Re: [nsp] questions on 4006, 6509 *SFC cards

From: Ryan O'Connell (ryan-nsp@complicity.co.uk)
Date: Wed Apr 17 2002 - 15:35:47 EDT


On Wed, Apr 17, 2002 at 10:12:22AM -0400, K.A. Long wrote:
> Can a 4006 RSFC and 6509 MSFC support IPSEC and
> GRE Tunnels for VPNs?

If you mean routing the tunnels through these devices, it's just IP traffic,
so they don't care and will route it like any other traffic. Based on other
comments you made, I suspect that's actually what you're after. However, you
don't want to put your routing devices (MSFC/4000 Layer 3 cards) in the VLANs
that the "insecure" traffic is on, otherwise users can get on and off the
VLAN without going through the firewall. Ideally, the VLAN for the wireless
users should extend all the way to the firewall(s) and that should be the
only way off the VLAN.

If you mean terminating the tunnels on the devices, I wouldn't recommend it.
The MSFC processor is a 200MHz R5000, which is the same as a 7200 NPE-200;
without hardware acceleration, it's not going to handle the load well. The
4000 layer 3 card has an R5000 processor too, but I'm not as familiar with them
and I can't find a reference on how fast they are, but it's not going to be
much more. The MSFC and Layer 3 cards rely on hardware tricks (ASICs and
Multi Layer Switching - MLS) to switch packets at the speed they do and
aren't really that fast on their own.

Incidentally, the 4006 Layer 3 card isn't called an RSFC as far as I'm aware.
Everything I've seen refers to it simply as a "Layer 3 card".

> Can GRE tunnel IPs be virtual interfaces (like Loopback0)?
> and if so,
> What is the maximum number of virtual interfaces that
> can be configured on a 4006/6509 RSFC/MSFC?

There's no reason I can see that you can't do "ip unnumbered loopback0" on a
tunnel interface. You're probably limited by the maximum number of interfaces
on the box in terms of loopback interfaces - CCO suggests 3000, although I've
never seen a box with more than two loopback addresses on it so there may
be some other limit you run into first.

-- 
         Ryan O'Connell - CCIE #8174
<ryan@complicity.co.uk> - http://www.complicity.co.uk

I'm not losing my mind, no I'm not changing my lines, I'm just learning new things with the passage of time
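The two design points in the reply above (keep the MSFC out of the "insecure" wireless VLAN so the firewall is the only way off it, and address a GRE tunnel from a loopback with "ip unnumbered"), written out as an added IOS-style configuration example. This is not configuration from the original post or from Cisco documentation; the VLAN numbers, interface names and prefixes are hypothetical, the addresses are from the RFC 5737 documentation ranges, and native IOS (rather than a CatOS supervisor with a separate MSFC config) is assumed.

```text
! Added example, not from the original post. VLAN 100, the interface
! names and the 10.20.0.0/16 prefix are hypothetical; addresses are
! from the RFC 5737 documentation ranges. Native IOS syntax assumed.
!
! --- Weak layout (what the post warns against): the MSFC owns an SVI
! in the wireless VLAN, so wireless clients have a router on their own
! VLAN and can reach the rest of the network without crossing the
! firewall.
!
!   interface Vlan100
!    description Wireless users (INSECURE: MSFC is a gateway here)
!    ip address 192.0.2.1 255.255.255.0
!
! --- Recommended layout: VLAN 100 exists on the switch at Layer 2 only.
! There is deliberately no "interface Vlan100" on the MSFC; the VLAN is
! trunked through to the firewall, which is the only router on it.
vlan 100
 name Wireless-users
!
interface GigabitEthernet1/1
 description Trunk to firewall (carries the wireless VLAN only)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100
 switchport mode trunk
!
! --- GRE tunnel addressed from Loopback0 via "ip unnumbered". Shown on
! a router behind the firewall; terminating the tunnel on the MSFC
! itself is what the post advises against for CPU reasons.
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
interface Tunnel0
 description GRE to remote site, borrows its address from Loopback0
 ip unnumbered Loopback0
 tunnel source Loopback0
 tunnel destination 203.0.113.2
 tunnel mode gre ip
!
! Send the remote site's prefix (hypothetical) into the tunnel.
ip route 10.20.0.0 255.255.0.0 Tunnel0
```

To check the first point after applying the configuration, "show ip interface brief" on the MSFC should list no Vlan100 interface at all; if one appears, the wireless VLAN has a gateway other than the firewall. For the second, "show interfaces tunnel 0" should report the tunnel as up with the Loopback0 address, and the remote end needs the mirror-image tunnel source/destination.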



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:12 EDT