[c-nsp] 7200 vs. 7600

Ryan O'Connell ryan at complicity.co.uk
Tue Oct 5 19:24:19 EDT 2004


On 05/10/2004 23:00, F. David Sinn wrote:

> The Sup720 with the 3BXL will be more then capable to handle a full 
> route table in the TCAM on the PFC.  Just make sure you have enough 
> DRAM (128Meg's +) to handle multiple BGP feeds.  That being said, a 
> Sup2/MSFC2 can take full routes too, though not if you also want 
> uRPF.  uRPF is also a PFC enabled feature, so you should be good there 
> on the 3BXL.


I forget the details, but I dug out some reference saying it was only 
PFC-less Sup1As/Sup2 or similar with <256k TCAM entries. (Although 
having just read that uRPF halves the available TCAM entries I'd better 
recheck this - but I seem to recall the Sup720 having 512k or 1M entries 
or similar.) I'd not even consider deploying a BGP speaking router these 
days with <256MB RAM, and I always spec 512MB on new installs so that'll 
be OK.

> Normal extended and named ACL are supported on the PFC and with the 
> 3BXL you can get hit counters again.  Not sure what you were meaning 
> by more complex.


I wouldn't expect any ACL matching on something that's not in a full 
NetFlow table (E.g. SYN flags, packet size) to be hardware-switched - 
although so far I'm impressed with the Sup720 so it may be able to do 
even this.

> Netflow can be an issue if you have too many flows, in that you can 
> blow out the Netflow TCAM cache.  I haven't tested the real to 
> advertised flow cache ability of a 3BXL, but have seen issues with the 
> PFC2 which has half as many entries.  Ad servers and others that lots 
> of tiny flows normally are the spots you will see this.


I'm using Netflow heavily for reporting and tracking DoS and similar, 
although I can always drop down to src/dst only if required.

Thanks.

> On Oct 4, 2004, at 12:32 PM, Ryan O'Connell wrote:
>
>> On 04/10/2004 18:52, F. David Sinn wrote:
>>
>>> What Supervisor are you looking to use in your 7600?  That will 
>>> determine some of the answers to your questions below.
>>
>>
>>
>> Sup720-3BXL, specifically to start with:
>> C7609-SUP720XL-PS
>> WS-CAC-4000W-INT (Second PSU)
>> WS-X6548-GE-TX (For peering/transit connections and connections to 
>> access-layer switches)
>> OSM-4OC3-POS-SI+ (For aggregation/leased line termination)
>>
>>> The only one that is consistent is the re-use of dot1q tags.  Since 
>>> the 7600 is a ethernet switch at heart, using the same tag on two 
>>> interfaces puts them on the same broadcast domain.  Also, I don't 
>>> believe that they have implement the physical sub-interface style of 
>>> configuration for dot1q as the regular routers do, so you would have 
>>> to migrate to VLAN interfaces to support dot1q (please correct me if 
>>> this has been fixed).
>>
>>
>>
>> Not sure I follow in terms of "VLAN interfaces"? Do you mean you can 
>> only do:
>> interface GigabitEthernet1/1
>>  switchport
>>  switchport mode trunk
>>  switchport trunk allowed vlan 111,222
>> !
>> interface VLAN111
>>  ip address 111.111.111.111 255.255.255.0
>> !
>> interface VLAN222
>>  ip address 222.222.222.222 255.255.255.0
>>
>> But not:
>> interface GigabitEthernet1/1
>>  no ip address
>> !
>> interface GigabitEthernet1/1.111
>>  encapsulation dot1q 111
>>  ip address 111.111.111.111 255.255.255.0
>> !
>> interface GigabitEthernet1/1.222
>>  encapsulation dot1q 222
>>  ip address 222.222.222.222 255.255.255.0
>>
>> I can cope with that, as long as features such as BPDU filter are 
>> still available on ports configured as switchports. (I.e. I don't 
>> want customers/peering partners seeing BPDUs, CDP etc etc. and I 
>> don't want them sending me similar and breaking things)
>>
>> I've heard mention that the TCAM table on the 7600s can't handle a 
>> full routing table - however, I've been unable to verify this so I 
>> suspect it applies to Sup2s/MSFC2s and below only.
>>
>>> On Oct 3, 2004, at 1:49 AM, Ryan O'Connell wrote:
>>>
>>>> Looking at the second hand cost of 6500/7600 parts vs. 7200s, 
>>>> they're very well priced so I'm considering 7600s instead of 
>>>> upgraded/additional 7200s with NPE-G1s for a forthcoming network 
>>>> upgrade.
>>>>
>>>> However, I'm aware there are some things a 7600 can't do that a 
>>>> 7200 with trunks to a lot of attached switches can. The ones I'm 
>>>> aware of are:
>>>> - It appears you can't (usefully) do anything ADSL/L2TP related on 
>>>> the 7600. (Which means you can't terminate an ATM circuit from a 
>>>> provider on it and use it as an L2TP Tunnel Switch, nor can you 
>>>> terminate L2TP circuits on it)
>>>> - You can't use the same dot1q encapsulation on two seperate 
>>>> interfaces, even if they're configured as Layer 3 interfaces.
>>>> - I presume the same restrictions on ACLs apply as when using 6500s 
>>>> with MFSCs in Hybrid mode. (I.e. src/dst port/ip can be 
>>>> hardware-switched, if you put anything more complex in there it's 
>>>> going to be process-switched and kill the CPU)
>>>>
>>>> Is everything else possible? Features I'm using excluding ADSL at 
>>>> the moment are pretty basic ISP ones - BGP, OSPF, SPAN, ip verify 
>>>> unicast reverse-path, ACLs, BPDU filter, (Which I guess I won't 
>>>> need on 7600) Leased Line aggregation, (PA-MC-STM-1MM, but that 
>>>> could stay on a 7200) Netflow and some fairly basic rate-limiting 
>>>> on some (troublesome) customers ports. I'll probably also need 
>>>> Multicast soon and IPv6 "sometime".
>>>>
>>>> -- 
>>>>         Ryan O'Connell - CCIE #8174
>>>> <ryan at complicity.co.uk> - http://www.complicity.co.uk
>>>>
>>>> I'm not losing my mind, no I'm not changing my lines,
>>>> I'm just learning new things with the passage of time
>>>>
>>>> _______________________________________________
>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>>
>>
>>
>> -- 
>>         Ryan O'Connell - CCIE #8174
>> <ryan at complicity.co.uk> - http://www.complicity.co.uk
>>
>> I'm not losing my mind, no I'm not changing my lines,
>> I'm just learning new things with the passage of time
>>
>


-- 
         Ryan O'Connell - CCIE #8174
<ryan at complicity.co.uk> - http://www.complicity.co.uk

I'm not losing my mind, no I'm not changing my lines,
I'm just learning new things with the passage of time



More information about the cisco-nsp mailing list