Re: [nsp] router capacity question

From: George Robbins (grr@shandakor.tharsis.com)
Date: Thu Dec 09 1999 - 06:30:50 EST


Another neat feature of re-directs is that some unix systems, for
example SunOS 4.x, store them as host routes in an mbuf pool of
fixed size. Have a couple of full-route routers on your network
and a nameserver which talks to the world and then see how often
the nameserver crashes.

As long as you have reasonable performance and bandwidth, it's
better to let the router do its job, disable re-directs and
enable route-cache same-interface.

                                        George

> From: Martin Cooper <mjc@cooper.org.uk>
> Subject: Re: [nsp] router capacity question
>
> Niels Bakker <niels@euro.net> wrote:
>
> > If you're not running CEF, isn't that the case only for packets
> > that don't get fast-switched, i.e. all except the first one in
> > a flow?
>
> No, I believe that isn't the case; _all_ packets in that flow are
> process switched (at least in the most archaic versions of IOS
> we're running - 11.2(8)P, and I believe in 11.2(13)P and 11.1(24)CC
> as well).
>
> > On FastEthernet interfaces with lots of secondary addresses I'd
> > rather waste bandwidth due to a machine not honouring or receiving
> > an ICMP redirect than waste CPU cycles on the router
>
> Me too - particularly since hosts (Windows 9x and Solaris 2.x in
> particular) ignore redirects for networks on which they do not
> have IP interfaces (for security - to avoid local spoofing attacks
> I believe).
>
> > (So it's only useful if you're not running CEF on a high-speed
> > interface... hmm, I can see cisco's reasoning for not making it
> > default to on, I think. ;)
>
> I believe that it should be the default for Ciscos without CEF
> support to avoid DoS attacks.
>
> M.



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:08 EDT