Hi, currently we have 3 providers coming into our datacenter; each will soon be a 1 Gbps fiber Ethernet link. My question is, is it better to buy a Cisco GSR12000 router with 3 GE ports, or buy a Cisco 6506 and use that as a core router/switch?
My main concern is throughput, and the ability to handle a DDoS attack if one does come in. We will be running BGP with all the providers and might be adding another 3 1 Gbps providers after that also. Also, can the Cisco 6506 handle simple IP null routes/access lists? I'd also like to set up a box to sniff the traffic with a gigabit SPAN port.
Also the Cisco 6506 would be used to link up to our 5000 switches with gigabit fiber as well.
Kind of a dual purpose, making it our core switch and router.
I'm unfamiliar with both of these devices. If anyone has any suggestions on which might be better for the needs I stated above, please let me know.
I'm not sure on each of their backplanes/cpu horsepower.
The data sheets of these products should be able to provide the information regarding the throughput and performance figures. I think the 6506 can handle null-routes, and also it has a hardware based routing engine which can handle access-lists also at wire speed. It supports SPAN as well as RSPAN for sniffing traffic.
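The null route, ingress access list and SPAN session mentioned above, as an added example that was not posted by anyone in this thread; it assumes native IOS on the 6500, and the interface names, ACL name and RFC 5737 documentation addresses are made up for illustration:

```cisco
! Added example, not from any poster in this thread. Interface names,
! addresses (RFC 5737 documentation ranges) and the ACL name are assumed.
!
! Destination-based blackhole: sink traffic to a host that is being
! flooded so the attack no longer saturates the upstream link. The host
! stays unreachable until the static route is removed again.
interface Null0
 no ip unreachables
!
ip route 192.0.2.10 255.255.255.255 Null0
!
! Ingress ACL on the provider-facing port; evaluated in hardware by the PFC,
! so it does not load the MSFC CPU the way a software-routed 7200 would be.
ip access-list extended PROVIDER-IN
 remark drop private-source (spoofed) packets and one source seen on the sniffer
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip host 198.51.100.77 any
 permit ip any any
!
interface GigabitEthernet1/1
 description Uplink to provider A
 ip access-group PROVIDER-IN in
!
! Mirror the uplink in both directions to the sniffer box on Gi1/8.
monitor session 1 source interface GigabitEthernet1/1 both
monitor session 1 destination interface GigabitEthernet1/8
!
! Verification commands:
!   show ip route 192.0.2.10
!   show ip access-lists PROVIDER-IN
!   show monitor session 1
```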
The datasheets actually don't really tell me which is better in my situation, though. We are using a 7206 right now, which really stinks during a DoS attack. One of our 100 Mbps links continually goes down if there are too many packets for the router. It just simply can't handle it. That's why I wonder if a GSR with its 200 MHz processor can handle things compared to a switch, whose CPU I don't know.
I called cisco to ask them what they think. It's been 5 days and still waiting for a call back.
You don't specify whether your 7206 is a VXR chassis, or which NPE you're using.
You should consider the NPE-G1 (3 GE ports) + a GE I/O.
This will give you 4 GE ports without using either PCI bus on the chassis; provided you're not pushing much more than 1 gig, it should be cost-effective.
Sorry, it's a 7204 VXR with an NPE-300 engine. We have a secondary Fast Ethernet on it as well. Our ISP provides us with a 100 Mbps Ethernet handoff.
We do have an NPE-G1 on a 7206VXR router as well, which has a 500 Mbps link on it from 1 provider. That link doesn't get DoS'd often. Unfortunately the 100 Mbps one does. And I am just surprised at how fast the load on it rises with a DoS attack.
We are looking to purchase either a GSR 12008 or a Cisco 6509 w/ Sup 2 engine, and use that as a new core router. All our providers deliver to us either through 100 Mbps Fast Ethernet or, soon, 1 Gbps fiber connection.
The way I've done this is with multiple 7200's, each with 4 GE ports (+ some fast E/ SA VAMs/ T1s etc.) These then talk OSPF / iBGP to a 6500 (dual SupII with 512/512 RAM, quite happy with full BGP views).
I prefer this to having one big edge router, as it gives redundancy, I can reboot one router without interrupting service, and it was cheaper.
We ended up going with a:
Cisco 6509, Sup 2 MSFC2/PFC2, 128MB model + 512MB DRAM for the MSFC2, 2x 8-port gigabit modules, and then 6348 48-port RJ45 modules for the rest of the slots.
Initially this will be our single point of failure, but hopefully soon we can get another in and get some redundancy.
Currently our 7200s just choke when they get hit with more than 100 Mbps of traffic with an NPE-300 engine and Fast Ethernet port. Our ISP link is 100 Mbps on those.
However, our 7200 with an NPE-G1 engine (3 gigabit ports) can handle 300 Mbps of a DoS without problems. We have a 500 Mbps link on there also.
I'm hoping, for now, to put all providers on the 6509 and hoping it can handle a DoS better. Plus it can be used as a great core switch.
Have you had any DoS attacks that affected your 7200s? Or does the 6500 take the attack for your network?
We get DoS attacks, nothing over 250 Mbps so far. The NPE-G1 doesn't even care (CPU goes from 30% to 45%).
Our 6500 CPU is in the high 80s to 90s all the time; we know we have too many features turned on, but even at 99% it doesn't seem to drop packets. Keep an eye on your Supervisor RAM: with only 128MB you could get issues depending on your CEF table size. The 512MB sticks are only $500, why chance it?
The 512MB is only for the MSFC2; I don't believe we can upgrade the Supervisor 2 engine beyond the 128MB it has.
We have the NPE-G1 and it can take a 300 Mbps DoS decently. Our router idles around 45-50% during peak times when it's pushing out about 200K packets/sec and 480 Mbps out, 50 Mbps in. I think it idles so high because we have about 150 subnet gateway IPs on the box :( Not very good, I know. Definitely need to break up our network better.
Can the Supervisor Engine 2 for the 6500 be upgraded beyond the 128MB?
If you are looking at purchasing a new 65xx chassis, you should really look into the Supervisor 720. If you are going to be investing this much $$$, why buy into 3+ year old supervisor technology...
Check out the data sheet, it has a great comparison matrix...
I'd say that the 65xx/76xx is much more suitable for a datacenter than the 12K, especially if you need just a few Gig or 10G connections. The 65xx/76xx also has a lot of nice QoS features in hardware.
If at some point you consider putting in high-speed POS interfaces or really new MPLS things, then the 12K is probably more interesting for you.
BTW, if you're going to run MPLS, do not forget you need the PFC3b; MPLS was broken on the PFC3a.
I agree. I've decided to go with the 6500 with the Sup2 engine, 1 x 8-port gigabit module, and the rest will be 6348 48-port 10/100 modules for the servers. Thanks for all the info.
Do you know how to do the QoS rate limiting? The QoS policies are a bit confusing for me. Looking for a simple config to set ports down to a specified speed.
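A simple per-port rate limit of the kind asked about above, as an added example that is not from any poster in this thread; it assumes native IOS on a Sup2/PFC2 6500, and the interface, ACL, class-map and policy-map names and the 10 Mbps target are made up for illustration:

```cisco
! Added example, not from any poster in this thread. Names, the port and
! the 10 Mbps rate are assumed; the policer runs in PFC hardware once
! "mls qos" is enabled globally.
mls qos
!
! Match everything arriving on the port (a permit-any ACL is the simplest
! class match on PFC2).
ip access-list extended ALL-IP
 permit ip any any
!
class-map match-all ALL-TRAFFIC
 match access-group name ALL-IP
!
! police <bits/sec> <normal-burst bytes> ...: 10 Mbps with a 312500-byte
! burst (about 0.25 s at line rate); excess is dropped rather than queued.
policy-map LIMIT-10M
 class ALL-TRAFFIC
  police 10000000 312500 conform-action transmit exceed-action drop
!
! Apply inbound on the server port that should be held to 10 Mbps.
interface FastEthernet3/1
 description Server port limited to 10 Mbps
 service-policy input LIMIT-10M
!
! Verification commands:
!   show mls qos
!   show policy-map interface FastEthernet3/1
```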