[nsp] Re: 7600 on the edge

sthaug at nethelp.no sthaug at nethelp.no
Mon Apr 21 16:37:35 EDT 2003


> Thanks a lot for this. Now if you don't mind I'd like to throw a few more
> vegetables into this stew.
> 
> What about:
> 
> - MPLS support with "traditional" GE cards, with no OSMs or SFM?

Will be available with Sup720. As far as I understand you can order the
Sup720 today, but the IOS version which supports MPLS using traditional
GE cards isn't available yet. So far we are using the 4 port GE-WAN
OSMs for MPLS support (with a VLAN trunk from a traditional GE port
to a GE-WAN port on the same box - clumsy solution but it works).

> - FlexWAN modules, in particular with POS OC3 and ATM OC3 modules?

We're running FlexWAN with channelized STM-1 (PA-MC-STM-1), works fine
for us. No experience with POS or ATM in the FlexWAN. Since FlexWAN
is basically a VIP (with one processor per PA), I expect it'll work as
well as it does in a 7500.

> - Behavior under DoS attacks, especially coming via port on FlexWAN? 

It's possible to drive the CPU on the MSFC2 to a very high load if you
have a DoS attack against the 6500/7600's own IP addresses. With a
sufficiently high load, it'll start dropping protocol keepalives etc,
with bad consequences for your OSPF, BGP etc sessions. (This is really
the expected behavior as long as the IP addresses can be DoSed, I
suppose.) Fortunately, 6500/7600 is very good at hardware ACLs, so
you can protect the IP addresses of the box that way - though it can
be somewhat of a PITA when you have many IP addresses and IP receive
ACL isn't available.

We haven't really had any DoS attacks coming in on our FlexWAN ports
yet, so no direct experience there. Again, I expect it'll work fairly
similar to what it does on a 7500 VIP.

> - Netflow support - does v5 work fine?

We're still using v5 on the MSFC2 and v7 on the PFC2 - works fine
with flow-tools (http://www.splintered.net/sw/flow-tools/). No direct
experience with v5 from the PFC2 (available starting with 12.1(13)E).

One thing to note about Netflow collection - the "Earl NDE Task"
process uses quite a bit of CPU. If we had 10 times the traffic
through our 6500s/7600s as we do today and did Netflow on all of it,
I'd start getting worried about the total CPU usage on the MSFC2.

> - SNMP counter bugs?

32 bit counters on GE-WAN subinterfaces don't work (CSCdz11711). 64 bit
counters are okay though. Aside from that, I haven't noticed any SNMP
counter bugs.

> - How does the fact of enabling MPLS while carrying full routing table
> affect the TCAM?

We have separate 6500s (no OSMs) for our Internet peerings - our 7600s
running MPLS don't have full routing tables. That said, I don't *think*
running MPLS affects the TCAM at all (mostly done on the OSMs). Would
be nice to have confirmation from Cisco though.

> I'm also a bit concerned about the absence (for good reasons) of S stream
> on this platform.

12.1E has been working fairly well for us - but I must admit I'm looking
forward to being able to run 12.2S on all our most important routers.
We've already started pushing 12.2(14)S1 on our 7206 PE routers.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
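
Added example, not part of the original post and not the poster's or Cisco's configuration: a Python generator for the kind of hardware ACL the DoS answer describes, protecting every address the box owns when there are many of them and no IP receive ACL. The function name, ACL name, the SSH/SNMP management ports and the RFC 5737 sample addresses are assumptions; the output is meant to be applied inbound on edge-facing interfaces.

```python
import ipaddress

def build_protect_acl(interfaces, bgp_peers, mgmt_nets, name="PROTECT-SELF"):
    """Return IOS extended-ACL lines shielding the router's own addresses.

    interfaces: router addresses in CIDR form, e.g. "192.0.2.1/30"
    bgp_peers:  (peer_ip, local_ip) pairs; local_ip must be one of ours
    mgmt_nets:  prefixes allowed to reach SSH and SNMP on the box (assumed policy)
    """
    # De-duplicate by address so a repeated interface yields one set of entries.
    by_ip = {i.ip: i for i in map(ipaddress.ip_interface, interfaces)}
    ifaces = sorted(by_ip.values(), key=lambda i: int(i.ip))
    mgmt = [ipaddress.ip_network(m) for m in mgmt_nets]
    lines = [f"ip access-list extended {name}"]
    for peer, local in bgp_peers:
        peer, local = ipaddress.ip_address(peer), ipaddress.ip_address(local)
        if local not in by_ip:
            raise ValueError(f"BGP local address {local} is not on this router")
        # Either side may have opened the session: match port 179 as dst and src.
        lines.append(f" permit tcp host {peer} host {local} eq bgp")
        lines.append(f" permit tcp host {peer} eq bgp host {local}")
    for i in ifaces:
        net = i.network
        # Unicast OSPF only from the connected subnet; multicast hellos are not
        # addressed to the box and fall through to the final permit.
        if net.prefixlen < 32:
            lines.append(f" permit ospf {net.network_address} {net.hostmask} host {i.ip}")
        for m in mgmt:
            lines.append(f" permit tcp {m.network_address} {m.hostmask} host {i.ip} eq 22")
            lines.append(f" permit udp {m.network_address} {m.hostmask} host {i.ip} eq snmp")
    # Everything else aimed at the box itself is denied (ICMP included; add
    # explicit permits above if ping/traceroute to the router is required).
    lines += [f" deny ip any host {i.ip}" for i in ifaces]
    # Transit traffic through the box is left alone.
    lines.append(" permit ip any any")
    return lines

if __name__ == "__main__":
    # Constructed sample input using documentation address ranges.
    acl = build_protect_acl(
        interfaces=["192.0.2.1/30", "192.0.2.5/30", "203.0.113.1/32"],
        bgp_peers=[("192.0.2.2", "192.0.2.1")],
        mgmt_nets=["198.51.100.0/24"],
    )
    print("\n".join(acl))
```

The entry count grows with (addresses x management prefixes), which is the maintenance burden the post refers to; regenerating the list from an inventory keeps it in step with the interfaces.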

