I'm curious if anyone else is using a switch for WAN connections.
I am looking at upgrading our ISP uplink from 9Mb to 20Mb. We use 6 T1s currently in a 2811 router, but our new link will be a 100Mb Ethernet (copper) connection rate limited to 20Mb. We also have another 20Mb connection handed to us on MM fiber. We will use BGP to multihome our uplink.
My question is this: why do I need to look at a "standard router" for these connections? Wouldn't we get better performance from a 3560E?
The only hangup I see is the onboard memory of the 3560. Default for most models is 128Mb and I want to ensure we are able to host full BGP routes if needed.
Please add any comments/questions/opinions. I am interested to read what others are doing.
You do not need a router with DIA.
However, to maximize your network it is wise to have a router in-line to handle the routing function and allow the switching to be done on the switches. You can have all security done on the router, policies, etc...
It may be another device on your network to manage, but it is also another step between your network and the WAN.
Wow, I am confused.
Why use a switch for routing and the ASA for switching?
What requirement do you have and what equipment do you have to work with?
With multihoming you will also need your own AS, and it is preferred to have your own IP space too. If you are going to receive full routes you need at least 256k.
In short, the 3560E-48TD fulfills all our "WAN" connectivity requirements via multiple 10/100/1000 Ethernet interfaces and IOS features, i.e. BGP and EIGRP support. It also has a better forwarding rate, and is 25% the cost of a 7200.
Our BGP environment will be minimal, using default routes only. This allows minimum memory consumption, although it is still my primary concern. I would prefer having 512Mb - 1Gb.
I see no issues with what you want to do.
You will need your own ASN since you will be multihomed. If this is a new network then I would also get your own IP space...this will save you some engineering time.
Default routes from BGP peers is not a bad thing; why consume your mem when it will possibly just add another hop or two? Overall not a bad thing. I would also make sure that your peers, when announcing your IP space, do not add anything to the announcement. Make sure that they accept whatever you send, as long as it is your IP space to send, and make sure they forward it to their peers.
Other than that you seem to have a good handle on what you want to do.
If cost is a concern you can do the same thing on a low end router too, a 2600 even if you have any of those laying around.
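As an added example of the default-route-only multihoming setup discussed in this thread (not configuration from any of the posters): the AS number 64496, the peer ASNs 64497/64498, the peer addresses and the customer prefix 203.0.113.0/24 are documentation values and are hypothetical. The inbound filters accept nothing but a default route from each ISP, the outbound filter announces only our own aggregate (so we never become transit between the two ISPs), and a maximum-prefix guard keeps a peer that accidentally leaks its full table from filling the switch's routing table.

```cisco
! Added example config, not from the original posts. ASN, peer addresses
! and prefix are documentation values chosen for illustration only.
!
! Pull-up route so the aggregate is always present to be announced,
! even if an internal subnet goes down.
ip route 203.0.113.0 255.255.255.0 Null0 254
!
ip prefix-list OUR-SPACE seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! Outbound: announce only our own space, nothing learned from the other ISP.
route-map TO-ISP permit 10
 match ip address prefix-list OUR-SPACE
!
! Inbound: accept only a default route; prefer ISP-A by local-preference.
route-map FROM-ISP-A permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 200
!
route-map FROM-ISP-B permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 100
!
router bgp 64496
 bgp log-neighbor-changes
 no synchronization
 no auto-summary
 network 203.0.113.0 mask 255.255.255.0
 !
 neighbor 192.0.2.1 remote-as 64497
 neighbor 192.0.2.1 description ISP-A 20Mb copper (hypothetical)
 neighbor 192.0.2.1 password <shared-secret-for-ISP-A>
 neighbor 192.0.2.1 route-map FROM-ISP-A in
 neighbor 192.0.2.1 route-map TO-ISP out
 neighbor 192.0.2.1 maximum-prefix 10 warning-only
 !
 neighbor 198.51.100.1 remote-as 64498
 neighbor 198.51.100.1 description ISP-B 20Mb MM fiber (hypothetical)
 neighbor 198.51.100.1 password <shared-secret-for-ISP-B>
 neighbor 198.51.100.1 route-map FROM-ISP-B in
 neighbor 198.51.100.1 route-map TO-ISP out
 neighbor 198.51.100.1 maximum-prefix 10 warning-only
```

Check the result with `show ip bgp summary` (each neighbor should show a prefix count of 1) and `show ip bgp neighbors 192.0.2.1 advertised-routes` (only 203.0.113.0/24 should appear). Change `warning-only` to a hard limit once the sessions are stable if you would rather have the session drop than risk a leaked table on a platform with a small hardware route limit.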
The only thing I would add to Rick's post is that you say in your original post that you would like the switch to be able to host the full Internet BGP routing table if needed.
The 3560 won't do this. It would need a minimum of 512Mb and according to the spec sheets it supports a max of 11000 unicast routes.
As Rick says fine if you are using just default routes but not if you want to be able to have full BGP table in future.
It's true the 3560E has much higher internal bandwidth and PPS rate than just about all the pure software based routers, but this doesn't necessarily mean you will obtain better performance. Full routers tend to be much richer in features than L3 switches; for instance, in the latest IOS images I can utilize OER/PfR to dynamically load balance multiple links and monitor performance. You could also shape your 100 Mbps link at 20 Mbps and have an effective outbound QoS policy.
In a later post, you compare the price difference between a 3560-E and a 7200, but for dual 20 Mbps, a 2821 or 2851 might suffice.
If you do wish to pursue a switch, the 3750 or 4948 series, I believe, both support 256 MB RAM. You also might want to look at the various "Metro" switches, whose feature sets have WAN like features for MANs vs. typical LAN switches.
I'm not sure you'd get better performance from a switch. If you want to host a full BGP routing table you're going to need at least 256-384MB of RAM (today...http://bgp.potaroo.net) just for the routes, but the bigger concern I would have is the CPU on the switch. During a full table download, I've seen 7200/NPE-G2's hit 30-40% CPU utilization. The switches are heavily ASIC based, and I don't believe they have CPU's that are up to the task.
You probably could make it work, but I wouldn't recommend staking your reputation on it.
Michael, you raise an interesting point about the performance of a switch's CPU vs. a router when dealing with the control plane processing. Much likely depends on both the switch in question, e.g. 3650/3750 vs. 3650-E/3750-E vs. 4948, etc., and the router in question, e.g. 28xx/38xx/72xx/7304, or the router's processing engine, e.g. NPE-225, NPE-G2, NSE-150, etc. If the CPU of a particular switch is slower than a particular router's, and if the switch doesn't have to devote its CPU to the data plane processing because of its ASICs, the switch's CPU might still be effectively faster than the "faster" router if the data plane is loaded. Still, an interesting point. Perhaps someone with experience using a 4500 (should be somewhat similar to the 49xx series) or 6500/7600 (should be somewhat similar to the ME 6500 series) containing Internet routes could mention their experience.
You do have to be careful with the hardware switches like the 6500/7600. A SUP-720-3B will only support 256K routes, and with a full Internet table it would not be hard to hit that maximum. In order to do this you'd need a SUP-720-3BXL (1 million routes), which is designed to handle large routing tables, particularly for multiple MPLS VPNs, but for the price of just the supervisor you could get two 7200s w/ NPE-G2s.
Good point, albeit a few corrections in the context of ipv4 routing.
Note that a Sup720 (PFC3,PFC3A,PFC3B) will only support 239,000 routes, not 256,000 as you mention, and this is *NOT* the default behavior. The default FIB TCAM resources permit 192,000 ipv4 unicast AND MPLS routes; and 32,000 ipv6 unicast and ipv4 multicast routes. The maximum amount of routes you can re-configure the ipv4 unicast and MPLS hardware TCAM FIB resources is 239,000 (depending on IOS version). The supervisor will not allow you to use all the TCAM FIB resources for ipv4 routes because it is shared with MPLS and EoM, and must leave resources for ipv4 multicast and ipv6 unicast. The Internet BGP4 prefixes have crossed 226,000 for well over a year now.
Use the following command to see what the current TCAM FIB utilization is:
show platform hardware capacity forwarding
show tcam counts ip
Use the following command to reconfigure the TCAM FIB resources (a reload is required):
mls cef maximum-routes
Cisco has been *screaming* for nearly two years now that you need a Sup720 with a PFC-3BXL or PFC-3CXL (and appropriate DFCs if installed) in order to support the full Internet BGP4 routing table in a 6500/7600 switch.
If not, things will *mostly* work, but the switch will drop a significant amount of traffic destined to the ipv4 route prefixes that were not able to be installed in hardware and need to be process switched. The Sup720 (all versions) by default has a rate-limiter configured that will prevent the switch CPU from being overburdened by these forwarding requests, hence drop rates for traffic destined to those prefixes of 25% to 100%.
On top of all the other arguments, I'd like to add another one: QoS limitation.
I'm willing to bet that somewhere down the line your management would be asking about QoS functionality, even over a "best-effort based network" such as the Internet (I've come across some stupid management that wants this despite our best efforts in pointing out the futility of it all!). The only switch I know that can rival a router's richness in QoS functionality/support is the 3750-ME. The Metro Ethernet port on this platform supports hierarchical QoS just like normal routers.