On 17. feb. 2010, at 08.47, Claudio Jeker wrote:

> On Wed, Feb 17, 2010 at 03:35:24AM +0200, Kapetanakis Giannis wrote:
>> On 17/02/10 03:16, FRLinux wrote:
>>
>>> Mmmh, you piqued my interest here. You mentioned your cisco 6500 but I
>>> guess you are going to use only gigabit NICs, so you have no need on
>>> the 10gb range? Just asking, not trying to start a war :)
>>>
>>> Cheers,
>>> Steph
>>
>> ps. the cisco crawled when I enabled IOS firewall features (stateful).
>> Firewall interface == $35K.... come on now... Too much money!
>>
> The 6500 and 7600 cisco systems are not able to do stateful firewalling
> in HW and also have issues with stuff like netflow exports. Unless you buy
> the super expensive line cards. Even the big SUP boards come with a tiny
> CPU running at the speed of a loongson -- those can be killed with a few
> Mbps of multicast traffic.
>
> --
> :wq Claudio
Just to balance the anti-cisco viewpoint: if you want to do deep packet stuff in HW, then Cisco offer the FWSM & ACE & NAM modules for 6500/7600.

The SUPs (meant for switching/routing, not FWing) support CoPP (control-plane policing) in HW, which should be configured to prevent abusive traffic hitting the CPU; this (amongst a large list of others) includes high PPS multicast.

For example see:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd802ca5d6.html

/Pete
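As an added illustration of the CoPP configuration Pete refers to (this is not part of his message or of the linked Cisco whitepaper), the fragment below is a minimal IOS control-plane policy in Catalyst 6500/7600 syntax. The ACL names, class names, the 192.0.2.0/24 management prefix and every rate and burst value are assumptions chosen for the example; real values must be derived from the counters on the box being protected.

```text
! Added example (not from the thread); names, prefixes and rates are assumptions.
!
! On Catalyst 6500/7600 the PFC only enforces CoPP in hardware when MLS QoS is on.
mls qos
!
! Management traffic from an assumed trusted prefix (192.0.2.0/24, a documentation range).
ip access-list extended COPP-MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
!
! Everything multicast that gets punted to the route processor (224.0.0.0/4).
ip access-list extended COPP-MULTICAST
 permit ip any 224.0.0.0 15.255.255.255
!
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-MULTICAST
 match access-group name COPP-MULTICAST
!
! Classes are evaluated top to bottom; the broad multicast class goes after the
! narrower ones. Rates below are placeholders, not recommendations.
policy-map COPP
 class COPP-MGMT
  police 1000000 32000 conform-action transmit exceed-action drop
 class COPP-MULTICAST
  police 512000 16000 conform-action transmit exceed-action drop
 class class-default
  police 256000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! Check what is being policed before tightening the numbers:
!   show policy-map control-plane
```

Two caveats a practitioner would want before copying this: first, 224.0.0.0/4 also covers the link-local groups used by OSPF (224.0.0.5/6), PIM (224.0.0.13) and the like, so on a real router the routing-protocol and PIM/IGMP traffic needs its own, earlier class with a sane rate, otherwise the multicast policer starts eating hellos and the box isolates itself; second, which traffic types a given supervisor/PFC polices in hardware versus in software, and whether policing is in bits or packets per second, depends on the platform and IOS release, so the linked whitepaper (or the release notes for the specific SUP) is the place to confirm that the "high PPS multicast" case is actually handled in HW on the hardware in question.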