[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?
sthaug at nethelp.no
Fri Jun 10 03:52:13 EDT 2005
> Given Ethernet physical connectivity ... would a 3750, 4948, 6500, etc make
> more sense as a "border router" than a say 7200, 7600 etc... DDoS is the
> primary concern, followed closely by cost... if a 3750 switch used as the
> border router/switch to a BGP peer will fall over under a moderate to
> medium DDoS attack vs. a 7200 vs a 6500/7600 ... better to buy the 7200
> router or 7600 router....
You're mixing a lot of apples and oranges here.

A 3750, used for L3, will handle *far* more pps than a 7200. On the
other hand, it won't take a full Internet routing table. 6500 vs 7600
is marketing.

A suitable DDoS attack (lots of small packets) will kill most software
based routers *before* the actual link capacity is reached. So - add
hardware based forwarding, and you can handle attacks up to the link
capacity.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no