Gunther Stammwitz asks a very reasonable question:

> At the moment we're using Cisco 12000 gear in our network and now
> I'd like to buy another

But here he makes a big mistake:

> router

What about replacing this with the word "box"? :-)

> in order to increase our redundancy. Another provider pointed at his
> foundry bigiron 8000 and told me how well it is running.
> Okay.. What he didn't know were the technical facts like pps or
> where the asic is (on the line- or management card) and so on but he
> said that the machine can sustain a dos attack of up to a gigabit
> without problems.
> Anyone here who has experience with the Bigiron series and would like to
> share some thoughts?

Viktor Steinmann writes:

> BigIron is a Switch - not a router...
> O.k. - maybe Foundry says, it's a router. But when you try to do
> some advanced routing on that box - forget it...

Neil J McRae writes:

> It's a switch not a router IMO. If you want a router
> talk to Juniper.

My first take is "who cares"? If it does what you need at a decent price, go for it.

My second take is: buy a NetIron rather than a BigIron - probably the same hardware, but it's marketed as a router. Just keep telling everybody that you have a GSR, so that your colleagues still take you seriously.

The architecture of the latest NetIron is quite nicely described in a recent marketing blurb:

http://www.foundrynet.com/products/routers/netiron/ni40g.html?referrer=simons-swinog-post:-)

Extract:

"The NetIron 40G dual-stack line modules are optimized for IPv4 and IPv6 packet formats and deliver wire-speed performance for both protocols. Each NetIron 40G line module supports as many as 512,000 IPv4 routes (four times the size of the Internet today) or 128,000 IPv6 routes in the module's hardware-based, pre-populated forwarding engine."

So the forwarding engines are on the modules. How resistant the boxes are to various kinds of DoS I don't know - it certainly looks hard to overwhelm the forwarding plane just by sending small packets at it, because the total box capacity is 320 Mpps, which seems to mean 40 Mpps per linecard.

I seem to remember that the much older NetIrons I used to be familiar with had flow-based forwarding, so they were susceptible to being overwhelmed by single-small-packet flows (aggressive address scans), which was worrying. But it may very well be that the new ASICs have something more similar to regular CEF. The other question is how well you can protect the control plane against DoS traffic.

As to my own experience with the new BigIrons: I don't have any, but:

A few years ago we used two NetIron 400 boxes (very similar to the BigIron 4000, I think) for our first Gigabit link (a 2.5Gbps STM-16c Geneva-Zurich) - rather than using GSRs or Junipers, to make the experiment more interesting. I must say that I really liked the boxes, especially given the price. There were a few issues with the performance of their first-generation POS cards (which were eventually solved by them being upgraded to newer hardware), and the speed of integration of new software features was glacial (but since we all have Cisco we are used to that already :-). But in the end performance was excellent, price and port density too, and last but not least Cisco started being much more interested in our account.

From looking at the NetIron 40G specs, I'd say give those a try. The BigIron 8000 probably has an older generation of ASICs. The BigIron MG8 looks similar to the NetIron 40G, although the ASICs may be different - for instance they never talk about IPv6, while the NI40G supports that in the ASIC.

By the way, we now use Cisco Catalyst 6500 (if you want to call it a switch)/7600 OSR (if you need a router) in our backbone, and we're generally quite happy with them. We like the cost-effective upgrade path to 10GE (Foundry has that one too), and they do mostly everything we need.

-- 
Simon.

_______________________________________________
swinog mailing list
[EMAIL PROTECTED]
http://lists.init7.net/cgi-bin/mailman/listinfo/swinog
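The point Simon raises about flow-based forwarding versus a CEF-style pre-populated FIB is worth seeing in numbers. The following is an added toy model, not code from the post, from Foundry or from any router vendor: it assumes a flow cache that punts every cache miss to the CPU and evicts least-recently-used entries when full, and a prefix FIB that resolves every packet in hardware by longest-prefix match. The traffic generators, the /16 being scanned, the cache capacity and the flow counts are all constructed for illustration.

```python
"""Toy model: flow-cached forwarding vs. a pre-populated prefix FIB under an address scan.

Added illustration, not vendor code. Assumptions (all hypothetical):
  * FlowCache punts every miss to the control-plane CPU, then installs an entry
    (LRU eviction when full), which is how early flow-based forwarders behaved.
  * PrefixFib is CEF-like: the whole routing table is in hardware beforehand,
    so a lookup never involves the CPU, whatever the destination.
"""
import ipaddress
from collections import OrderedDict


class FlowCache:
    """Per-(src, dst) forwarding cache with LRU eviction; misses are CPU punts."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.entries: "OrderedDict[tuple[str, str], bool]" = OrderedDict()
        self.punts = 0   # packets the hardware could not forward on its own
        self.hits = 0

    def forward(self, src: str, dst: str) -> bool:
        key = (src, dst)
        if key in self.entries:
            self.entries.move_to_end(key)   # refresh LRU position
            self.hits += 1
            return True
        # Miss: the packet is punted so the CPU can build the flow entry.
        self.punts += 1
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)   # evict least recently used
        self.entries[key] = True
        return False


class PrefixFib:
    """Longest-prefix-match table populated up front; every lookup stays in hardware."""

    def __init__(self, prefixes: list[str]) -> None:
        nets = [ipaddress.ip_network(p) for p in prefixes]
        self.prefixes = sorted(nets, key=lambda n: n.prefixlen, reverse=True)
        self.lookups = 0

    def forward(self, src: str, dst: str) -> bool:
        self.lookups += 1
        addr = ipaddress.ip_address(dst)
        return any(addr in net for net in self.prefixes)   # unmatched = hardware drop


def scan_traffic(n: int, src: str = "192.0.2.1", net: str = "10.0.0.0/16") -> list[tuple[str, str]]:
    """Constructed address scan: n packets, each to a different host in `net`."""
    hosts = ipaddress.ip_network(net).hosts()
    return [(src, str(next(hosts))) for _ in range(n)]


def steady_traffic(n: int, flows: int = 100, src: str = "192.0.2.1") -> list[tuple[str, str]]:
    """Constructed steady-state traffic: n packets cycling round-robin over `flows` destinations."""
    pairs = [(src, f"10.0.0.{i + 1}") for i in range(flows)]
    return [pairs[i % flows] for i in range(n)]


def run(traffic: list[tuple[str, str]], cache_capacity: int = 1000) -> dict[str, int]:
    """Push the same packets through both models and report how much work left the hardware."""
    cache = FlowCache(cache_capacity)
    fib = PrefixFib(["10.0.0.0/16", "0.0.0.0/0"])   # hypothetical table: one customer /16 plus default
    for src, dst in traffic:
        cache.forward(src, dst)
        fib.forward(src, dst)
    return {
        "packets": len(traffic),
        "flow_cache_punts": cache.punts,   # CPU load on the flow-based box
        "flow_cache_hits": cache.hits,
        "fib_hw_lookups": fib.lookups,     # all packets handled in hardware
    }


if __name__ == "__main__":
    for name, pkts in (("steady 100 flows", steady_traffic(10_000)),
                       ("address scan", scan_traffic(10_000))):
        r = run(pkts)
        print(f"{name:16s} punts={r['flow_cache_punts']:6d}/{r['packets']}  "
              f"fib hw lookups={r['fib_hw_lookups']}")
```

With 10,000 packets of steady traffic over 100 flows the cache punts exactly 100 packets (one per flow) and then forwards in hardware; the same 10,000 packets as an address scan punt all 10,000, because every packet is a new flow, so the scan rate becomes the CPU's interrupt rate regardless of the cache size. The prefix FIB does 10,000 hardware lookups in both cases, which is the property the marketing text's "pre-populated forwarding engine" describes. The model says nothing about the separate problem of protecting the control plane from traffic actually addressed to it.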
