cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1895
Views
4
Helpful
3
Replies

VSS/FWSM and BGP at the Internet Edge

MATTHEW BECK
Level 1
Level 1

Hello all,

Has anyone seen/built a config in which a pair of 6500s in VSS are used at the Internet Edge? I picture the VSS multi-homed to several ISPs using BGP and the FWSMs providing ACL/NAT functionality.

Please let me know if you have seen this done and how it went.

Thanks,

Matt

3 Replies 3

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Matt,

be aware that each FWSM is limited to 2.5 Gbps per direction of throughput.

You may need to assign active role to different FWSMs on a per context basis to achieve better scalability.

However, I've never heard of someone using VSS up to now for eBGP peering.

usage of supervisors 720 BXL and above has been reported for handling multiple full BGP tables.(and we use it actually)

So from this point of view you should be fine.

VSS is targeted more for data center and the active supervisor has to mantain CEF tables on all linecards also on the standby chassis.

the CEF table will be huge if full internet tables are setup on device.

And it has to travel over the VSL link to reach linecards on standby chassis.

You can get more scalability with two stand-alone C6509 on the signalling plane.

Hope to help

Giuseppe

Hello Guiseppe, thanks for your response.

Yes, I am aware of the throughput limits on the FWSM. I actually started looking at the ACE/FWSM load-balanced FW designs in order to scale beyond 1 FWSM so Active/Active is the way to go with a solution like this.

I've never heard of anyone doing this either but I thought I'd ask because I think it can work. (I'm not yet sure I would do it, but...)

I was thinking of using the DFC3CXL cards to accomodate up to 1 million routes/entries in the CEF tables.

So now I'm wondering what you think about VSS and VSL link vs. HSRP or VRRP. If the FWSM is only going to have a single default gateway (and it has to since Act/Act negates dynamic routing) either HSRP, GLBP or VRRP has to run on the MSFC SVIs connecting to the FWSMs. It seems to me that the amount of traffic crossing the link between switches is going to be the same either way. I guess with two HSRP groups running and proper gateway config on the FWSM instances this can be mitigated until a failure occurs. But BGP may just decide to send it to the other chassis for another exit interface anyway. Any thoughts on eBGP and first-hop redundancy protocols with VSS?

Thanks for your time and take care,

Matt

Review Cisco Networking for a $25 gift card