Re: Force10 Gear - Opinions
On Fri, Aug 22, 2008 at 08:34:05AM -0600, Matlock, Kenneth L wrote: > Sorry for the off-topic post. > > Does anyone here have real-world experience with Force 10 gear > (Specifically their E-Series and C-Series)? They came and did their > whole dog and pony show today, but I wanted to get real-world feedback > on their gear. shameless-plug=on Hi, You may want to consider asking on force10-nsp as well. http://puck.nether.net/mailman/listinfo/force10-nsp - Jared -- Jared Mauch | pgp key available via finger from [EMAIL PROTECTED] clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: Force10 Gear - Opinions
On Fri, Aug 22, 2008 at 10:34 AM, Matlock, Kenneth L <[EMAIL PROTECTED]> wrote: > Sorry for the off-topic post. Don't be; it was acutely on-topic. > Does anyone here have real-world experience with Force 10 gear > (Specifically their E-Series and C-Series)? They came and did their > whole dog and pony show today, but I wanted to get real-world feedback > on their gear. > > > > I need to know about their > > > > 1) Reliability > > 2) Performance EANTC did a comprehensive study of the E-series: http://www.eantc.de/en/test_reports_presentations/test_reports/force_10_sfm_failover_video_ftos_6211.html http://www.eantc.com/fileadmin/eantc/downloads/test_reports/2006-2008/Cisco-Force10/EANTC_Full_Report.pdf http://www.eantc.com/fileadmin/eantc/downloads/test_reports/2006-2008/Cisco-Force10/Section_8.pdf > 3) Support staff (how knowledgeable are they?) I'm not a customer, so I can't speak to this. > 4) Price (higher/lower/comparable to comparable Cisco gear) Comparing list pricing, it looks like Force 10 would have you pay more for less features. As a box designed with the enterprise datacenter in mind, the E-series looks to be missing several key service provider features, including MPLS and advanced control plane filtering/policing. http://www.force10networks.com/news/pressreleases/2007/pr-2007-02-05.asp https://www.force10networks.com/CSPortal20/KnowledgeBase/DOCUMENTATION/CLIConfig/FTOS/E_CONFIG_6.5.4.0_7-Feb-08.pdf Paul
Re: Force10 Gear - Opinions
Subject: Force10 Gear - Opinions Does anyone here have real-world experience with Force 10 gear (Specifically their E-Series and C-Series)? They came and did their whole dog and pony show today, but I wanted to get real-world feedback on their gear. I was at a customer site doing a NAC deployment study recently ( <6 months ago) and there was some Force10 edge gear in place. We had to drop the Force10 gear out of the picture because it didn't support any of the rich features that we needed to get NAC up and running. The customer was perfectly happy with the ability of the stuff to pass packets and act as a not-very-smart edge switch, and hadn't evaluated the feature set for anything beyond that. My conclusion was that if you want to use it at the edge to pass a lot of packets at 'enterprise' line rates and don't care about anything else (we were looking at good 802.1X support with ACLs and all of the other miscellaneous bits that make NAC work, YMMV) then it seems to be fine per this customer's experience. If you want something with a stronger feature set for future expansion, there seem to be other companies that have more experience. In David Newman's test of 10G edge switches (http://www.networkworld.com/reviews/2008/032408-switch-test.html) Force10 elected not to participate, which is often telling. jms Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719 Senior Partner, Opus One Phone: +1 520 324 0494 [EMAIL PROTECTED]http://www.opus1.com/jms
Re: Force10 Gear - Opinions
On Aug 23, 2008, at 10:52 PM, Paul Wall wrote: EANTC did a comprehensive study of the E-series: http://www.eantc.de/en/test_reports_presentations/test_reports/force_10_sfm_failover_video_ftos_6211.html http://www.eantc.com/fileadmin/eantc/downloads/test_reports/2006-2008/Cisco-Force10/EANTC_Full_Report.pdf http://www.eantc.com/fileadmin/eantc/downloads/test_reports/2006-2008/Cisco-Force10/Section_8.pdf Did you read these? They appear to be nonsense. They were bought and paid for by Cisco, and including nonsense things like "if you leave a slot open the chassis will burn up" as a decrement, which is also true in pretty much every big iron vendor. They also deliberately detuned the force10 configuration. They re-ran the tests using the recommended configuration and got very different numbers -- which you can request from them, but they won't publish on the website. I'm not trying to be a Force10 advocate here (although I like their stuff) so much as trying to point at an incredibly biased and non- vendor-neutral report. It is entirely funny the amount they tried to make nonsensical stuff sound important. Comparing list pricing, it looks like Force 10 would have you pay more for less features. Based on what? For E and C series boxes, Cisco is never cheaper. S- series are a different story. As a box designed with the enterprise datacenter in mind, the E-series looks to be missing several key service provider features, including MPLS and advanced control plane filtering/policing. Ah, because Cisco does either of these in hardware? -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Force10 Gear - Opinions
On Aug 22, 2008, at 7:34 AM, Matlock, Kenneth L wrote: 1) Reliability Very good. Across our entire business we've lost 1 RPM module in ~2 years. 2) Performance [Note: we have no 10g interfaces, so I can only speak to a many- singleg-port environment] Much higher than Cisco. So good at dealing with traffic problems that we have had multi-gig DoS attacks that we wouldn't have known about without having an IDS running on a mirroring port. 3) Support staff (how knowledgeable are they?) Significantly higher than Cisco, and escalation is easier. On par with Juniper. 4) Price (higher/lower/comparable to comparable Cisco gear) 80% of the Cisco of a comparable Cisco solution, and the support contracts are cheaper too. We're exclusively a Cisco shop here right now (mostly Cat6500s), so changing out some of our core gear with Force 10 is a bit 'scary', but if it meets our needs, maybe... If you go from Juniper to Force10 you might find some things lacking, but Cisco to Force10 is only an improvement. You'll never have to wonder if the command you're typing will throw the unit into software routing mode, as Cisco bugs have usually done. (not possible in the FTOS architecture) These things are so very solid that I rarely spend any time doing network work any more. Gigabit line-speed BCP38 makes life easier for the abuse helpdesk too. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Force10 Gear - Opinions
