[c-nsp] GRE Tunnelling on the ME3600/ME3800 Switches ?
Anton Kapela
tkapela at gmail.com
Thu Dec 29 20:44:18 EST 2011
On Wed, Dec 28, 2011 at 1:30 AM, Reuben Farrelly
<reuben-cisco-nsp at reub.net> wrote:
> Hi guys
>
> Is GRE tunnelling supported on this platform?
Yes, but the cpu-switch asic interface is *not* fast. you'll see
~1mbit usable through it (same as on 3550, 3560, 3750). these are "not
good" devices for this need. if you needed low impact out of band,
tftp/ftp access for a remote pop you're turning up, or bgp/isis/ospf
routing of some internal space over island-ed transit, sure. but not
transit bits or production traffic.
The 4948, or a cat4k chassis + sup4 or sup5 will you ~92 mbit usable,
as their cpu--switch asic appear to have ~100 mbits usable, and GRE
happens in software on a 333mhz+ powerPC cpu, making it roughly as
quick as NPE-225.
> We've a need to run GRE tunnels for a URL filtering solution at our Head
> Office from outside the firewall, and policy routing + GRE is the only way
> this can be set up with the upstream vendor.
>
> [Pretty sure policy routing is not supported on this platform yet also but
> confirmation of this would be good as well].
Like the 3550/3560/3750 family, policy routing support is a tcam + sdm
carving option on the ME's in question (google 'sdm prefer'). I have
not tested/tried matching L4 parameters on these platforms, but L3
matches appear to work indeed. Of course you lose FIB capacity by
enabling this support.
One would be better off, imho, using wccp v2 to redirect
selected/registered traffic to the off-net filtering/etc appliance
than PBR tricks or tunnels. Of course, you may end up needing both
wccp and gre, in which case, look to cat4k for something approaching
reasonably fast/usable/affordable.
-Tk
More information about the cisco-nsp
mailing list