[c-nsp] Cisco core router (for smaller sized colocation provider) recommendations please
Pete Templin
petelists at templin.org
Mon Jan 23 18:59:35 EST 2006
josh harrington wrote:
> [Carrier 7609] --> 100 mbit --> Our cisco 7206 --> 100 mbit --> racks
>
> [the racks on our end are a series of switches, mainly 2948gl3's]
I wonder if the 2948gl3 isn't the major part of your problem. :)
> To date we have had 2 problems, both were DOS attacks launched FROM one of
> our customer's servers flooding a full 100 mbit wire with more packets per
> second than the router could handle (the 2948gl3's spiked to about 50% cpu
> load during the attack but the 7200 literally just died for 3 minutes as the
> interface(s) all rebooted). So our main goal to grow is something that can
> handle a lot more in this arena against a DOS, and handle our future growth.
Best bet is something that can forward in hardware, or as close to it as
you can come.
> In the next 12 months we plan to add a 2nd carrier, at t3, 100mbit, or
> possibly oc3 speed, and possibly upgrade our main carrier to a GigE
T3 or OC3 could spell problems for the MSFC2 solution below.
> ==== Problems/Requirements ====
> - Budget is in the $5k to $20k range ($20k if it's going to outlast me even
> past my 12 month projections)
> - must not 'collapse' under simple packet flow DOS attack
> - must handle BGP4 from 2 carriers with full route tables
> [option #1 - Cisco 7206 VXR]
- This unit uses "software" forwarding on the general-purpose CPU. Most
flexibility for features (ASIC limitations don't crop up here), but most
vulnerability to meltdown under DOS.
- Full routing tables from 1+ carrier means your CPU will be busy for
2-5 seconds every 60 seconds, adding latency every time that CPU is busy.
> [option #2 - Cisco GSR (12008)]
- You need a GRP-B or better on your hardware manifest to actually use
this box.
+ The GRP-B, PRP-1, or PRP-2 handles all routing updates; no risk of
per-minute latency as above.
+ Packet forwarding is pushed out to the line cards.
+ Much better flexibility for TDM (DS3, OC3, OC12, etc.) services.
+ IOS for GSR is strongly following the "S" train, which is very
centered around ISP-desired features.
- Some line cards use their (local) general-purpose CPU for packet
forwarding. Much higher capability than 7200 though, as each line card
brings its own packet forwarding capability.
- AFAIK, there is no 4FE, only 8FE. It's Engine 1, so definite ACL and
QoS limitations.
- 4xOC3 is Engine 0, so definitely gpCPU bound but a decent card if you
keep it below 250Mbps per card.
I upgraded my core routers to these ~4 months ago. Some growing pains
because of MPLS in our network, but otherwise these are really
impressing me.
> [option #3 - Cisco 6509 switch'router' w/MSFC2]
> ------------------------------------------------------------
+ Yes, MSFC2 can handle full BGP. It can process BGP updates VERY
quickly, and it was very good at this.
- Someone else just pointed out that your hardware manifest lists Sup1A.
Don't do Sup1A, run far, far away.
- Support for Sup2 will likely fade as the Sup720 has so much more power
than Sup2, and Sup32 surpasses Sup2 by a mile for more switching-centric
deployments.
- You'd better get very familiar with the platform before you put it in
your network; it's not just a router, and you don't appear to be in a
good position to get a spare lab unit.
+ You CAN use your 7200 PAs in a flexWAN module, but I wouldn't
recommend it. It IS a switch, after all.
- The only counters that will be anywhere close to useful will be the
per-port SNMP traffic counters. You won't be able to tell if ACLs are
working, as you won't see the traffic passed/dropped unless the MSFC
directly handles the packet.
- Rate-limiting only works inbound.
Of the three choices above and with the possibility of DS3 or OC3,
option 2 is the ONLY choice I'd consider. If DS3/OC3 aren't a concern
(i.e. Ethernet ONLY) and the budget permits, I'd do a 6509 with Sup720.
pt