>> 2) Performance > > [Note: we have no 10g interfaces, so I can only speak to a many-singleg-port > environment] > Much higher than Cisco. So good at dealing with traffic problems that we > have had multi-gig DoS attacks that we wouldn't have known about without > having an IDS running on a mirroring port. Do they have something with a few singleg-ports (could be only 2) but can route a large FIB (half a million, million routes) and some large RIBs (3 full-routing views, a hundred peers) ? Rubens
RE: Force10 Gear - Opinions
> > > As a box designed with the enterprise datacenter in mind, the E- > series > > looks to be missing several key service provider features, including > > MPLS and advanced control plane filtering/policing. > > > Ah, because Cisco does either of these in hardware? Yes. PFC3 inside Supervisor 32, 720 and RSP 720 for Catalyst 6500/Router 7600 series perform both of these features in hardware. The article mentioned in this thread compares Force10 E against the 6500 series. james
Re: Force10 Gear - Opinions
On Mon, Aug 25, 2008 at 7:20 PM, Jo Rhett <[EMAIL PROTECTED]> wrote: >> http://www.eantc.de/en/test_reports_presentations/test_reports/force_10_sfm_failover_video_ftos_6211.html >> >> >> http://www.eantc.com/fileadmin/eantc/downloads/test_reports/2006-2008/Cisco-Force10/EANTC_Full_Report.pdf >> >> >> http://www.eantc.com/fileadmin/eantc/downloads/test_reports/2006-2008/Cisco-Force10/Section_8.pdf > > Did you read these? Yes. > They appear to be nonsense. They were bought and paid > for by Cisco, and including nonsense things like "if you leave a slot open > the chassis will burn up" as a decrement, which is also true in pretty much > every big iron vendor. Current-generation Cisco and Juniper hardware don't seem to have this problem. I don't think the "remove one SFM and all the others go offline" failure mode is commonplace among other vendors either. > They also deliberately detuned the force10 > configuration. They re-ran the tests using the recommended configuration > and got very different numbers -- which you can request from them, but they > won't publish on the website. I'd be interested in seeing this. Mind putting them up somewhere and sharing the URL? > Based on what? For E and C series boxes, Cisco is never cheaper. S-series > are a different story. I was comparing list pricing for the E-series up against Catalyst 6500, Supervisor 720-3BXL, 6700 blades with CFC... which I consider a fair comparison. >> As a box designed with the enterprise datacenter in mind, the E-series >> looks to be missing several key service provider features, including >> MPLS and advanced control plane filtering/policing. > > > Ah, because Cisco does either of these in hardware? Yes, they do, on the s720-3B and better. Drive Slow, Paul Wall
Re: Force10 Gear - Opinions
On Mon, Aug 25, 2008 at 7:26 PM, Jo Rhett <[EMAIL PROTECTED]> wrote: >> 1) Reliability > > Very good. Across our entire business we've lost 1 RPM module in ~2 years. How many boxes in total? Losing a single routing engine in two years is not a bad MTBF, though I wonder if we're talking about one chassis or one thousand. >> 2) Performance > > [Note: we have no 10g interfaces, so I can only speak to a many-singleg-port > environment] > Much higher than Cisco. So good at dealing with traffic problems that we > have had multi-gig DoS attacks that we wouldn't have known about without > having an IDS running on a mirroring port. Routing n*GE at line rate isn't difficult these days, even with all 64-byte packets and other "DoS" conditions. Linksys, D-Link, SMC, etc are able to pull it off on the layer 3 switches sold at Fry's for a couple benjamins a pop. :) Now mind you, this is all traffic through the router. I'd imagine Force 10 would have a problem with traffic aimed at its interface or loopback IPs, given their lack of control plane policing/filtering, unlike say: http://aharp.ittns.northwestern.edu/papers/copp.html >> 3) Support staff (how knowledgeable are they?) > > Significantly higher than Cisco, and escalation is easier. On par with > Juniper. This is good, though not necessarily hard when you have a small pool of TAC people. Then again, I've always had a good support experience with Extreme, but I'm not about to run out and replace my core with Black Diamonds. :) > These things are so very solid that I rarely spend any time doing network > work any more. Gigabit line-speed BCP38 makes life easier for the abuse > helpdesk too. I'm unaware of any hardware-forwarding-based platforms which can't do this. Though if I find any, I'll be sure to steer clear! Paul Wall
Re: Force10 Gear - Opinions
"Then again, I've always had a good support experience with Extreme, but I'm not about to run out and replace my core with Black Diamonds. :)" I once worked at a place where we had BD 6808's at the core; one of them consistently had hardware issues, and it took me the better part of a year of fighting with Extreme to get them to replace the chassis, but when they did, the problems went away, imagine that. I suppose similar isolated incidents could happen with anyone occasionally though. Chris On Tue, Aug 26, 2008 at 3:26 AM, Paul Wall <[EMAIL PROTECTED]> wrote: > On Mon, Aug 25, 2008 at 7:26 PM, Jo Rhett <[EMAIL PROTECTED]> > wrote: > >> 1) Reliability > > > > Very good. Across our entire business we've lost 1 RPM module in ~2 > years. > > How many boxes in total? Losing a single routing engine in two years > is not a bad MTBF, though I wonder if we're talking about one chassis > or one thousand. > > >> 2) Performance > > > > [Note: we have no 10g interfaces, so I can only speak to a > many-singleg-port > > environment] > > Much higher than Cisco. So good at dealing with traffic problems that we > > have had multi-gig DoS attacks that we