[c-nsp] Real life and worst-case performance of Cisco and Juniper?
Mark Tinka
mtinka at globaltransit.net
Fri Feb 27 10:36:50 EST 2009
On Friday 27 February 2009 10:08:02 pm Rick Ernst wrote:
> I'm looking at a network refresh and both Cisco and
> Juniper are on the radar. We are currently almost
> all-Cisco. The two platforms we are looking at are the
> Juniper M10i and the Cisco 7606/Sup7203BXL.
If you're looking at a much closer comparison, you'd be
considering the ASR1004 or ASR1006 from Cisco to match
Juniper's M10i platform.
> Our bandwidth needs are pretty modest; currently less
> than 500Mbs amd our packet consumption is about
> 75,000pps. I'm currently projecting over 1Gbs in about a
> year. Our existing gear (7200/7500/RSM) handles the load
> fairly well, but memory on the VIPs, RSMs, and older RSPs
> can't handle a full table. We also need to be able to
> absorb high pps DDoSes.
No experience with the 7500 platform, but depending on your
configuration, you could likely get 600Mbps to 750Mbps out
of an NPE-G2 positioned as an edge router.
However, as you mention, you want some protection against
DoS0-type traffic, so there isn't much headroom to work with
in that respect. Besides, you're not likely to hit 1Gbps of
routed traffic through the NPE-G2 either. Bottom line, the
ASR1000 series might make more sense here (but watch out for
feature support; things you're already running on your
7200's).
> Juniper seems to essentially claim that "you get whatever
> the platform is spec'd for, regardless of packet
> size/type" at ~4-8Gbs.
We've spoken to our Juniper account team about these figures
across their platforms. However, in actual practice for us,
I guess we haven't yet pushed the routers to their limits to
see this become an issue.
Yes, we are seeing far more tolerance than the 7200, but
then again the M10i is a hardware platform, so that's not a
fair comparison.
I'd suggest doing a PoC with your Juniper team as part of
your purchase requirements, and throw various packet sizes
at it and see if you are happy.
> Cisco claims 720Gbs
> (full-duplex?) and about 40Mpps on the 720 with DFC.
The advertised 720Gbps/400Mpps assumes v4 traffic at
40Gbps/slot in, at least, a 9-slot chassis (which means
fabric-enabled line cards running with DFC's installed
pushing that much traffic). So you may not actually get this
depending on how you populate each slot, how big your
chassis is, and whether you decide to have a redundant
supervisor engine. It doesn't mean the system isn't
delivering, however.
The whole full-duplex/half-duplex thing is "marketing stuff"
that gets in the way of technical capability. Grrrr...
someone else should probably get into that :-).
And yeah, v6 traffic supposedly halves that forwarding
capacity...
> Our border/core pretty much just moves packets, so I'm
> not too worried about the packet handling at that level.
> A large portion of our customer traffic is
> rate-limited/policed (hundreds of ethernet connections).
Pretty standard.
> Does anybody have any "Yeah, Juniper really does that"
> stories, or experience with how packet manipulation
> impacts the Sup720 performance? Essentially, what could
> the Sup720 handle if every packet hit the CPU? Does the
> architectural difference between the Sup720 and 7200/7500
> at least somewhat mitigate CPU impact with CAR/policing?
You don't want (transit) packets hitting your CPU. The
SUP720 supports some features in software; don't run them
there if it can be helped (which should be all the time).
Besides, word is if it's not done in hardware, it's not
supported.
Policing can be done in hardware on the PFC/DFC, so no need
to worry about that impacting your control plane.
As others have mentioned, consider the RSP720/MSFC4 instead,
for the 7600. I'd say look at an ASR1000 as it looks closer
to what your migration path might be, particularly if you're
looking to terminate leased lines too, in addition to
Ethernet.
AFAIK, Juniper, on the otherhand, don't generally punt to
software. If it's not supported in hardware, it won't work.
This means they'll offload some functions to specialized
line cards, e.g., tunneling, flow collection/export, e.t.c.,
for platforms that don't have integrated components that can
do this, or support them natively with limited
functionality, i.e., enough not to break the box. This
varies.
Cheers,
Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20090227/c9e07016/attachment.bin>
More information about the cisco-nsp
mailing list