07-06-2009 08:04 PM - edited 03-04-2019 05:20 AM
I would like to confirm an equipment config we will implement utilizing some specific Cisco equipment and a new high-speed WAN circuit. Currently we have a 20mbps and 6mbps circuit coming into our environment (Ethernet handoffs) that we have front ended with a 3825 for BGP support. Our BGP is strictly route advertising and not evaluating every packet. We are upgrading to a new 100MBPS fiber circuit (Ethernet handoff) to the same 3825 and removing the 6mbps circuit, so we will BGP the 100/20 mbps circuits. Will the 3825 be able to handle the higher speeds?
It is my understanding since we are simply monitoring routes (a single default route) to offer BGP support the 3825 can support speeds up to 180mbps?
07-06-2009 08:04 PM
Hello Rob,
see
http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf
it says 180 Mbps but this has to be divided by two to take into account that traffic is bidirectional.
350,000 pps /2
500 byte IP size
18 byte ethernet overhead
means 90 Mbps per direction on a single FE link
Hope to help
Giuseppe
07-11-2009 08:39 AM
Excellent...thank you very much for this info. This is exactly the info I needed. One last question, how do I verify in the router config that we are running in Fast/CEF Switching and not Process Switching?
07-11-2009 09:12 AM
Hello Rob,
there are different ways to do this
try to enable it in global config mode
conf t
ip cef
check ip interfaces with
sh ip interfaces
look for the flags line
sh ip interfaces | inc lags
if CEF is there it is used (notice you can also see the fast flag but this is not a problem)
then there are the cef related show commands like
sh ip cef option
sh cef (not sure on 3825)
there are a lot of options for this show.
About performance:
be aware that if you add features like QoS and others like anti-spoofing ACLs the performance will be reduced: the C3825 is software based, one CPU for all.
Hope to help
Giuseppe
07-11-2009 09:30 AM
I did just check the router config...it is using Fast/CEF switching...but I did see about 17 ACLs to block SNMP traffic and probably others are just anti-spoofing. So the next question is if I have ACLs is the CPU automatically reduced to the 20-25mbps or do you need a lot of ACLs / services to reduce the CPU speed? Below are the ACLs
access-list 10 permit x.x.x.x 0.0.0.63
access-list 20 permit x.x.x.x 0.0.0.63
access-list 99 permit x.x.x.x 0.0.0.127
access-list 100 remark Reject SNMP from Internet
access-list 100 deny udp any any eq snmp
access-list 100 deny udp any any eq snmptrap
access-list 100 remark Basic Traffic Filtering
access-list 100 deny icmp any any redirect
access-list 100 permit icmp any any
access-list 100 remark Reject RFC 1918 Addresses
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 remark Reject Multicast Traffic
access-list 100 deny ip 224.0.0.0 0.255.255.255 any log
access-list 100 remark Reject Spoofed Source Address
access-list 100 deny ip x.x.x.x 0.0.0.255 any log
access-list 100 permit ip any any
07-11-2009 09:51 AM
Hello Rob,
an anti spoofing ACL like ACL 100 applied to the internet interface means a performance penalty for sure but I'm not able to provide exact numbers: I cannot say if performance is reduced by 50% rather then 20%.
Performance tests with traffic generators should be done.
I did tests on ACL load some years ago on C7500 and as you can imagine the cpu load increases with the number of lines of the ACL and the position where traffic matches.
In other words most traffic will be legitimate and so it will match last line of the antispoofing ACL.
BGP load is lightweight in your case if you receive only default routes.
On the other hand an anti-spoofing ACL is a need in current Internet.
Another point is that to forward 90 Mbps the cpu will be 100%.
If you really want to be able to have a full rate 100 Mbps internet pipe you may consider to use a different device for the FE handoff:
if you have a multilayer switch like C3750E I would consider it.
Hope to help
Giuseppe
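To make the point about ACE position concrete, here is an added example (not from the thread or from Cisco) that walks ACL 100 top-down the way IOS evaluates a sequential ACL and reports which entry each sample packet hits; the elided customer prefix x.x.x.x is replaced by the placeholder 203.0.113.0/24 and the RFC 1918 range is written as 172.16.0.0/12.

```python
import ipaddress
# Constructed input: ACL 100 from the thread without its remark lines; the
# poster's elided prefix x.x.x.x is replaced by the placeholder 203.0.113.0/24.
ACL_TEXT = """\
access-list 100 deny udp any any eq snmp
access-list 100 deny udp any any eq snmptrap
access-list 100 deny icmp any any redirect
access-list 100 permit icmp any any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 224.0.0.0 0.255.255.255 any log
access-list 100 deny ip 203.0.113.0 0.0.0.255 any log
access-list 100 permit ip any any
"""
PORT_NAMES = {"snmp": 161, "snmptrap": 162}   # IOS port keywords used above
ICMP_TYPES = {"redirect": 5}                   # IOS ICMP type keyword used above

def _addr(tokens):
    """Consume one address spec: 'any' or 'A.B.C.D wildcard'. Returns (rest, (net, wc))."""
    if tokens[0] == "any":
        return tokens[1:], (0, 0xFFFFFFFF)
    return tokens[2:], (int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1])))

def parse_acl(text):
    """Parse extended ACL lines into (action, proto, src, dst, dport, icmp_type) tuples."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[2] == "remark":
            continue
        rest, src = _addr(t[4:])
        rest, dst = _addr(rest)
        dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        itype = ICMP_TYPES.get(rest[0]) if rest else None
        aces.append((t[2], t[3], src, dst, dport, itype))
    return aces

def _in(addr, spec):
    """Wildcard-mask match: bits set in the wildcard are don't-care bits."""
    net, wc = spec
    return (int(ipaddress.IPv4Address(addr)) & ~wc) == (net & ~wc)

def first_match(aces, proto, src, dst, dport=None, icmp_type=None):
    """Walk the ACL top-down like IOS; returns (action, ACEs evaluated) - the per-packet cost."""
    for n, (action, p, s, d, port, itype) in enumerate(aces, start=1):
        if (p == "ip" or p == proto) and _in(src, s) and _in(dst, d) \
                and (port is None or port == dport) and (itype is None or itype == icmp_type):
            return action, n
    return "deny", len(aces) + 1   # implicit deny at the end of every IOS ACL
```

Legitimate Internet traffic to the customer prefix only matches the final permit after nine failed comparisons, while spoofed or SNMP probe packets are rejected within the first few entries, which is the cost profile the reply above describes.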
07-11-2009 09:14 AM
One last thing, since the spec sheets refer to not having any services enabled on the router to achieve those performance numbers, and we don't have any services running except for BGP...would BGP be considered a service and reduce the speed to the 20-25mbps cap?
07-11-2009 01:37 PM
All services, including dynamic routing protocol maintenance, consume some CPU. Most though, except for extremes, don't normally consume too much. The "20-25mbps cap" to which you refer might be related to process switching.
As to your original question, a 3825 is a bit inadequate to guarantee 100+ Mbps duplex. Besides the issue that Giuseppe mentioned that you need to allow for duplex forwarding, you should also allow CPU for other services and provide for a CPU processing reserve cushion (I recall Cisco suggests about 1/3.[?])
Depending on your feature needs, a L3 switch, such as the 3750E suggested by Giuseppe, might be used instead of your 3825, although the 3750 Metro Series, or a LAN 3560/3750, for example the 3560-8PC, might be quite sufficient too.
If you want to stay with a software router, the 3845 might be "just enough", although the 7301 would be the "safe bet".
Also, do know that a router's effective performance tends to increase with average packet size. I.e. a 3825 might suffice for your routine 100 Mbps usage, it's just that it can not guarantee that level of performance all the time.
07-11-2009 03:25 PM
I agree, full duplex at 100mbps would make the 3825 too small. But the vendor will only give a CDR of 100mbps total...so if we send a 100gb file in each direction, we will only have 50mbps in each direction. With that being said...the 3825 should be fine....even with a few ACLs for protection against internet spoofing.
Let me know if you feel otherwise.
-Rob
07-12-2009 03:57 AM
"CDR of 100mbps total", eh? Yes, I think the 3825 could likely well handle that, especially in such a case as "if we send a 100gb file in each direction". The latter because such a transfer would likely (and should) utilize MTU and that's generally when you obtain your best forwarding performance.
However, we've been focused on your "new" 100 Mbps, but there's still the other 20 Mbps to keep in mind. (Probably still enough CPU, but if the 20 is full bandwidth, and with 50 CDR, we're now up to 70 duplex.)
Further, you might want to clarify what the provider means by "CDR" and what happens if you exceed it. If they police at the 50 Mbps level, you might want to shape. If you don't shape, and if the circuit is physically 100 Mbps, your router can still attempt to physically transmit at that level (duplex) which could still run your CPU to 100%. (Or perhaps not if provider does police, you could still send 100 Mbps out, but shouldn't receive more than 50 Mbps in.) If you shape, it would be a service that will tax your CPU some. (You could also police which seems to use less CPU than shaping, in my experience.)
Not 100% positive, but besides the obvious issue of hitting and sustaining 100% CPU (i.e. might be unable to support offered traffic load), believe software routers might sometimes become a bit "unstable" (better with later IOSs?).
Again, though, for your actual traffic, your 3825 might be just fine. Since you already have one, you could certainly try it. It's your traffic and your configuration that will determine actual CPU loading. Everything else is generalization. Also in general, 3825 performance is close enough to your requirements such that I don't think you place your production traffic at high risk for trying it.
07-12-2009 07:33 AM
The other 20mbps only kicks in when the 100mbps is offline...BGP. There is no load balancing or sharing with the 20mbps. The circuit being brought in is fiber. The provider is definitely policing the amount of traffic. This is not a burstable circuit so it is capped at 100mbps...the CDR.