12000 ACL issue

Rubens Kuhl Jr. rkuhljr at uol.com.br
Sun Oct 21 18:49:27 UTC 2001



> > Sup2(6500 or 7600) is not demand-based, there is no flow-based
> > forwarding on it; it can actually go that far, but you are right about
> > past (and most of current) Cisco claims.
>
>Please consult your favorite knowledgeable Cisco employee and try again.

As an early adopter and victim of 6500, the need for survival finds the way 
to knowledgeable Cisco employees and knowledgeable admins/architects of 
networks with their own (different) paths to Cisco internals.


>Understanding the 6500/7600 product matrix and its effects on forwarding
>tables is a pain - but required knowledge for successful implementation.

The product matrix today is rather simple: use Sup1 only for L2 activity 
(Consider Sup2 if you want VLAN ACLs and QoS), use Sup2 for all L3 
activity, consider x-bar if you need more than 15 Mpps, consider DFC if you 
need more than 30 Mpps.

Understanding the forwarding process of a device is crucial to network 
engineering; for instance, with 6500/7600 you should look carefully at the 
non-equal traffic distribution among parallel paths. With an M-160, you 
should try avoiding packet misordering, and so forth for every product of 
every vendor.


>There is a reason why CEF is configurable, and the DFC is an optional
>"card".

CEF is mandatory with Sup2, and was with Sup1 although MLS took most of CEF 
pros and cons out of the loop.

> > In order to have 30 Mpps inside 15Gbps traffic, packet size
> > on the line
> > would be 62.5 bytes and no silence between packets would be allowed.
> > When preambles and inter-frame-gaps are included, bottom line traffic
> > would be higher, and real packet size distribution would make
> > it usable
> > for up to lot more traffic.
>
>Actually 30 Mpps comes from how the 6500/7600's data bus works - 256 bits
>wide @ 62.5 MHz = 16 Gbps (real numbers - Cisco states 32 Gb/s due to their
>creative accounting). 64 Byte frame takes 4 clock cycles (64ns) to get
>through the box (at minimum). With that you get 15 Mpps. That is base
>functionality - add x-bars, DFCs, x-bar enabled cards, etc, etc, and YMMV.
>But regardless.. the larger the frame the smaller the number of pps.

Not in the x-bar system (Sup2, switch fabric, all x-bar enabled cards), 
where Sup2 receives only the packet header (up to the point of L4 port 
info); this compressed mode of operation is required to achieve 30 Mpps. 
The same strategy is used on M- routers, where IP II receives only the 
first J-cell of the packet.

> > As this thread was started by ACL issues, are the 50/90/150 Mpps boxes
> > you mentioned capable of ACLs at these line rates ?
> > What other beasts besides IP II, Sup2, Eng 3 and Eng4/edge can handle
> > high-rate ACLs ?
>
>There are many vendors in the world that do line rate ACLs at those speeds. I
>believe one vendor showed off 172mpps with ACLs at a tradeshow recently.
>Think it was about 50% of the cost of a 6500 also. But I could be wrong.

I really would like to see those products and review their architectures. So 
far, what I saw in every product except those above was:
- Demand-based forwarding, where the first packet of a flow goes to the 
"processor-path";
- Processor-based ACLs, where L3 forwarding with no ACLs goes "ASIC-path" and 
ACLs go "processor-path".


Rubens Kuhl Jr.
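The two pps arguments traded above (a 256-bit bus at 62.5 MHz spending 4 clock cycles on a 64-byte frame versus the wire rate once preamble and inter-frame gap are counted, and the header-only x-bar mode) can be carried through as a small model. This is an added example, not code from the post or from Cisco; it assumes a frame crosses a shared bus twice (ingress and egress), which is what makes 64 bytes cost 4 cycles, and it takes the header-only slice as 64 bytes, a placeholder for "up to the L4 port info".

```python
import math

# Ethernet framing overhead per packet on the wire, in bytes:
# 7-byte preamble + 1-byte SFD, plus the 12-byte inter-frame gap.
WIRE_OVERHEAD = 8 + 12


def wire_pps(line_gbps, frame_bytes):
    """Packets/s a link can carry once preamble and IFG are counted."""
    return line_gbps * 1e9 / ((frame_bytes + WIRE_OVERHEAD) * 8)


def bus_pps(frame_bytes, bus_bits=256, clock_mhz=62.5, crossings=2,
            header_bytes=None):
    """Packets/s a shared data bus can move.

    Assumptions (not from the post): each frame crosses the bus once on
    ingress and once on egress (crossings=2); in header-only mode (the
    x-bar case) only `header_bytes` of every frame crosses the bus, so
    the per-packet cost stops growing with frame size.
    """
    moved = frame_bytes if header_bytes is None else min(frame_bytes, header_bytes)
    cycles = crossings * math.ceil(moved * 8 / bus_bits)
    return clock_mhz * 1e6 / cycles


def forwarding_limit(line_gbps, frame_bytes, header_bytes=None):
    """Return (pps, limiter): the lower of the wire and bus ceilings."""
    wire = wire_pps(line_gbps, frame_bytes)
    bus = bus_pps(frame_bytes, header_bytes=header_bytes)
    return (bus, "bus") if bus < wire else (wire, "wire")


def bytes_per_packet(mpps, gbps):
    """Average bytes/packet implied by an Mpps figure at a given Gbps (no gaps)."""
    return gbps * 1e9 / (mpps * 1e6 * 8)


def required_line_gbps(mpps, frame_bytes):
    """Line rate needed to carry `mpps` Mpps of real Ethernet frames with framing."""
    return mpps * 1e6 * (frame_bytes + WIRE_OVERHEAD) * 8 / 1e9


if __name__ == "__main__":
    print(bytes_per_packet(30, 15))        # 62.5 bytes: the "no silence" figure
    print(required_line_gbps(30, 64))      # 20.16 Gbps once preamble/IFG count
    for size in (64, 512, 1500):
        print(size, forwarding_limit(15, size),
              forwarding_limit(15, size, header_bytes=64))
```

With full frames on the bus the bus is the limiter at every size; in header-only mode the bus ceiling stays at 15.625 Mpps and the wire rate becomes the limiter for large frames.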