Cisco 7600 (7609) as a core BGP router.
saku at ytti.fi
Sat Jul 18 07:37:33 UTC 2009
On (2009-07-18 05:12 +0000), deleskie at gmail.com wrote:
> The only issue I have with your reply is that it is somehow still acceptable to not have these features in a core device.
I'm guessing the point Roland was making (which he likely would not have made
a couple of moons ago :) was related to the lack of IPv6 uRPF, chassis-wide uRPF
mode, and IPv6 ACLs either having /128 look-up and no L4 lookup, or L4 lookup
and accordingly reduced lookup, forcing longer prefixes to software
(compression removes bits 24-39 from hardware).
In practice this means that if you enable compressed mode to allow L4 lookups
in ACLs, and you likely will (how else are you going to protect a server if
you can't allow MGMT/ssh and internet/http and drop the rest?), you will need to
take care that you never do 'host 2001:db8::1' but stay within the
boundaries. Typically this is a non-issue, as you have rather large subnets,
and typically inside this subnet there is the same security policy, that is,
all hosts can use the same ACL.
It is easy to verify whether a particular ACE from an ACL line is in hardware or
is punted, so it will be easy to fix before going live.
This is still definitely something you need to consider. I'd agree that no
IPv6/uRPF is rather a show-stopper for longer-term edge use, but I don't
think the IPv6/ACL is a deal-breaker. In the core I personally have no use
for uRPF or ACLs, as I'm not facing customers in the core.
EARL8 (Nexus7k) fixes the IPv6/uRPF and IPv6/ACL issues.
Someone mentioned the ACL TCAM; planning its usage is also important. You
can use 'show tcam counts' to see the resource usage. Pay particular
attention to 'LOU' usage (which is used for gt/lt/neq/range operators, and
is hence somewhat expensive). But knowing the limitations and how ACL lines
are compiled into ACEs makes it typically easy to scale as far as you need to.
> ------Original Message------
> From: Roland Dobbins
> To: NANOG list
> Subject: Re: Cisco 7600 (7609) as a core BGP router.
> Sent: Jul 18, 2009 1:09 AM
> On Jul 18, 2009, at 4:30 AM, Steven King wrote:
> > We use the 7600 platform as a Customer Border device.
> The 7600 is actually quite a poor choice as an edge device (any edge)
> due to its caveats regarding NetFlow, ACLs, and uRPF. It's far better
> suited to a core role, where it can handle mpps running without the
> need for these critical edge features.
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
> Unfortunately, inefficiency scales really well.
> -- Kevin Lawton
> Sent from my BlackBerry device on the Rogers Wireless Network
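An added illustration, not part of Saku's message and not taken from Cisco documentation, of the ACL shape the message argues for. The first list writes the policy per host (a /128 'host' entry, which the message says is the case forced to software in compressed mode) and uses a 'range' operator (which the message says consumes LOU resources). The second list keeps the same intent at subnet granularity so that every host in the server subnet shares one ACL, and uses 'eq' matches instead of a range. The ACL names, the interface and all prefixes are constructed from the 2001:db8::/32 documentation range; whether a given ACE actually lands in hardware still has to be checked on the box, as the message says.

```cisco
! Constructed example: addresses are from the 2001:db8::/32 documentation range,
! ACL and interface names are made up for illustration.
!
! Version 1: per-host ACEs plus a 'range' operator.
!   - 'host 2001:db8:0:10::1' is a /128 entry, the pattern the message says
!     ends up punted to software once compressed mode is enabled for L4 lookups.
!   - 'range 80 443' needs a LOU entry and, as a side effect, also permits
!     every port between 81 and 442.
ipv6 access-list SERVER-IN-V1
 permit tcp 2001:db8:0:1::/64 host 2001:db8:0:10::1 eq 22
 permit tcp any host 2001:db8:0:10::1 range 80 443
 deny ipv6 any any log
!
! Version 2: the same policy (ssh from the management subnet, http/https from
! anywhere, drop and log the rest) written at subnet granularity.
!   - No /128 entries: the whole server subnet shares one ACL, which is what
!     the message means by "staying within the boundaries".
!   - 'eq' instead of 'range': no LOU entry consumed and no accidental ports.
ipv6 access-list SERVER-IN-V2
 permit tcp 2001:db8:0:1::/64 2001:db8:0:10::/64 eq 22
 permit tcp any 2001:db8:0:10::/64 eq 80
 permit tcp any 2001:db8:0:10::/64 eq 443
 deny ipv6 any any log
!
! Apply the subnet-granular version on the server-facing interface.
interface Vlan10
 ipv6 traffic-filter SERVER-IN-V2 in
```

After applying a list like this, the checks the message itself names are the ones worth running before going live: confirm that each ACE is actually in hardware rather than punted, and watch 'show tcam counts' for overall ACL TCAM and LOU consumption, since the second form should need no LOU entries at all.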