Re: [m0n0wall] Re: ipsec vpn starts one-way

From:	Joe <j dot commisso at verizon dot net>
To:	m0n0wall at lists dot m0n0 dot ch
Subject:	Re: [m0n0wall] Re: ipsec vpn starts one-way
Date:	Sun, 20 Apr 2008 22:04:52 -0400
Fred,
I removed the nic setting and now it is back to defaulting to
half-duplex.

I did some wiki research on what you said and the consequences of a
network slowdown are chilling since I can't repair something like that
during the day due to my job.

Apparently, collisions are not that evil, as you state.

We're going to have to get a system in place with better hardware.

In the meantime, would you suggest putting the 10base nic on the WAN for
better performance?

Thanks again and I also learned some valuable information on this issue
that I think will solve a different problem that I had recently
regarding a network slowdown. So you and Neil did help me.

Joe


On Sun, 2008-04-20 at 10:23 -0700, Fred Wright wrote:
> On Sun, 20 Apr 2008, Joe wrote:
> 
> > Neil,
> > 
> > You da man!
> > 
> > * The switch is not managed. It is an inexpensive D-Link 24-port.
> > * I checked the capabilities of the LAN nic which is as follows:
> > 
> > $ ifconfig -m
> > xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > 	options=9<RXCSUM,VLAN_MTU>
> > 	capabilities=49<RXCSUM,VLAN_MTU,POLLING>
> > 	inet 192.168.5.1 netmask 0xffffff00 broadcast 192.168.5.255
> > 	ether 00:01:02:73:a3:9e
> > 	media: Ethernet 10baseT/UTP <full-duplex>
> > 	status: active
> > 	supported media:
> > 		media 10base2/BNC
> > 		media 10baseT/UTP mediaopt full-duplex
> > 		media 10baseT/UTP mediaopt half-duplex
> > 		media 10baseT/UTP
> > 
> > I downloaded the config.xml file and edited the interfaces/(if)/mediaopt as follows:
> > 
> > <mediaopt>full-duplex</mediaopt>
> > 
> > I uploaded, it rebooted, and came up as full duplex!
> > Full duplex should give our users a better experience.
> 
> No it won't.  Unmanaged switches have no means to set the duplex mode
> other than via autonegotiation.  10Mb NICs don't support autonegotiation,
> which means that the corresponding switch ports default to half duplex,
> with no means to override the default.
> 
> By setting the NIC to full-duplex, you've now created a duplex mismatch.  
> All NIC->switch packets that would have gotten collisions will now just be
> dropped.  The NIC also won't wait for incoming packets to complete before
> sending, so the switch-side collision rate will be *increased* (though
> there's no way to see the stats on an unmanaged switch).
> 
> For all practical purposes, full duplex is not usable on 10Mb NICs with
> unmanaged switches.  And a 100Mb NIC is a lot cheaper than a managed
> switch.
> 
> It is almost NEVER a good idea to force the duplex mode manually.  The
> peformance penalty from a duplex mismatch is orders of magnitude worse
> than the performance penalty from half duplex.
> 
> Bob Metcalfe has stated that he regrets using the term "collision" in
> Ethernet, because so many people automatically assume that "collisions"
> are evil, rather than being a normal part of CSMA/CD behavior.
> 
> 					Fred Wright
> 
>