
3825 BGP Max supported transmission rates

robw20009
Level 1

I would like to confirm an equipment config we will implement utilizing some specific Cisco equipment and a new high-speed WAN circuit. Currently we have a 20mbps and 6mbps circuit coming into our environment (Ethernet handoffs) that we have front ended with a 3825 for BGP support. Our BGP is strictly route advertising and not evaluating every packet. We are upgrading to a new 100MBPS fiber circuit (Ethernet handoff) to the same 3825 and removing the 6mbps circuit, so we will BGP the 100/20 mbps circuits. Will the 3825 be able to handle the higher speeds?

It is my understanding since we are simply monitoring routes (a single default route) to offer BGP support the 3825 can support speeds up to 180mbps?



Giuseppe Larosa
Hall of Fame

Hello Rob,

see

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

it says 180 Mbps but this has to be divided by two to take into account that traffic is bidirectional.

350,000 pps /2

500 byte IP size

18 byte ethernet overhead

means 90 Mbps per direction on a single FE link

Hope to help

Giuseppe

Excellent...thank you very much for this info. This is exactly the info I needed. One last question, how do I verify in the router config that we are running in Fast/CEF Switching and not Process Switching?

Hello Rob,

there are different ways to do this

try to enable it in global config mode

conf t

ip cef

check ip interfaces with

sh ip interfaces

look for the flags line

sh ip interfaces | inc lags

if CEF is there it is used (notice you can see also the fast flag but this is not a problem)

then there are the cef related show commands like

sh ip cef option

sh cef (not sure in 3825 )

there are a lot of options for this show.

About performance:

be aware that if you add features like QoS and others like anti-spoofing ACLs the performance will be reduced: the C3825 is software based, with one CPU for all.

Hope to help

Giuseppe

I did just check the router config...it is using Fast/CEF switching...but I did see about 17 ACLs to block SNMP traffic and probably others are just anti-spoofing. So the next question is if I have ACLs is the CPU automatically reduced to the 20-25mbps or do you need a lot of ACLs / service to reduce the CPU speed? Below are the ACLs

    access-list 10 permit x.x.x.x 0.0.0.63
    access-list 20 permit x.x.x.x 0.0.0.63
    access-list 99 permit x.x.x.x 0.0.0.127
    access-list 100 remark Reject SNMP from Internet
    access-list 100 deny udp any any eq snmp
    access-list 100 deny udp any any eq snmptrap
    access-list 100 remark Basic Traffic Filtering
    access-list 100 deny icmp any any redirect
    access-list 100 permit icmp any any
    access-list 100 remark Reject RFC 1918 Addresses
    access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
    access-list 100 deny ip 172.0.0.0 0.31.255.255 any log
    access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
    access-list 100 remark Reject Multicast Traffic
    access-list 100 deny ip 224.0.0.0 0.255.255.255 any log
    access-list 100 remark Reject Spoofed Source Address
    access-list 100 deny ip x.x.x.x 0.0.0.255 any log
    access-list 100 permit ip any any
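Editorial example, not part of any poster's message and not Cisco code: a small audit that converts the wildcard masks in the posted ACL 100 into prefixes and compares them with the ranges its remarks name. It assumes the remarks mean the full RFC 1918 blocks and the full 224.0.0.0/4 multicast range; the function names and the `INTENDED` table are made up for this illustration.

```python
import ipaddress
import re

# "deny ip" source entries of ACL 100 as posted in the thread.
ACL_100 = """\
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.0.0.0 0.31.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 224.0.0.0 0.255.255.255 any log
access-list 100 deny ip x.x.x.x 0.0.0.255 any log
"""

# Assumption: what the remarks "Reject RFC 1918 Addresses" and
# "Reject Multicast Traffic" are meant to cover.
INTENDED = {
    "RFC 1918 10/8": "10.0.0.0/8",
    "RFC 1918 172.16/12": "172.16.0.0/12",
    "RFC 1918 192.168/16": "192.168.0.0/16",
    "Multicast 224/4": "224.0.0.0/4",
}

# Matches numeric entries only; the redacted x.x.x.x line is skipped.
DOTTED = r"(\d+\.\d+\.\d+\.\d+)"
ENTRY = re.compile(rf"access-list \d+ deny ip {DOTTED} {DOTTED} any")

def wildcard_to_network(addr, wildcard):
    """Convert an address plus contiguous Cisco wildcard mask to a prefix."""
    inv = int(ipaddress.IPv4Address(wildcard))
    if inv & (inv + 1):  # set bits must form one run of low-order ones
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - inv.bit_length()}", strict=False)

def audit(acl_text):
    """Report intended ranges left uncovered and entries denying more than intended."""
    denied = [wildcard_to_network(*m.groups()) for m in ENTRY.finditer(acl_text)]
    wanted = {name: ipaddress.ip_network(c) for name, c in INTENDED.items()}
    findings = []
    for name, want in wanted.items():
        if not any(want.subnet_of(d) for d in denied):
            findings.append(f"{name}: not fully covered")
    for d in denied:
        if not any(d.subnet_of(w) for w in wanted.values()):
            findings.append(f"{d}: denies addresses outside the intended ranges")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(ACL_100)) or "ACL matches intended ranges")
```

On the posted entries this flags `172.0.0.0 0.31.255.255`, which spans 172.0.0.0 through 172.31.255.255 rather than only 172.16.0.0/12, and `224.0.0.0 0.255.255.255`, which covers 224.0.0.0/8 rather than all of 224.0.0.0/4.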

Hello Rob,

an anti spoofing ACL like ACL 100 applied to the internet interface means a performance penalty for sure but I'm not able to provide exact numbers: I cannot say if performance is reduced by 50% rather than 20%.

Performance tests with traffic generators should be done.

I did tests on ACL load some years ago on C7500 and as you can imagine the cpu load increases with the number of lines of the ACL and the position where traffic matches.

In other words most traffic will be legitimate and so it will match last line of the antispoofing ACL.

BGP load is lightweight in your case if you receive only default routes.

On the other hand an anti-spoofing ACL is a need in current Internet.

Another point is that to forward 90 Mbps the cpu will be 100%.

If you really want to be able to have a full rate 100 Mbps internet pipe you may consider to use a different device for the FE handoff:

if you have a multilayer switch like C3750E I would consider it.

Hope to help

Giuseppe

One last thing, since the spec sheets refer to not having any services enabled on the router to achieve those performance numbers, which we don't have any services running except for BGP...would BGP be considered a service and reduce the speed to the 20-25mbps cap?

All services, including dynamic routing protocol maintenance, consume some CPU. Most though, except for extremes, don't normally consume too much. The "20-25mbps cap" to which you refer might be related to process switching.

As to your original question, a 3825 is a bit inadequate to guarantee 100+ Mbps duplex. Besides the issue that Giuseppe mentioned that you need to allow for duplex forwarding, you should also allow CPU for other services and provide for a CPU processing reserve cushion (I recall Cisco suggests about 1/3.[?])

Depending on your feature needs, a L3 switch, such as the 3750E suggested by Giuseppe, might be used instead of your 3825, although the 3750 Metro Series, or a LAN 3560/3750, for example the 3560-8PC, might be quite sufficient too.

If you want to stay with a software router, the 3845 might be "just enough", although the 7301 would be the "safe bet".

Also, do know that router's effective performance tends to increase with average packet size. I.e. a 3825 might suffice for your routine 100 Mbps usage, it's just that it can not guarantee that level of performance all the time.

I agree, full duplex at 100mbps would make the 3825 too small. But the vendor will only give a CDR of 100mbps total...so if we send a 100gb file in each direction, we will only have 50mbps in each direction. With that being said...the 3825 should be fine....even with a few ACLs for protection against internet spoofing.

Let me know if you feel otherwise.

-Rob

"CDR of 100mbps total", eh? Yes, I think the 3825 could likely well handle that, especially in such a case as "if we send a 100gb file in each direction". The latter because such a transfer would likely (and should) utilize MTU and that's generally when you obtain your best forwarding performance.

However, we've been focused on your "new" 100 Mbps, but there's still the other 20 Mbps to keep in mind. (Probably still enough CPU, but if the 20 is full bandwidth, and with 50 CDR, we're now up to 70 duplex.)

Further, you might want to clarify what the provider means by "CDR" and what happens if you exceed it. If they police at the 50 Mbps level, you might want to shape. If you don't shape, and if the circuit is physically 100 Mbps, your router can still attempt to physically transmit at that level (duplex) which could still run your CPU to 100%. (Or perhaps not if provider does police, you could still send 100 Mbps out, but shouldn't receive more than 50 Mbps in.) If you shape, it would be a service that will tax your CPU some. (You could also police which seems to use less CPU than shaping, in my experience.)

Not 100% positive, but besides the obvious issue of hitting and sustaining 100% CPU (i.e. might be unable to support offered traffic load), believe software routers might sometimes become a bit "unstable" (better with later IOSs?).

Again, though, for your actual traffic, your 3825 might be just fine. Since you already have one, you could certainly try it. It's your traffic and your configuration that will determine actual CPU loading. Everything else is generalization. Also in general, 3825 performance is close enough to your requirements such that I don't think you place your production traffic at high risk for trying it.

The other 20mbps only kicks in when the 100mbps is offline...BGP. There is no load balancing or sharing with the 20mbps. The circuit being brought in is fiber. The provider is definitely policing the amount of traffic. This is not a burstable circuit so it is capped at 100mbps...the CDR.
