RE: Cisco 7206VXR w/NPE-G1 Question

Does anyone have definitive speed results on the 3 "built-in" Gig ports
on the NPE-G1? I know that they aren't attached to the PCI Buses, and
don't consume bandwidth points, but all of that is moot. Can all three
of the ports do line rate Gig? The Gig PA is limited to 400Mbps. I
have seen posts that allude to the fact that the max throughput on the 3 Gigs
is 800Mbps. It is like a big mystery that cannot be solved. With a
"J" M7i, I know I'm going to get line rate per port up to the total
forwarding capacity of the FPC.

We are trying to create a comparison matrix and any info you have would
be great.

Jack

Keep in mind, 72xx is still flow-based, so you need to count *both* shared
fabric capacity (aka PCI buses) and capacity of NPE to establish flows
(aka pps rate).

NPE-G1 might probably route 3*GE, without any services and if all 3GE are
in a single flow, but will melt down in the face of a one-packet-per-flow DDoS
(read: "Nachi" worm) at a far lower rate (I'd be surprised if it sustains
200kpps DDoS traffic, which can be as low as 150Mbit bandwidth).

That is of course, as opposed to Juniper, which is truly line-rate at any
interface, with any services, at any composition of traffic.

-alex

> Keep in mind, 72xx is still flow-based, so you need to count *both* shared
> fabric capacity (aka PCI buses) and capacity of NPE to establish flows
> (aka pps rate).

Why do you say it is flow-based? You *do* use CEF, don't you? In which
case 7200 with NPE-G1 is a prefix-based architecture, with software
forwarding.

> NPE-G1 might probably route 3*GE, without any services and if all 3GE are
> in a single flow, but will melt down in the face of a one-packet-per-flow DDoS
> (read: "Nachi" worm) at a far lower rate (I'd be surprised if it sustains
> 200kpps DDoS traffic, which can be as low as 150Mbit bandwidth).

It's the pps that counts, not whether it is one packet per flow or many.
We actually tested NPE-G1 a bit today with small (64 byte) packets, and
we reached considerably higher pps numbers.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

> Keep in mind, 72xx is still flow-based, so you need to count *both*
> shared fabric capacity (aka PCI buses) and capacity of NPE to
> establish flows (aka pps rate).

> Why do you say it is flow-based? You *do* use CEF, don't you? In which
> case 7200 with NPE-G1 is a prefix-based architecture, with software
> forwarding.

Thanks for correction, yes, you are right, of course, that was a 'thinko'.

To those watching on sideline:

flow-based means router's performance is based on number of flows
established, and first packet of each 'flow' is processed differently
[slower] from all other within the flow, and things like nachi will kill
it.

> NPE-G1 might probably route 3*GE, without any services and if all 3GE are
> in a single flow, but will melt down in the face of a one-packet-per-flow DDoS
> (read: "Nachi" worm) at a far lower rate (I'd be surprised if it sustains
> 200kpps DDoS traffic, which can be as low as 150Mbit bandwidth).

> It's the pps that counts, not whether it is one packet per flow or many.
> We actually tested NPE-G1 a bit today with small (64 byte) packets, and
> we reached considerably higher pps numbers.

I'm curious, what pps did you manage to get?

-alex

72xx NPE-xxx is NOT flow-based -- unless you explicitly configure it to be.
(i.e. disable CEF, enable flow switching).

CEF is prefix-based switching - where all possible prefixes (routes/RIB) are already programmed into the forwarding table (FIB).
anything not programmed into the FIB doesn't exist in the RIB, ergo there is no route therefore is dropped.

i believe the words you're looking for are "NPE-xxx is SOFTWARE-based forwarding". this part is true enough - but a NPE-G1 has far more cpu cycles to switch/route than previous NPE-400/300/225/200/150 et al.
software-based forwarding isn't so bad -- it means that platforms such as the 7200 typically have lots of features.

this is different to the NSE-xxx which is part software-based forwarding and part PXE-based forwarding.
the exact features accelerated by PXE varies depending what code release is used.

you said:
         flow-based means router's performance is based on number of flows
         established, and first packet of each 'flow' is processed differently
         [slower] from all other within the flow, and things like nachi will kill
         it.

no, this isn't true. (at least, it isn't unless you explicitly configure it that way). for a service-provider, you wouldn't want to use it in any forwarding mode other than CEF, unless there is very good reason to.

to provide you with a summary of forwarding paths and their uses:
   CEF switching:
         prefix-based pre-populated FIB
   dCEF switching:
         distributed version of CEF - typically each linecard has its own
         FIB and therefore switching decisions are distributed per linecard
   Fast switching:
         destination-based demand switching. a 'route cache' exists of
         destinations to be forwarded to. the first packet to a destination
         is "process switched", which installs the route-cache entry.
         subsequent packets are switched in the "fast" (aka interrupt)
         path.
   Process switching:
         all packets received (at interrupt level) are queued for process-level
         to route.

then there's Flow Switching, whose definition has changed over time:
   Flow Switching:
         a variation on Fast-switching, but where a flow-entry is created based
         on a 5-tuple (srcip/dstip/proto/srcport/dstport/TOS). first packet is process-
         switched, which installs the flow entry, subsequent packets are switched
         at interrupt level

now, Flow Switching has changed over time. you can enable both CEF+Flow and Flow simply becomes an accounting method that is useful for netflow - but you continue to have packets switched using CEF.

as to the exact level of forwarding used for each packet, that varies --
if you enable a feature that isn't in the CEF path, then the packet is switched using the next-lower-layer that supports the 'feature'.
for service-provider type environments, there aren't too many features necessary for /most/ deployments that aren't already covered in CEF on 7200, so you're mostly ok there.

this is just a brief description of how a 72xx works - and there are many permutations and differences between different platforms and boxes.
if you want the full rundown, Phil Harris normally gives a "Router Architecture" presentation at every Networkers i've ever attended, and it covers all this and more.

cheers,

lincoln.
disclosure: my other email address is ltd@cisco.com, but i work in Fibre Channel not IP these days.
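As an added illustration that is not part of the thread (none of the posters ran or wrote this), the following Python toy model plays lincoln's three forwarding paths against the traffic mixes argued about above: a few long-lived flows, a Nachi-style one-packet-per-destination scan, and a many-source-ports flood at a single destination. CEF does a longest-prefix match in a pre-populated FIB for every packet; fast switching keeps a demand-populated per-destination route cache; flow switching keeps a demand-populated per-5-tuple cache. Each model counts how many packets land in the process-switched (cache-install) path. The FIB prefixes, interface names, addresses and the 20-byte preamble/IFG overhead in pps_to_mbps are all constructed assumptions, not measurements of any real NPE.

```python
"""Toy model of IOS forwarding paths: CEF vs fast switching vs flow switching.

Counts how many packets of a traffic mix are process switched (cache install)
versus switched at interrupt level.  Everything here is constructed for
illustration; it does not model real NPE-G1 timing or cache sizes.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport")

# Constructed FIB: prefix -> outgoing interface (hypothetical names).
FIB = {
    ipaddress.ip_network("0.0.0.0/0"): "Gi0/1",
    ipaddress.ip_network("10.0.0.0/8"): "Gi0/2",
    ipaddress.ip_network("10.1.0.0/16"): "Gi0/3",
}


def cef_lookup(dst):
    """Longest-prefix match in the pre-populated FIB; no per-packet state."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n in FIB if addr in n), key=lambda n: n.prefixlen)
    return FIB[best]


class Forwarder:
    """Base: every packet is forwarded; we only record which path did it."""

    def __init__(self):
        self.fast = 0   # interrupt-level switched packets
        self.slow = 0   # process-switched packets

    def forward(self, pkt):
        raise NotImplementedError


class CEF(Forwarder):
    """Prefix-based: the FIB already holds every prefix, so no slow path."""

    def forward(self, pkt):
        self.fast += 1
        return cef_lookup(pkt.dst)


class DemandCache(Forwarder):
    """Demand-populated cache: first packet for a key is process switched,
    which performs the route lookup and installs the cache entry."""

    def __init__(self):
        super().__init__()
        self.cache = {}

    def key(self, pkt):
        raise NotImplementedError

    def forward(self, pkt):
        k = self.key(pkt)
        if k not in self.cache:
            self.slow += 1
            self.cache[k] = cef_lookup(pkt.dst)
        else:
            self.fast += 1
        return self.cache[k]


class FastSwitch(DemandCache):
    """Route cache keyed on destination address only."""

    def key(self, pkt):
        return pkt.dst


class FlowSwitch(DemandCache):
    """Flow cache keyed on the 5-tuple."""

    def key(self, pkt):
        return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)


def bulk_transfer(n=10000, flows=10):
    """n packets spread over a few long-lived TCP flows (constructed)."""
    return [Packet("10.1.0.5", "10.2.0.%d" % (i % flows), 6,
                   40000 + i % flows, 80) for i in range(n)]


def worm_scan(n=10000):
    """One ICMP echo per distinct destination, Nachi-style (constructed)."""
    base = ipaddress.ip_address("10.3.0.0")
    return [Packet("10.1.0.5", str(base + i), 1, 0, 0) for i in range(n)]


def syn_flood(n=10000):
    """Many short flows to one destination, distinct source ports (constructed)."""
    return [Packet("10.1.0.5", "10.2.0.1", 6, 1024 + i, 80) for i in range(n)]


def slow_path_counts(traffic):
    """Return {path: process-switched packet count} for one traffic mix."""
    results = {}
    for name, cls in (("CEF", CEF), ("fast", FastSwitch), ("flow", FlowSwitch)):
        fwd = cls()
        for pkt in traffic:
            fwd.forward(pkt)
        results[name] = fwd.slow
    return results


def pps_to_mbps(pps, frame_bytes=64):
    """Wire rate for a packet rate, assuming 20 bytes preamble+IFG per frame."""
    return pps * (frame_bytes + 20) * 8 / 1e6


if __name__ == "__main__":
    for label, mix in (("bulk", bulk_transfer()), ("scan", worm_scan()),
                       ("flood", syn_flood())):
        print(label, slow_path_counts(mix))
    print("200kpps of 64-byte frames = %.1f Mbit/s" % pps_to_mbps(200000))
```

The point the model makes: under CEF the process-switched count is zero for every mix, so only pps matters, as Steinar says; a per-destination cache is only hurt by the scan, while a per-5-tuple cache is also hurt by the single-destination flood, which is the "one packet per flow" failure mode alex describes. The pps_to_mbps helper shows why a 200kpps flood of minimum-size frames is only on the order of 130-150 Mbit/s on the wire.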