wouldn't have known about without > > having an IDS running on a mirroring port. > > Routing n*GE at line rate isn't difficult these days, even with all > 64-byte packets and other "DoS" conditions. > > Linksys, D-Link, SMC, etc are able to pull it off on the layer 3 > switches sold at Fry's for a couple benjamins a pop. :) > > Now mind you, this is all traffic through the router. I'd imagine > Force 10 would have a problem with traffic aimed at its interface or > loopback IPs, given their lack of control plane policing/filtering, > unlike say: > > http://aharp.ittns.northwestern.edu/papers/copp.html > > >> 3) Support staff (how knowledgeable are they?) > > > > Significantly higher than Cisco, and escalation is easier. On par with > > Juniper. > > This is good, though not necessarily hard when you have a small pool > of TAC people. > > Then again, I've always had a good support experience with Extreme, > but I'm not about to run out and replace my core with Black Diamonds. > :) > > > These things are so very solid that I rarely spend any time doing network > > work any more. Gigabit line-speed BCP38 makes life easier for the abuse > > helpdesk too. > > I'm unaware of any hardware-forwarding-based platforms which can't do this. > > Though if I find any, I'll be sure to steer clear! > > Paul Wall > >
Re: Force10 Gear - Opinions
On Tue, 26 Aug 2008, Chris Riling wrote: I once worked at a place where we had BD 6808's at the core; one of them consistently had hardware issues, and it took me the better part of a year of fighting with Extreme to get them to replace the chassis, but when they did, the problems went away, imagine that. I suppose similar isolated incidents could happen with anyone occasionally though. If you've worked long enough, you will have had everything happen to you. I've had power supply problems where it was actually the SUP720-3BXL that was the issue (discovered after first replacing PSU, then chassis, then finally the SUP). We have a GSR where we have replaced everything so far (including chassis), problem still persists. What do to then? Ask to replace everything again but do this in one bang? Must be interesting to work as a TAC engineer, they must see a lot of weird things. -- Mikael Abrahamssonemail: [EMAIL PROTECTED]
Re: Force10 Gear - Opinions
Paul Wall wrote: On Fri, Aug 22, 2008 at 10:34 AM, Matlock, Kenneth L <[EMAIL PROTECTED]> wrote: Does anyone here have real-world experience with Force 10 gear (Specifically their E-Series and C-Series)? They came and did their whole dog and pony show today, but I wanted to get real-world feedback on their gear. I need to know about their 1) Reliability 2) Performance EANTC did a comprehensive study of the E-series: http://www.eantc.de/en/test_reports_presentations/test_reports/force_10_sfm_failover_video_ftos_6211.html http://www.eantc.com/fileadmin/eantc/downloads/test_reports/2006-2008/Cisco-Force10/EANTC_Full_Report.pdf http://www.eantc.com/fileadmin/eantc/downloads/test_reports/2006-2008/Cisco-Force10/Section_8.pdf Standard benchmarketing. Not that I blame Cisco or EANTC for that, since they were debunking some benchmarketing done by Force10 and Tolly, but consider the source (and follow the money) when reading any "independent" test and what that means for accuracy. 80% of the EANTC report can be summed up as "The default CAM profile didn't do what we wanted, and we didn't bother asking Force10 for the commands to make it work." There are indeed some interesting product weaknesses, like any vendor has, but the fact that Force10's CAM can be partitioned to match the buyer's needs, rather than having a fixed configuration that all customers are forced to use, is an advantage in my book. S (Disclosure: I am a former employee of both Cisco and Force10, but have no ties to either today.)
Re: Force10 Gear - Opinions
Standard benchmarketing. Not that I blame Cisco or EANTC for that, since they were debunking some benchmarketing done by Force10 and Tolly, but consider the source (and follow the money) when reading any "independent" test and what that means for accuracy. 80% of the EANTC report can be summed up as "The default CAM profile didn't do what we wanted, and we didn't bother asking Force10 for the commands to make it work." There are indeed some interesting product weaknesses, like any vendor has, but the fact that Force10's CAM can be partitioned to match the buyer's needs, rather than having a fixed configuration that all customers are forced to use, is an advantage in my book. Having delved a bit deeper into F10's "partitioning" scheme, actually, it's not as flexible as one might hope. There are a very small number of relatively large pages and you have to partition on page boundaries which leaves you with only limited flexibility when it comes to the CAM partitioning. Bottom line, in a few years, everyone carrying full tables with F10 gear will probably need to upgrade all of their line cards to quad-cam. Another thing to note (as near as I can tell, this applies to all vendors). All line cards will function only at the lowest common denominator line card CAM level. IOW, if you have single, dual, and quad-cam cards in your F10 chassis, they'll all act like single-CAM cards. Owen
Re: Force10 Gear - Opinions
On Aug 26, 2008, at 6:46 PM, Owen DeLong wrote: Another thing to note (as near as I can tell, this applies to all vendors). All line cards will function only at the lowest common denominator line card CAM level. IOW, if you have single, dual, and quad-cam cards in your F10 chassis, they'll all act like single-CAM cards. Owen I'd have to second that. This is a very annoying fact, that you will find mentioned nowhere. What I also used to dislike is the lack of verbosity of 'show features' - but that was back a year ago. Btw, you absolutely want to avoid the S series, the CLI is a pain, and is not the same as the E or C series, and lacks many features. Price/10G port is interesting though, but not as much as with Arastra, if that's switching you're into. (never tested any such kits though...) My own 2 cents. Greg VILLAIN
Re: Force10 Gear - Opinions
