it is :P

                                    • stephenw10S
                                      stephenw10 Netgate Administrator
                                      last edited by

                                      Ooo too bad looked interesting.  >:(

                                      Back to trawling Ebay then.  ;)

                                      Steve

                                      • _Adrian__
                                        _Adrian_
                                        last edited by

                                        @stephenw10:

                                        Ooo too bad looked interesting.  >:(

                                        Back to trawling Ebay then.  ;)

                                        Steve

                                        LOL
                                        Not big on that, but sadly it is the best place to get decent deals on retired Enterprise equipment that has more features than any home user would ever require.

                                        Still..
                                        Hoping for IPoIB support in the near future as Infiniband cards are becoming cheap and for server to server is a nice touch to have :)

                                        If it ain't broken, fix it till it is :P

                                        • _Adrian__
                                          _Adrian_
                                          last edited by

                                          Well :)
                                          I have a TopSpin 120 on its way :P
                                          set me back a whoopin $120+ Shipping

                                          That gives me 24x 10Gb ports…
                                          6 Servers with 2 ports each still only 12 + 2 Up-links for my TRX-100 and that still leaves me with 10 empty ports.

                                          Now if i just knew how to code the Mellanox drivers over would be great :)

                                          If it ain't broken, fix it till it is :P

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.