Hi,
On Mon, Mar 19, 2001 at 01:28:08PM -0500, George Robbins wrote:
> It may vary depending on the architecture.
>
> My learning experience was on a 3640, which had been stable, but started
> maxing out CPU days after I'd turned on IP accounting with a large number
> of entries and forgotten about it. It was doing mostly newsfeeds and
> getting news traffic from one of the "newer" entries in the list would
> max out the CPU.
>
> More recent experience during attacks seems to confirm a fairly direct
> linkage between the size of the accounting list and CPU utilization/
> survivability.
Ah - this may very well be. We don't use the accounting list at all - we
have to do ip accounting for *all* traffic that passes through our
network, legitimate traffic (customers) and illegitimate (something people
dump at us at exchange points, for example).
If there were a way to make entries like

    195.30.0.1 <foreign> 17 12314
    <foreign> 195.30.0.1 28 12334
    <foreign> <foreign>

(<foreign> being shown for every entry not on the ip accounting list)
then using the ip accounting list would make much more sense for us.
[..]
> Ip accounting is fairly useless except as a debugging tool,
Umm, actually, it works nicely for exactly that: ip accounting :-)
> it would
> be nice if you could specify a source/dest mask so that you could
> bucket by class-C (for example) vs. specific addresses.
This can be done with Netflow, but the problem with netflow is the way
the data is exported (UDP - if the collector host is down, or a link
in between is saturated, you drop accounting packets, that is, drop
money...).
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert@greenie.muc.de
fax: +49-89-35655025
gert.doering@physik.tu-muenchen.de
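The `<foreign>` collapsing and source/dest mask bucketing discussed in this message can be done when post-processing exported accounting rows on a collector. The following is an added example, not part of the original post and not a router feature; the four-column row layout is taken from the sample entries above, while the local prefix 195.30.0.0/24, the function names and all sample counters are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows in the "source destination packets bytes" layout
# used in the post; addresses and counters are made up for illustration.
SAMPLE = """\
195.30.0.1 198.51.100.7 17 12314
198.51.100.7 195.30.0.1 28 12334
195.30.0.9 203.0.113.5 3 400
203.0.113.5 198.51.100.7 5 900
192.0.2.44 203.0.113.80 2 120
"""

FOREIGN = "<foreign>"

def bucket(addr, local_nets, prefix_len):
    """Map an address to its local bucket, or to <foreign> if not local."""
    ip = ipaddress.ip_address(addr)
    if not any(ip in net for net in local_nets):
        return FOREIGN
    if prefix_len == 32:
        return str(ip)
    # Mask the host bits so all hosts in one prefix share a bucket.
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))

def aggregate(text, local, prefix_len=32):
    """Sum packets/bytes per (source bucket, destination bucket) pair."""
    local_nets = [ipaddress.ip_network(n) for n in local]
    totals = defaultdict(lambda: [0, 0])
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields")
        src, dst, packets, octets = fields
        key = (bucket(src, local_nets, prefix_len),
               bucket(dst, local_nets, prefix_len))
        totals[key][0] += int(packets)
        totals[key][1] += int(octets)
    return {k: tuple(v) for k, v in totals.items()}

if __name__ == "__main__":
    # Assumed local prefix; bucket local hosts by /24 ("class-C").
    rows = aggregate(SAMPLE, ["195.30.0.0/24"], prefix_len=24)
    for (src, dst), (pk, by) in sorted(rows.items()):
        print(f"{src:18} {dst:18} {pk:6} {by:10}")
```

All traffic is still counted, but the number of rows is bounded by the number of local buckets rather than by the number of remote addresses seen.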