[c-nsp] Network Upgrade

Simon Leinen simon at switch.ch
Thu Jun 1 04:57:54 EDT 2006


Paul Stewart writes:
> Looking at upgrading our core network.  Currently have a pair of
> 6500's doing BGP (Sup2/MSFC2) and edge routing.  Looking to offload
> the BGP portion onto a GSR,

That wasn't your question, but I wonder why you want to offload BGP
onto a GSR.  GSR doesn't do BGP any better than OSR, oops sorry
Cat6500, and even though I realize that GSRs can be gotten cheap, it's
still an additional box with all kinds of costs - just think about the
power consumption.  But I digress.

> but at the same time do some firewalling on the 6500's.  This would
> be hopefully using IOS FW feature set and basic access-lists.  For
> low traffic, does this work ok and/or have a major CPU impact?

That depends on what you mean by "basic access-lists".  The Catalyst
6500 handles most classical/static (non-reflexive etc.) ACLs in
hardware (ASIC/TCAM), as long as they fit.  Are we talking about
dozens, hundreds, or thousands of rules here?

If you need "stateful" capabilities (e.g. reflexive ACLs), then doing
those without some kind of firewall blade WILL incur some CPU hit on
the MSFC.  Note that I'm not saying that ALL packets will be switched
"in software", I assume only those packets with the potential to
update the hardware ACLs (i.e. first packets of a "flow"), but since I
personally stay away from this kind of situation I really don't know.
But I'm sure that AT LEAST such packets need to visit the MSFC.

> The budget doesn't support buying a pair of FW blades... so hoping
> we can just do it in software.  Total traffic through each switch is
> 100 Mb/s maximum to put it in perspective.

With static ACLs that will certainly work, no sweat.  With reflexive
ACLs and no firewall blades, I would guess this depends either on the
connection (flow) setup rate, or on pps.

In case what I wrote is bullshit, I sincerely hope someone will
correct me.
-- 
Simon.
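To make the two options contrasted above concrete, here is an added configuration sketch; it is not from the thread and not Paul's or Simon's config. It puts a static extended ACL, which the PFC matches in TCAM, beside a reflexive ACL pair, with comments on where the MSFC gets involved. Interface names, ACL names and addresses (RFC 5737 documentation space) are assumptions.

```cisco
! Constructed example, not from the original thread. Addresses are
! RFC 5737 documentation space; interface and ACL names are assumptions.
!
! --- 1. Static (stateless) extended ACL: programmed into TCAM and
!        matched by the PFC ASIC, no MSFC CPU involvement as long as
!        the ACL fits in TCAM.
ip access-list extended EDGE-IN-STATIC
 remark permit web traffic to the public server
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 remark allow DNS replies to the resolver
 permit udp any eq 53 host 192.0.2.53
 remark stateless approximation of "return traffic"
 permit tcp any 192.0.2.0 0.0.0.255 established
 remark the "log" keyword would send matching packets to the MSFC;
 remark leave it off the catch-all deny if CPU is a concern
 deny   ip any any
!
interface GigabitEthernet1/1
 description upstream / edge
 ip access-group EDGE-IN-STATIC in
!
! --- 2. Reflexive ACL: the "stateful" option without a firewall blade.
!        Outbound TCP/UDP flows create temporary reverse entries; at
!        least the packets that create or expire those entries (first
!        packet of a flow, FIN/RST) visit the MSFC, so CPU load tracks
!        the new-flow rate rather than the byte rate.
ip access-list extended EDGE-OUT-REFLEX
 permit tcp 192.0.2.0 0.0.0.255 any reflect OUTBOUND-FLOWS timeout 300
 permit udp 192.0.2.0 0.0.0.255 any reflect OUTBOUND-FLOWS timeout 60
 permit ip any any
!
ip access-list extended EDGE-IN-REFLEX
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 evaluate OUTBOUND-FLOWS
 deny   ip any any
!
! Apply the pair on the same edge interface (in place of the static ACL).
interface GigabitEthernet1/1
 ip access-group EDGE-OUT-REFLEX out
 ip access-group EDGE-IN-REFLEX in
```

With the reflexive variant, watch MSFC CPU against connection setup rate (not throughput) before relying on it at the edge.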