The S series runs the same FTOS as the C and E series, as of a number of months ago. The only exception is the 2410, ie all 10G ports L2 only. -jim On Mon, Sep 1, 2008 at 3:19 AM, Greg VILLAIN <[EMAIL PROTECTED]> wrote: > > On Aug 26, 2008, at 6:46 PM, Owen DeLong wrote: >> >> Another thing to note (as near as I can tell, this applies to all >> vendors). All line cards will function >> only at the lowest common denominator line card CAM level. >> >> IOW, if you have single, dual, and quad-cam cards in your F10 chassis, >> they'll all act like >> single-CAM cards. >> >> Owen > > > I'd have to second that. This is a very annoying fact, that you will find > mentioned nowhere. > What I also used to dislike is the lack of verbosity of 'show features' - > but that was back a year ago. > Btw, you absolutely want to avoid the S series, the CLI is a pain, and is > not the same as the E or C series, and lacks many features. > Price/10G port is interesting though, but not as much as with Arastra, if > that's switching you're into. (never tested any such kits though...) > My own 2 cents. > > Greg VILLAIN > > >
Re: Force10 Gear - Opinions
Sort of... There are still some notable differences in behavior. Owen On Sep 1, 2008, at 5:47 AM, jim deleskie wrote: The S series runs the same FTOS as the C and E series, as of a number of months ago. The only exception is the 2410, ie all 10G ports L2 only. -jim On Mon, Sep 1, 2008 at 3:19 AM, Greg VILLAIN <[EMAIL PROTECTED]> wrote: On Aug 26, 2008, at 6:46 PM, Owen DeLong wrote: Another thing to note (as near as I can tell, this applies to all vendors). All line cards will function only at the lowest common denominator line card CAM level. IOW, if you have single, dual, and quad-cam cards in your F10 chassis, they'll all act like single-CAM cards. Owen I'd have to second that. This is a very annoying fact, that you will find mentioned nowhere. What I also used to dislike is the lack of verbosity of 'show features' - but that was back a year ago. Btw, you absolutely want to avoid the S series, the CLI is a pain, and is not the same as the E or C series, and lacks many features. Price/10G port is interesting though, but not as much as with Arastra, if that's switching you're into. (never tested any such kits though...) My own 2 cents. Greg VILLAIN
Re: Force10 Gear - Opinions
On Aug 25, 2008, at 8:29 PM, James Jun wrote: As a box designed with the enterprise datacenter in mind, the E- series looks to be missing several key service provider features, including MPLS and advanced control plane filtering/policing. Ah, because Cisco does either of these in hardware? Yes. PFC3 inside Supervisor 32, 720 and RSP 720 for Catalyst 6500/ Router 7600 series perform both of these features in hardware. The article mentioned in this thread compares Force10 E against the 6500 series. Sorry, I was on an installation with 6500s and 720s trying to do uRPF and it kept falling back to software and killing the units. What your reading has no reality in my experience. I've been told exactly the same about MPLS by someone I trust (and who would only speak based on real experience, not reading online articles) "It works kindof, but when it fails you lose the entire network". -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Force10 Gear - Opinions
On Aug 26, 2008, at 12:18 AM, Paul Wall wrote: They appear to be nonsense. They were bought and paid for by Cisco, and including nonsense things like "if you leave a slot open the chassis will burn up" as a decrement, which is also true in pretty much every big iron vendor. Current-generation Cisco and Juniper hardware don't seem to have this problem. Your statement doesn't match my experience. I don't think the "remove one SFM and all the others go offline" failure mode is commonplace among other vendors either. It is neither common nor even actual on Force10. I've pulled many an SFM ;-) They also deliberately detuned the force10 configuration. They re-ran the tests using the recommended configuration and got very different numbers -- which you can request from them, but they won't publish on the website. I'd be interested in seeing this. Mind putting them up somewhere and sharing the URL? Sorry, my day job doesn't include promoting anyone's gear or etc. Got other things need doing. Ask EATC and ask them about their ethics while you're at it. Based on what? For E and C series boxes, Cisco is never cheaper. S-series are a different story. I was comparing list pricing for the E-series up against Catalyst 6500, Supervisor 720-3BXL, 6700 blades with CFC... which I consider a fair comparison. For equivalent redundancy and ports, the Force10 is always cheaper - even just in list price. (on the E-series -- Cisco has some cheaper options than the S-series so I've heard - don't care) As a box designed with the enterprise datacenter in mind, the E- series looks to be missing several key service provider features, including MPLS and advanced control plane filtering/policing. Ah, because Cisco does either of these in hardware? Yes, they do, on the s720-3B and better. No, they don't. There are *no* *zero* providers doing line-speed uRPF on Cisco for a reason. Stop reading, start testing. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Force10 Gear - Opinions
On Aug 26, 2008, at 12:26 AM, Paul Wall wrote: Routing n*GE at line rate isn't difficult these days, even with all 64-byte packets and other "DoS" conditions. Linksys, D-Link, SMC, etc are able to pull it off on the layer 3 switches sold at Fry's for a couple benjamins a pop. :) Sorry, I thought you were serious. I didn't realize you were joking. Carry on. *plonk* -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
RE: Force10 Gear - Opinions
