On (2009-07-18 05:12 +0000), deleskie@gmail.com wrote: Hey,
The only issue I have with your reply is that it is somehow still acceptable to not have these features in a core device.
I'm guessing the point Roland was making (which he likely would not have made a couple moons ago:) was related to the lack of IPv6 uRPF, chassis-wide uRPF mode, and IPv6 ACLs that either have /128 lookup and no L4 lookup, or L4 lookup and an accordingly reduced lookup, forcing longer prefixes to software (compression removes bits 24-39 from hardware).

In practice this means that if you enable compressed mode to allow L4 lookups in ACLs, and you likely will (how else are you going to protect a server, if you can't allow MGMT/ssh and internet/http and drop the rest?), you will need to take care that you never do 'host 2001:db8::1' but stay within the boundaries. Typically this is a non-issue, as you have rather large subnets, and typically inside a subnet there is the same security policy, that is, all hosts can use the same ACL. It is easy to verify whether a particular ACE from an ACL line is in hardware or is punted, so it will be easy to fix before going live. This is still definitely something you need to consider.

I'd agree that no IPv6/uRPF is rather a show-stopper for longer-term edge use, but I don't think the IPv6/ACL is a deal-breaker. In core I personally have no use for uRPF or ACLs, as I'm not facing customers in core. EARL8 (Nexus7k) fixes the IPv6/uRPF and IPv6/ACL issues.

Someone mentioned the ACL TCAM; planning its usage is also important. You can use 'show tcam counts' to see the resource usage. Pay particular attention to 'LOU' usage (which is used for gt/lt/neq/range operators, and is hence somewhat expensive). But knowing the limitations and how ACL lines are compiled to ACEs makes it typically easy to scale as far as you need to.
-jim

------Original Message------
From: Roland Dobbins
To: NANOG list
Subject: Re: Cisco 7600 (7609) as a core BGP router.
Sent: Jul 18, 2009 1:09 AM
On Jul 18, 2009, at 4:30 AM, Steven King wrote:
We use the 7600 platform as a Customer Border device.
The 7600 is actually quite a poor choice as an edge device (any edge) due to its caveats regarding NetFlow, ACLs, and uRPF. It's far better suited to a core role, where it can handle mpps running without the need for these critical edge features.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Unfortunately, inefficiency scales really well.
-- Kevin Lawton
-- ++ytti