[c-nsp] Real life and worst-case performance of Cisco and Juniper?

Mark Tinka mtinka at globaltransit.net
Fri Feb 27 11:13:31 EST 2009


On Friday 27 February 2009 11:08:12 pm Rick Ernst wrote:

> - What device would you use for upstream/core
> connectivity that would be able to withstand high pps
> DDoS?

Depends on:

a) how much bandwidth/pps you hope to handle
b) what switch fabric you have

We don't like giving vendors "free" money, so...

If I had to guess, I'd say, from Cisco, start off with an 
ASR1002 for the upstream, and take it from there. From 
Juniper, look at the M7i here.

For the core, I'd say consider an ASR1004/6 and work your 
way up from there. From Juniper, consider an M10i.

> - What device and features would you use to terminate
> hundreds of rate-limited ethernet connections?

Apart from 802.1Q VLANs, policers, QoS, routing protocols, 
etc., the rest of the features depend on what you want to 
achieve.

As for the device, again, not sure what your traffic levels 
are, but if you're looking at hundreds of Ethernet 
connections, a 7609-S from Cisco sounds good (if an ASR1006 
trunked to a couple of 3560Gs is out of the question). Some 
folk may recommend running switches as routers, but we tend 
to like real routers doing that...

From Juniper, for hundreds of Ethernet connections, take a 
look at their MX480 router (if an M7i/M10i trunked to a 
couple of EX3200s is out of the question). Again, some folk 
may recommend running the EX3200s as routers, but...

> Both devices would need to be able to handle full tables.

Precisely why the low-end so-called "Layer 3 switches" 
shouldn't be run as full routers. Otherwise, the other 
options are good to go.

Again, these are just my opinions. You probably want to 
study your needs more, talk to your account team, run some 
PoCs, etc., and not pay any real attention to what I'm 
saying :-).

Mark.