> > > > Yes. PFC3 inside Supervisor 32, 720 and RSP 720 for Catalyst 6500/ > > Router > > 7600 series perform both of these features in hardware. The article > > mentioned in this thread compares Force10 E against the 6500 series. > > > Sorry, I was on an installation with 6500s and 720s trying to do uRPF > and it kept falling back to software and killing the units. What your > reading has no reality in my experience. uRPF was problematic back in PFC2 based platforms (i.e. SUP2) where it is further dependent upon unicast routes in FIB TCAM. uRPF currently works fine enough on PFC3 based sups, the only problem however is currently only "one or the other" mode is supported for the entire box, as opposed to per interface. For example, configuring loose-mode uRPF in one interface, then configuring a strict-mode in another will result in entire box behaving as strict-mode interface for all uRPF enabled interfaces. Other than this caveat, I never had problems with it. However, these uRPF issues are fully documented. Reading manuals and documentation should help you avoid getting into operational problems such as "kept falling back and killing the units" scenario. Control plane policing via cp-policer works quite well on pfc3 based 6500's. This is ofcourse a very important feature (more important than uRPF in today's internet IMO) that appears to be missing in f10 gear which is what Paul was saying earlier. james
Re: Force10 Gear - Opinions
On Aug 26, 2008, at 9:46 AM, Owen DeLong wrote: Bottom line, in a few years, everyone carrying full tables with F10 gear will probably need to upgrade all of their line cards to quad-cam. Why is this statement being limited to F10? It appears to be true of every vendor. But why quad-cam? The dual-cam cards have indecent amounts of storage. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Force10 Gear - Opinions
On Aug 31, 2008, at 11:19 PM, Greg VILLAIN wrote: What I also used to dislike is the lack of verbosity of 'show features' - but that was back a year ago. Much improved in the last 2 years. Btw, you absolutely want to avoid the S series, the CLI is a pain, and is not the same as the E or C series, and lacks many features. The old HP-CLI they used is gone, it's a full FTOS now. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Force10 Gear - Opinions
On Sep 3, 2008, at 5:30 PM, James Jun wrote: uRPF was problematic back in PFC2 based platforms (i.e. SUP2) where it is further dependent upon unicast routes in FIB TCAM. uRPF was untenable on SUP2, not problematic. It wasn't possible above ... 3mb/sec? Guys, this isn't SOHO routing here. If you can't take a single gig interface at full burst with your feature, you don't have it. uRPF currently works fine enough on PFC3 based sups, the only problem however is currently only "one or the other" mode is supported for the entire box, as opposed to per interface. For example, configuring loose-mode uRPF in one interface, then configuring a strict-mode in another will result in entire box behaving as strict-mode interface for all uRPF enabled interfaces. Other than this caveat, I never had problems with it. That's one hell of a caveot, given that you always want strict on your customers and loose on your transit links. However, these uRPF issues are fully documented. Reading manuals and documentation should help you avoid getting into operational problems such as "kept falling back and killing the units" scenario. This statement is patently false. The uRPF failures I dealt with were based entirely on the recommended settings, and were confirmed by Cisco. Last I heard (2 months ago) the problems remain. Cisco just isn't being honest with you about them. Control plane policing via cp-policer works quite well on pfc3 based 6500's. This is ofcourse a very important feature (more important than uRPF in today's internet IMO) that appears to be missing in f10 gear which is what Paul was saying earlier. Based on what? Other than some idea of "um, we can't meet BCP38 so lets call it unimportant?" -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Force10 Gear - Opinions
This is an awesome thread... in the 18mts I tested F10 vs Juniper vs Cisco I need see my Cisco sales rep push this hard :) On Wed, Sep 3, 2008 at 9:32 PM, Jo Rhett <[EMAIL PROTECTED]> wrote: > On Aug 26, 2008, at 9:46 AM, Owen DeLong wrote: >> >> Bottom line, in a few years, everyone carrying full tables with F10 gear >> will probably need to >> upgrade all of their line cards to quad-cam. > > > Why is this statement being limited to F10? > > It appears to be true of every vendor. > > But why quad-cam? The dual-cam cards have indecent amounts of storage. > > -- > Jo Rhett > Net Consonance : consonant endings by net philanthropy, open source and > other randomness > > > >
Re: Force10 Gear - Opinions
On Wed, Sep 3, 2008 at 5:38 PM, jim deleskie <[EMAIL PROTECTED]> wrote: > This is an awesome thread... in the 18mts I tested F10 vs Juniper vs > Cisco I need see my Cisco sales rep push this hard :) it's easy to push this hard when you have empirical evidence on your side but seriously, this is definitely a f10-nsp list thread and that place could use some love
Re: Force10 Gear - Opinions
> This statement is patently false. The uRPF failures I dealt with were based > entirely on the recommended settings, and were confirmed by Cisco. Last I > heard (2 months ago) the problems remain. Cisco just isn't being honest > with you about them. Would you mind telling us what is the scenario so we can avoid it ? Rubens
Re: Force10 Gear - Opinions
On Wed, Sep 3, 2008 at 8:29 PM, Jo Rhett <[EMAIL PROTECTED]> wrote: > On Aug 26, 2008, at 12:26 AM, Paul Wall wrote: >> >> Routing n*GE at line rate isn't difficult these days, even with all >> 64-byte packets and other "DoS" conditions. >> >> Linksys, D-Link, SMC, etc are able to pull it off on the layer 3 >> switches sold at Fry's for a couple benjamins a pop. :) > > Sorry, I thought you were serious. I am. All of these boxes can forward packets at line rate, and list for a fraction of the price of the Force 10 S-Series. I'll be correcting your other posts shortly! Drive Slow, Paul Wall
Re: Force10 Gear - Opinions
On Sep 3, 2008, at 8:36 PM, Jo Rhett wrote: That's one hell of a caveot, given that you always want strict on your customers and loose on your transit links. Personally I have always avoided combining customers and transit providers on the same routers in ISP environments. Brian
Re: Force10 Gear - Opinions
