Re: karl and paul, expostulating
> Filtering packets based on source address makes Ciscos go way slow on every packet. Filtering based on destination address makes Ciscos go very fast on most packets and a little slower on SYN-ACKs.
> If you enable flow switching it adds little overhead to the box.
doesn't matter. in production ios, policy routing (source based routing) is process switched. there is code in the works to make it fast switched. but there is a bug wherein if you do policy routing, and you enable flow or optimum switching on the interface you're doing pr on, it disables the policy routing. that bug may be fixed now but in any case enabling flow switching will *not* speed up policy routing. and if you're exporting the flow stats, you lose anywhere from 50kpps to 100Kpps of speed.
> On a 7505 with 2 sets of full routes and another partial set of routes (and all of the updates associated), that pushes some pretty significant traffic, I am filtering approx 25M/sec of data with 25k long extended access list. The total CPU load on the box is approximately 35%. Oh yeah, the box is also the DR for area 0 of a fairly large OSPF network (approximately 3k routes). Before flow switching was enabled we were running at 80% or so (not for more than a few minutes before we enabled flow switching though).
but i'm assuming you aren't doing policy routing in this box nor exporting flow stats?
-brett
On Feb 20, 1997, Brett D. Watson wrote:
> doesn't matter. in production ios, policy routing (source based routing) is process switched. there is code in the works to make it fast switched. but there is a bug wherein if you do policy routing, and you enable flow or optimum switching on the interface you're doing pr on, it disables the policy routing.
> that bug may be fixed now but in any case enabling flow switching will *not* speed up policy routing. and if you're exporting the flow stats, you lose anywhere from 50kpps to 100Kpps of speed.
I have news for you; this isn't policy routing! We aren't rewriting any source or destination addresses (which is what policy routing does). We're just filtering based on source and destination parameters (such as address, protocol, port, etc). Flow switching works very effectively (at least as of IOS 11.1.9).
> but i'm assuming you aren't doing policy routing in this box nor exporting flow stats?
No, we aren't doing policy routing, but we do have an extended access list on at least one of our fast ethernet interfaces. The filtering works quite well, and flow switching makes the CPU load hit minimal.
Alec
--
+------------------------------------+--------------------------------------+
|Alec Peterson - ahp@hilander.com    | Erols Internet Services, INC.        |
|Network Engineer                    | Springfield, VA.                     |
+------------------------------------+--------------------------------------+
participants (2): Alec H. Peterson, Brett D. Watson