Re: [nsp] Experience with NSE-1 and IOS 12.0S?

From: George Robbins (grr@shandakor.tharsis.com)
Date: Mon Mar 19 2001 - 13:28:08 EST


It may vary depending on the architecture.

My learning experience was on a 3640, which had been stable, but started
maxing out CPU days after I'd turned on IP accounting with a large number
of entries and forgotten about it. It was doing mostly newsfeeds and
getting news traffic from one of the "newer" entries in the list would
max out the CPU.

More recent experience during attacks seems to confirm a fairly direct
linkage between the size of the accounting list and CPU utilization/
survivability. You can have a lot of entries in the list as long as
they're not being hit hard. Depending on the algorithm they're using,
"misses" (aka adds to the list) could be the most expensive operation
in terms of CPU utilization.

IP accounting is fairly useless except as a debugging tool; it would
be nice if you could specify a source/dest mask so that you could
bucket by class-C (for example) vs. specific addresses.

                                                George

> Date: Mon, 19 Mar 2001 19:09:16 +0100
> From: Gert Doering <gert@greenie.muc.de>
> To: George Robbins <grr@shandakor.tharsis.com>, gert@greenie.muc.de,
> marcus@ri.st, sthaug@nethelp.no
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [nsp] Experience with NSE-1 and IOS 12.0S?
> References: <200103191802.NAA18241@shandakor.tharsis.com>
> In-Reply-To: <200103191802.NAA18241@shandakor.tharsis.com>; from George Robbins on Mon, Mar 19, 2001 at 01:02:28PM -0500
>
> Hi,
>
> On Mon, Mar 19, 2001 at 01:02:28PM -0500, George Robbins wrote:
> > From what I can see the problem with IP accounting is that the list
> > of IP addresses isn't optimized (hash, tree, etc) so the more entries,
> > the more CPU used in IP input. You can totally screw yourself if
> > you specify a large number of entries and get a burst of traffic
> > for an IP near the end of the list or not in the list at all.
>
> Ummm, I don't think that's the main problem. As soon as the "attack"
> (that is: creation of new entries in heaps) stops, the router returns
> to normal operations.
>
> I have seen lists as long as 150.000 pairs with no significant impact on
> performance.
>
> > If you're under attack, setting the number of entries to a small
> > number (25-50 for example) before turning on IP accounting helps
> > avoid having to wait for the router to crash and reboot...
>
> Good advice. Thanks.
>
> (Though 25-50 means "I will lose our customer's IP traffic immediately" -
> a number of /16's involved).
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert@greenie.muc.de
> fax: +49-89-35655025 gert.doering@physik.tu-muenchen.de
>
>

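The ordering George recommends above (cap the per-pair table before enabling accounting on a router under attack), as an added IOS configuration example that is not part of the original thread. The interface name, the threshold values and the accounting-list address are illustrative; the default threshold and the exact command syntax vary by IOS release, so check them against your own platform before relying on this.

```text
! --- risky ordering: a large per-pair table, accounting already enabled ---
ip accounting-threshold 150000
interface Serial0/0
 ip accounting output-packets
!
! --- safer: cap the table first (25-50 pairs, per the thread), then enable ---
ip accounting-threshold 50
! optionally keep entries only for selected hosts (address + wildcard mask),
! so a flood from elsewhere cannot fill the table with new pairs
ip accounting-list 192.0.2.0 0.0.0.255
interface Serial0/0
 ip accounting output-packets
!
! inspect, snapshot and reset the collected pairs
! show ip accounting
! show ip accounting checkpoint
! clear ip accounting
```

With a small threshold, pairs beyond the cap are not tracked individually; `show ip accounting` reports them only as an overflow total, which is exactly the "lose our customer's IP traffic" trade-off Gert describes.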

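George's wish for bucketing by mask instead of by individual address can be met offline by post-processing the router's output. The following is an added example, not code from the thread: it parses the source/destination/packets/bytes table that `show ip accounting` prints and sums it per /24 (or any prefix length). The sample table is constructed in the shape of that output; the column layout of your IOS release may differ, so verify it against a real capture.

```python
"""Aggregate 'show ip accounting' pairs by source/destination prefix.

Added example for the cisco-nsp thread above; the sample output below is
constructed, not captured from a router.
"""
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of 'show ip accounting' output.
SAMPLE_SHOW_IP_ACCOUNTING = """\
   Source           Destination              Packets               Bytes
 192.168.4.5      10.1.1.1                    3                   240
 192.168.4.6      10.1.1.1                  120                 92160
 192.168.4.7      10.1.2.9                    1                    64
 203.0.113.10     10.1.1.1                 9000               5760000
Accounting data age is 2
"""


def parse_show_ip_accounting(text):
    """Return a list of (src, dst, packets, bytes) tuples.

    Header, blank, 'Accounting data age' and 'threshold exceeded' lines
    do not have four address/number columns and are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            src = str(ipaddress.ip_address(parts[0]))
            dst = str(ipaddress.ip_address(parts[1]))
            pkts, nbytes = int(parts[2]), int(parts[3])
        except ValueError:
            continue  # e.g. the header line: 'Source' is not an address
        rows.append((src, dst, pkts, nbytes))
    return rows


def bucket(rows, src_prefix=24, dst_prefix=24):
    """Sum packets and bytes per (source prefix, destination prefix) pair."""
    totals = defaultdict(lambda: [0, 0])
    for src, dst, pkts, nbytes in rows:
        key = (str(ipaddress.ip_network(f"{src}/{src_prefix}", strict=False)),
               str(ipaddress.ip_network(f"{dst}/{dst_prefix}", strict=False)))
        totals[key][0] += pkts
        totals[key][1] += nbytes
    return {k: (v[0], v[1]) for k, v in totals.items()}


def top_sources(rows, prefix=24, n=5):
    """Source prefixes ranked by packet count: the netblock hitting you hardest."""
    per_src = defaultdict(int)
    for src, _dst, pkts, _nbytes in rows:
        net = str(ipaddress.ip_network(f"{src}/{prefix}", strict=False))
        per_src[net] += pkts
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    rows = parse_show_ip_accounting(SAMPLE_SHOW_IP_ACCOUNTING)
    for (s, d), (p, b) in sorted(bucket(rows).items()):
        print(f"{s:>18} -> {d:<18} {p:>8} pkts {b:>12} bytes")
    print(top_sources(rows))
```

In practice you would feed it the text of `show ip accounting` (or `show ip accounting checkpoint` after a `clear ip accounting`) saved from the console; the prefix lengths are parameters so the same code buckets by /16 when a whole customer block is involved.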

This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:32 EDT