Paul Wall wrote: > On Wed, Sep 3, 2008 at 8:29 PM, Jo Rhett <[EMAIL PROTECTED]> wrote: >> On Aug 26, 2008, at 12:26 AM, Paul Wall wrote: >>> Routing n*GE at line rate isn't difficult these days, even with all >>> 64-byte packets and other "DoS" conditions. >>> >>> Linksys, D-Link, SMC, etc are able to pull it off on the layer 3 >>> switches sold at Fry's for a couple benjamins a pop. :) >> Sorry, I thought you were serious. > > I am. All of these boxes can forward packets at line rate, and list > for a fraction of the price of the Force 10 S-Series. a dlink dsg-3627g is a quite a few benjamins... but given that switch asics for said class of products are widely available and cheap, the difference between vender a and vendor b in that class of switch is futher up in the software stack. > I'll be correcting your other posts shortly! > > Drive Slow, > Paul Wall >
Re: Force10 Gear - Opinions
On Wed, Sep 3, 2008 at 8:28 PM, Jo Rhett <[EMAIL PROTECTED]> wrote: > For equivalent redundancy and ports, the Force10 is always cheaper - even > just in list price. (on the E-series -- Cisco has some cheaper options than > the S-series so I've heard - don't care) Some food for thought, comparing apples to apples... FORCE 10 * CH-E300-BNA8-L $35,000.00 E300 110V AC Terascale Chassis Bundle: 6-slot E300 chassis with 400 Gb backplane, fan subsystem, 3 AC Power Supplies (CC-E300-1200W-AC) 1 Route Processor Module (EF3), 2 Switch Fabric Modules LC-EF3-1GE-24P $30,000.00 E300 Terascale 24-port Gigabit Ethernet line card - SFP optics required (series EF3) CC-E300-1200W-AC $4,000.00 E300 1200W/800W AC Power Supply CC-E-SFM3 $12,500.00 E-Series Switch Fabric Module LC-EF3-RPM $30,000.00E300 Terascale Route processor module (series EF3) ** BASIC CONFIG WITH 24 GIG-E (SFP PORTS): $65000.00 (USD) ** CISCO WS-C6503-E Catalyst 6500 Enhanced 3-slot chassis,4RU,no PS,no Fan Tray 2500 WS-SUP720-3BXL= Catalyst 6500/Cisco 7600 Supervisor 720 Fabric MSFC3 PFC3BXL 4 WS-X6724-SFP= Catalyst 6500 24-port GigE Mod: fabric-enabled (Req. SFPs) 15000 WS-CAC-3000W= Catalyst 6500 3000W AC power supply (spare) 3000 PWR-950-DC= Spare 950W DC P/S for CISCO7603/Cat 65031245 WS-C6503-E-FAN= Catalyst 6503-E Chassis Fan Tray495 ** BASIC CONFIG WITH 24 GIG-E (SFP PORTS) (not counting two bonus ports on Sup :) 62240.00 (USD) ** Please realize that the above is list vs. list. Cisco 6500 series hardware is extremely popular in the secondary market, with discounts of 80% or greater on linecards, etc common, furthering the argument that Cisco is the cheaper of the two solutions. As a box designed with the enterprise datacenter in mind, the E-series looks to be missing several key service provider features, including MPLS and advanced control plane filtering/policing. >>> >>> Ah, because Cisco does either of these in hardware? >> >> Yes, they do, on the s720-3B and better. > > No, they don't. There are *no* *zero* providers doing line-speed uRPF on > Cisco for a reason. Stop reading, start testing. Cisco absolutely does MPLS and control-plane policing in hardware on the SUP720 (3B and higher), ditto uRPF. Force 10 doesn't even support the first two last I checked! On the subject of uRPF, it's true, Cisco's implementation is less than ideal, and is not without caveats. Nobody seems to get this right, though Juniper tries the hardest. Practically speaking, it can be made to work just fine. Possible solutions commonplace among larger tier 1/2 providers include having your OSS auto-generate an inbound access-list against a list of networks routed to the customer, or just applying a boilerplate "don't allow bad stuff" filter on the ingress. uRPF strict as a configuration default, on customers without possible asymmetry (multihoming, one-way tunneling, etc) is not a bad default. But when the customers increase in complexity, the time might come to relax things some. It's certainly not a be-all-end-all. And it's been demonstrated time after time here that anti-spoof/bogon filtering isn't even a factor in most large-scale attacks on the public Internet these days. Think massively sized, well connected, botnets. See also CP attacks (which, again, the F10 can't even help you with). Drive Slow, Paul Wall
Re: Force10 Gear - Opinions
On Thursday 04 September 2008 15:47:01 Paul Wall wrote: > uRPF strict as a configuration default, on customers > without possible asymmetry (multihoming, one-way > tunneling, etc) is not a bad default. But when the > customers increase in complexity, the time might come to > relax things some. It's certainly not a be-all-end-all. Our experience with uRPF has been some unpleasant badness when dealing with a few private peers. Our private peering routers don't hold full routes (naturally), so we had to relax (even) the loose-mode uRPF scheme we had for this because some of our peers were leaking our routes to the Internet. Customer-facing, strict-mode uRPF is standard practice across the board for all customers single-homed to us. Customers for whom we know have multiple connections get loose-mode uRPF. For good measure, each edge router has outbound ACL's on the core-facing interfaces catching RFC 1918 and RFC 3330 junk. On border (transit) routers, we employ loose-mode uRPF with no issues, since these carry a full table. In addition, we catch inbound RFC 1918 and RFC 3330 with ACL's; and just to see how crazy things get, we stick our own prefixes in there since we really shouldn't be seeing them as sources from the wild. It's quite interesting how many matches we log, particularly for own addresses, on transit and peering links. Of course, the RFC 1918 and RFC 3330 are not without increment as well. No filtering in the core. Cheers, Mark. signature.asc Description: This is a digitally signed message part.
Re: Force10 Gear - Opinions
Paul Wall wrote: Please realize that the above is list vs. list. Cisco 6500 series hardware is extremely popular in the secondary market, with discounts of 80% or greater on linecards, etc common, furthering the argument that Cisco is the cheaper of the two solutions. Secondary market prices aren't a fair measure, unless you include the corresponding cost for software and support. And the fact is, when we put this out for an RFP, we ended up with Force10 having the lowest price by a fair margin; the closest competitor in price was Foundry, with Cisco a distant third. List prices aren't a good measure o actual price; they're a number for salesmen to compare their discount to to make people feel special. In short: You can get the Force10 cheap.
