Posted by Peter Eriksson on February 19, 2007, 3:42 am
We're trying to decide on our next departmental router/switch
and we'd like it to have good ACL performance (our current HP 6308M bogs
down when using ACL lists to "firewall" ourself from the ugly world
"out there" :-)
Anyway, our requirements:
IPv4, IPv6 (in the future), OSPF, PIM, 2-8 Gigabit Ethernet
interfaces, possibility for 10GE, many VLANs, many ACLs/ACEs - supporting
TCP "keep state" or "established" rules and both IPv4 and IPv6.
Some of the candidates we're looking at are:
HP ProCurve 6200yl / 3500yl
Extreme Summit X450a
Cisco 3750G-12S
Any other boxes we should be looking at?
However, what seems to be unclear when reading the product specifications
is how well they handle ACLs - ie, is it done in hardware and at full
wirespeed - or will it go the "slow path"? Please note that this is
ACLs for the routing interfaces (between VLANs) - not port ACLs...
(I'm also aware that the 6200yl/3500yl doesn't support IPv6 today - anyone
know when they are going to introduce that feature?)
- Peter
--
--
Computer Systems Manager/BOFH Cell/GSM: +46 705 18 2786
Physics Department, Linköping University Room: Building F, F203
Posted by stephen on February 19, 2007, 7:49 am
> We're trying to decide on our next departmental router/switch
> and we'd like it to have good ACL performance (our current HP 6308M bogs
> down when using ACL lists to "firewall" ourself from the ugly world
> "out there" :-)
>
> Anyway, our requirements:
>
> IPv4, IPv6 (in the future), OSPF, PIM, 2-8 Gigabit Ethernet
> interfaces, possibility for 10GE, many VLANs, many ACLs/ACEs - supporting
> TCP "keep state" or "established" rules and both IPv4 and IPv6.
>
> Some of the candidates we're looking at are:
>
> HP ProCurve 6200yl / 3500yl
> Extreme Summit X450a
> Cisco 3750G-12S
new ones are 3750-E.... - 10G built in
the Ciscos do ACLs in hardware - for some ACL flavours.
Since the logic for hardware ACL is probably in a dedicated chipset, there
is always likely to be something that cannot be done in the hardware - so
the Q for the manufacturer is whether to let you use only hardware based
filters, or let you have flexibility with some performance constraints, or
some sort of mix.
The big issue with any switch is likely to be if you are asking for
something that gets pushed to software processing.....
>
> Any other boxes we should be looking at?
>
> However, what seems to be unclear when reading the product specifications
> is how well they handle ACLs - ie, is it done in hardware and at full
> wirespeed - or will it go the "slow path"? Please note that this is
> ACLs for the routing interfaces (between VLANs) - not port ACLs...
the rule of thumb is "higher end boxes do more in hardware" - so for Cisco
the assumption is Cat 6500 will do "best" - but that is
1. a chassis
2. optimised for lots of ports
3. expensive
4. loads of options, so you need to understand the box to get the right
tradeoffs
same is probably true for lots of other kit you might go for.....
But - your initial choices imply a relatively small box is all you need, so
a stackable is good enough.
Personally I would ignore the "futures" bit unless you know you need those
aspects in the next 12 to 18 months.
Otherwise choosing a new box at the point you need say IPv6 is likely to get
you more for less money than trying to future proof a box now.
>
> (I'm also aware that the 6200yl/3500yl doesn't support IPv6 today - anyone
> know when they are going to introduce that feature?)
>
> - Peter
>
> --
> --
> Computer Systems Manager/BOFH Cell/GSM: +46 705 18 2786
> Physics Department, Linköping University Room: Building F, F203
--
Regards
stephen_hope@xyzworld.com - replace xyz with ntl
Posted by anoop on February 19, 2007, 10:27 am
> We're trying to decide on our next departmental router/switch
> and we'd like it to have good ACL performance (our current HP 6308M bogs
> down when using ACL lists to "firewall" ourself from the ugly world
> "out there" :-)
>
> Anyway, our requirements:
>
> IPv4, IPv6 (in the future), OSPF, PIM, 2-8 Gigabit Ethernet
> interfaces, possibility for 10GE, many VLANs, many ACLs/ACEs - supporting
> TCP "keep state" or "established" rules and both IPv4 and IPv6.
>
> Some of the candidates we're looking at are:
>
> HP ProCurve 6200yl / 3500yl
> Extreme Summit X450a
> Cisco 3750G-12S
>
> Any other boxes we should be looking at?
>
> However, what seems to be unclear when reading the product specifications
> is how well they handle ACLs - ie, is it done in hardware and at full
> wirespeed - or will it go the "slow path"? Please note that this is
> ACLs for the routing interfaces (between VLANs) - not port ACLs...
Can't speak for the others but the HPs you mention do ACLs in
hardware.
> (I'm also aware that the 6200yl/3500yl doesn't support IPv6 today - anyone
> know when they are going to introduce that feature?)
The hardware supports it, but they haven't gotten around to releasing
the software for it.
Anoop
Posted by phn on February 24, 2007, 6:44 pm
> We're trying to decide on our next departmental router/switch
> and we'd like it to have good ACL performance (our current HP 6308M bogs
> down when using ACL lists to "firewall" ourself from the ugly world
> "out there" :-)
>
> Anyway, our requirements:
>
> IPv4, IPv6 (in the future), OSPF, PIM, 2-8 Gigabit Ethernet
> interfaces, possibility for 10GE, many VLANs, many ACLs/ACEs - supporting
> TCP "keep state" or "established" rules and both IPv4 and IPv6.
>
> Some of the candidates we're looking at are:
>
> HP ProCurve 6200yl / 3500yl
> Extreme Summit X450a
> Cisco 3750G-12S
>
> Any other boxes we should be looking at?
>
> However, what seems to be unclear when reading the product specifications
> is how well they handle ACLs - ie, is it done in hardware and at full
> wirespeed - or will it go the "slow path"? Please note that this is
> ACLs for the routing interfaces (between VLANs) - not port ACLs...
>
> (I'm also aware that the 6200yl/3500yl doesn't support IPv6 today - anyone
> know when they are going to introduce that feature?)
>
> - Peter
>
> --
> --
> Computer Systems Manager/BOFH Cell/GSM: +46 705 18 2786
> Physics Department, Linköping University Room: Building F, F203
I would move ACLs to an external firewall and let the networking gear
forward packets internally.
Any (serious) firewall would have more functionality than ACLs in
a Cisco (not to mention other boxes); just think of statefulness, fragment
handling, logging, manageability, possibilities of application-level
proxies etc.
Save your money and get, as an example,
one x86 box, load it with 2 NICs, FreeBSD, IPFilter and install
fwbuilder somewhere. Cost? Hardware for a PC + some hours installing time.
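The original question asks for TCP "keep state" or "established" rules, and the post above argues for a stateful firewall instead of router ACLs. The two are not the same check, and the difference is worth seeing concretely. The following is an added example, not code from anyone in this thread: a toy Python evaluator with a stateless "established" ACE (permit inbound TCP if ACK or RST is set, which is all a single-packet hardware lookup can see) next to a stateful filter that only admits inbound segments belonging to a flow opened from inside. The inside prefix, addresses, ports and the four sample segments are constructed for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed prefix for the "inside" VLAN the ACL protects (assumption for the demo).
INSIDE = ip_network("10.1.0.0/16")


@dataclass(frozen=True)
class Packet:
    """Minimal TCP segment: addresses, ports and a set of TCP flag names."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset


def inbound(pkt):
    """True if the segment is entering the inside VLAN, where the ACL is applied."""
    return ip_address(pkt.dst) in INSIDE and ip_address(pkt.src) not in INSIDE


def established_ace_allows(pkt):
    """Stateless 'established' ACE: permit any inbound TCP segment whose ACK or
    RST bit is set. Cheap to do at wire speed because it reads only this one
    packet's header; it has no memory of what was sent earlier."""
    return inbound(pkt) and bool({"ACK", "RST"} & pkt.flags)


class StatefulFilter:
    """'Keep state' filter: an outbound SYN from inside creates a flow entry,
    and an inbound segment is permitted only if it matches such a flow."""

    def __init__(self):
        self.flows = set()

    def allows(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if not inbound(pkt):
            # Outbound traffic is not filtered in this toy; a pure SYN opens state.
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.flows.add(fwd)
            return True
        # Inbound: the reversed tuple must match a flow opened from inside.
        return rev in self.flows


def run_demo():
    """Runs constructed sample traffic through both checks, in order.
    Returns {case: (established_ace_verdict, stateful_verdict)}; the ACE
    verdict is None for outbound segments, where that ACE is not applied."""
    stateful = StatefulFilter()
    cases = {
        # 1. An inside host opens a connection to a web server outside.
        "outbound_syn": Packet("10.1.2.3", "198.51.100.7", 40000, 80, frozenset({"SYN"})),
        # 2. The server's SYN/ACK comes back for that connection.
        "reply_synack": Packet("198.51.100.7", "10.1.2.3", 80, 40000, frozenset({"SYN", "ACK"})),
        # 3. An unsolicited inbound segment with only ACK set; no flow exists for it.
        "unsolicited_ack": Packet("203.0.113.9", "10.1.2.3", 12345, 22, frozenset({"ACK"})),
        # 4. An unsolicited inbound SYN, i.e. a new connection attempt from outside.
        "unsolicited_syn": Packet("203.0.113.9", "10.1.2.3", 12345, 22, frozenset({"SYN"})),
    }
    results = {}
    for name, pkt in cases.items():
        ace = established_ace_allows(pkt) if inbound(pkt) else None
        results[name] = (ace, stateful.allows(pkt))
    return results


if __name__ == "__main__":
    for name, (ace, state) in run_demo().items():
        print(f"{name:16s} established-ACE={ace!s:5s} stateful={state}")
```

Case 3 is the one that matters for the "firewall ourself from the world" goal: the established ACE admits any inbound segment that merely has ACK set, because it cannot know whether a connection exists, while the stateful filter drops it. That extra memory (a flow table with lookups and timeouts) is also why stateful tracking is harder to keep on the hardware fast path than a flag test, which is the trade-off the rest of this thread is about.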
Posted by Denis Jedig on February 24, 2007, 9:14 pm
On 24 Feb 2007 15:44:30 -0800 phn wrote:
> Save your money and get, as an example,
> one x86 box, load it with 2 NICs, FreeBSD, IPFilter and install
> fwbuilder
You would get nowhere near 1,000,000 pps with a reasonable number of rules
in your set, thus creating a bottleneck for routed traffic. If there is
someone asking for performance with his ACLs and is getting "hardware ACL
support" as the answer, I would expect numbers in this order of magnitude
to be the minimal requirement.
--
Denis Jedig
syneticon networks GbR http://syneticon.net/service/