RE: Force10 Gear - Opinions
> uRPF strict as a configuration default, on customers without possible > asymmetry (multihoming, one-way tunneling, etc) is not a bad default. > But when the customers increase in complexity, the time might come to > relax things some. It's certainly not a be-all-end-all. And it's > been demonstrated time after time here that anti-spoof/bogon filtering > isn't even a factor in most large-scale attacks on the public Internet > these days. Think massively sized, well connected, botnets. See also > CP attacks (which, again, the F10 can't even help you with). Indeed... In today's internet, protecting your own box (cp-policer/control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets). james
Re: Force10 Gear - Opinions
On Sep 3, 2008, at 8:45 PM, Paul Wall wrote: Linksys, D-Link, SMC, etc are able to pull it off on the layer 3 switches sold at Fry's for a couple benjamins a pop. :) I am. All of these boxes can forward packets at line rate, and list for a fraction of the price of the Force 10 S-Series. You and I (and any real network operator) must have different definitions of "forward at line rate". -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Force10 Gear - Opinions
On Sep 4, 2008, at 12:47 AM, Paul Wall wrote: Some food for thought, comparing apples to apples... FORCE 10 * CH-E300-BNA8-L $35,000.00 E300 110V AC Terascale Chassis Bundle: 6-slot E300 chassis with 400 Gb backplane, fan subsystem, 3 AC Power Supplies (CC-E300-1200W-AC) 1 Route Processor Module (EF3), 2 Switch Fabric Modules LC-EF3-1GE-24P $30,000.00 E300 Terascale 24-port Gigabit Ethernet line card - SFP optics required (series EF3) CC-E300-1200W-AC $4,000.00 E300 1200W/800W AC Power Supply CC-E-SFM3 $12,500.00 E-Series Switch Fabric Module LC-EF3-RPM $30,000.00E300 Terascale Route processor module (series EF3) ** BASIC CONFIG WITH 24 GIG-E (SFP PORTS): $65000.00 (USD) ** You added a third SFM3 which has no place to go in this chassis. So $52,500 versus $62,240 for the Cisco. Please realize that the above is list vs. list. Cisco 6500 series hardware is extremely popular in the secondary market, with discounts of 80% or greater on linecards, etc common, furthering the argument that Cisco is the cheaper of the two solutions. Then you need to add recertify cost, which isn't cheap. And given that you can purchase Force10 stuff *NEW* at 60% discount, you're pitting new against used for similar prices. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Force10 Gear - Opinions
On Thu, Sep 4, 2008 at 12:36 PM, Jo Rhett <[EMAIL PROTECTED]> wrote: Linksys, D-Link, SMC, etc are able to pull it off on the layer 3 switches sold at Fry's for a couple benjamins a pop. :) >>> > >> I am. All of these boxes can forward packets at line rate, and list >> for a fraction of the price of the Force 10 S-Series. > > > You and I (and any real network operator) must have different definitions of > "forward at line rate". "forwards a gig-e full of 64 byte packets, random src/dst, when you hook a smartbits/ixia up to it" is mine. What's yours? Mind you, this is probably one of the more useless metrics for vendor selection these days, and nobody has a major problem with it. Drive Slow, Paul Wall
Re: Force10 Gear - Opinions
On Thu, Sep 4, 2008 at 12:40 PM, Jo Rhett <[EMAIL PROTECTED]> wrote: > You added a third SFM3 which has no place to go in this chassis. No, I did not. I did, however, list it as a point of reference for a-la-carte analysis. > So $52,500 versus $62,240 for the Cisco. No, $65000.00 vs $62240.00. > Then you need to add recertify cost, which isn't cheap. And given that you > can purchase Force10 stuff *NEW* at 60% discount, you're pitting new against > used for similar prices. Yes and no. Level3 might have an aversion to running random refurbs in production (just using them as an example, they also might not :). Smaller hosting or SP shop represented on the list, "not so much". And 60 points off Cisco is possible, even for small shops with some negotiating ability. Drive Slow, Paul Wall
Re: Force10 Gear - Opinions
On Sep 4, 2008, at 10:03 AM, Paul Wall wrote: You and I (and any real network operator) must have different definitions of "forward at line rate". "forwards a gig-e full of 64 byte packets, random src/dst, when you hook a smartbits/ixia up to it" is mine. What's yours? Forwards a mixed bag of small and large packets from tens of thousands of streams (not random) 1. at sub-millisecond latency 2. no packet loss at full line rate on multiple ports 3. deals appropriately with multiple ports at full line rate leading to a single port And finally, is responsive to operator control even when full line rate is directed at switch itself. Note the "not random" comment. People love to use the random feature of ixia/etc but it rarely displays actual performance in a production network. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Force10 Gear - Opinions
On Sep 4, 2008, at 10:07 AM, Paul Wall wrote: On Thu, Sep 4, 2008 at 12:40 PM, Jo Rhett <[EMAIL PROTECTED]> wrote: You added a third SFM3 which has no place to go in this chassis. No, I did not. I did, however, list it as a point of reference for a-la-carte analysis. So $52,500 versus $62,240 for the Cisco. No, $65000.00 vs $62240.00. I have a current spreadsheet here, and trust me your math went wrong somewhere. A completely full chassis is only a bit more than what you are quoting (at list) and the chassis itself is practically free. But no, I'm not going to redo the math. I'm not a F10 salesperson and I have much more important things to do right now. (not trying to be rude, just seriously...) -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Force10 Gear - Opinions
> > And 60 points off Cisco is possible, even for small shops with some > negotiating ability. That's not our experience; it seems that BUs protecting margins talk louder than the sales guys, so when it reaches discounts like that, even because of lack of adequate product from Cisco (lower gear can't handle it, big gear is too expensive), the competition winning is worse to Cisco but better to the BU numbers, so they leave it to that. Rubens
Re: Force10 Gear - Opinions
I've recently seen Cisco, loose an approx ~$1MM deal at an all Cisco shop to Force10 Cisco wouldn't better mid 40's discount. On Thu, Sep 4, 2008 at 2:23 PM, Rubens Kuhl Jr. <[EMAIL PROTECTED]> wrote: >> >> And 60 points off Cisco is possible, even for small shops with some >> negotiating ability. > > That's not our experience; it seems that BUs protecting margins talk > louder than the sales guys, so when it reaches discounts like that, > even because of lack of adequate product from Cisco (lower gear can't > handle it, big gear is too expensive), the competition winning is > worse to Cisco but better to the BU numbers, so they leave it to that. > > Rubens > >
Re: Force10 Gear - Opinions
Jo Rhett wrote: > Note the "not random" comment. People love to use the random feature of > ixia/etc but it rarely displays > actual performance in a production network. Once upon a time, vendors released products which relied on CPU-based "flow" setup. Certain vintages of Cisco, Extreme, Foundry, Riverstone, etc come to mind. These could forward at "line rate" under normal conditions. Sufficient randomization on the sources and/or destinations (DDoS, Windows worm, portscans, ...) and they'd die a spectacular death. Nowadays, this is less of a concern, as the higher-end boxes can program a full routing table (and then some) worth of prefixes in CAM. Either way, I think it's a good test metric. I'd be interested in hearing of why you think that's not the case. Back on topic, doing a couple of gigs of traffic at line rate is a walk in the park for any modern product billed as a "layer 3 switch". The differentiator between, say, a Dell and a Cisco, is in the software and profoundly not the forwarding performance. Jo Rhett wrote: >> No, $65000.00 vs $62240.00. > > I have a current spreadsheet here, and trust me your math went wrong > somewhere. A completely full chassis is only a bit more than what you are > quoting (at list) and the chassis itself is practically free. > > But no, I'm not going to redo the math. I'm not a F10 salesperson and I > have much more important things to do right now. I'd be interested in seeing where I went "wrong", in the interest of setting the record straight. The original poster was interested in how Force 10 stacks up against the competition from a feature and price prospective. He deserves some cold science, and I'm trying to help him out. To wit, you said F10 is cheaper than a comparable Cisco 6500 (in a basic gig-e configuration). I demonstrated that's not the case. You responded with ad-hominem attacks, followed by indifference, and later, claims of emotional distress; still you refuse to provide any hard numbers, claiming it's "not your job". Where I come from, people like that are referred to as sore losers. :) Drive Slow, Paul Wall
Re: Force10 Gear - Opinions
On Fri, Sep 5, 2008 at 2:37 PM, Paul Wall <[EMAIL PROTECTED]> wrote: > Jo Rhett wrote: >> Note the "not random" comment. People love to use the random feature of >> ixia/etc but it rarely displays >> actual performance in a production network. > > Once upon a time, vendors released products which relied on CPU-based > "flow" setup. Certain vintages of Cisco, Extreme, Foundry, > Riverstone, etc come to mind. These could forward at "line rate" > under normal conditions. Sufficient randomization on the sources Jo, As Paul eludes, the measure of 'worth' today has moved from bits/sec to one of 'operations per second' - where 'operation' could be many different types of work. The 'ideal router' should be able to execute administrative policy, scheduling, queuing, and of course, route lookup and next-hop determination in as close to constant-time as possible without regard for the packet or traffic composition. This means that regardless the makeup or nature of the packet, the device is able to do the same number of lookups with 10, 1000, or 1,000,000 routes in its FIB. Commonly this is done through CAM and TCAM or in RAM using various data structures that exhibit efficient traversal and lookup behaviors. I would invite you to research these independently, as there is a sizable body of work to review (ultimately this work is a class of search/sort problem). Today we find most CAM based systems no longer are interesting insofar as their raw forwarding performance; nearly every feature that can be implemented in hardware will generally exhibit the same scaling and performance behaviors as regular IP forwarding. The same generally holds true for RAM-based systems, though implementations vary by vendor (i.e. juniper IP-I/IP-II vs. MX-series distributed CAM) and can preclude certain combinations of work being performed on the packet during forwarding. Bottom line: it's not bits/sec, it's ops/sec. -Tk
Re: Force10 Gear - Opinions
On Sep 5, 2008, at 12:37 PM, Paul Wall wrote: Jo Rhett wrote: Note the "not random" comment. People love to use the random feature of ixia/etc but it rarely displays actual performance in a production network. Once upon a time, vendors released products which relied on CPU-based "flow" setup. Certain vintages of Cisco, Extreme, Foundry, Riverstone, etc come to mind. These could forward at "line rate" under normal conditions. Sufficient randomization on the sources and/or destinations (DDoS, Windows worm, portscans, ...) and they'd die a spectacular death. Nowadays, this is less of a concern, as the ... Either way, I think it's a good test metric. I'd be interested in hearing of why you think that's not the case. Back on topic, doing a Yes. And those problems were fixed in most gear. What I found *also* was that the flow tables tended to fill up, and a lot of gear thrashes on the flow tables. You need real bi-directional sessions to create the effect properly in many cases. (ie Extreme, which handles random fine but bidirectional flows proved that too much of the work was being done in software) I have a current spreadsheet here, and trust me your math went wrong somewhere. A completely full chassis is only a bit more than what you are ... But no, I'm not going to redo the math. I'm not a F10 salesperson and I have much more important things to do right now. I'd be interested in seeing where I went "wrong", in the interest of setting the record straight. The original poster was interested in how Force 10 stacks up against the competition from a feature and price prospective. He deserves some cold science, and I'm trying to help him out. I meant what I said, and I wasn't trying to be rude. There are F10 people on this mailing list, it would serve you to engage them instead of me. I'm quite happy with my Force10 units but I'm not making any commission selling them and I have too much to do to be doing someone else's job. To wit, you said F10 is cheaper than a comparable Cisco 6500 (in a basic gig-e configuration). I demonstrated that's not the case. You responded with ad-hominem attacks, followed by indifference, and later, claims of emotional distress; still you refuse to provide any hard numbers, claiming it's "not your job". Where I come from, people like that are referred to as sore losers. :) You're reading a lot more into it than I bothered to think about it. I've done the math repeatedly, and Force10 always comes out cheaper than Cisco in that scale of port density. Your numbers looked off to me, but letting you know the previous sentence is about all the time I can spend on this topic. Can we kill this now? Thanks. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
