[c-nsp] 2948G replacement?
Gert Doering
gert at greenie.muc.de
Tue Aug 31 04:05:31 EDT 2004
Hi,
On Mon, Aug 30, 2004 at 03:16:08PM -0700, matthew zeier wrote:
> > If it's a 2948G, why is it affected by DDoS? The management VLAN should
> > not be reachable by the outside world, so DDoSes should not be able to
> > affect the 2948G at all.
>
> If a host on a non-management VLAN gets infected with something like SQL
> Slammer and starts pushing out 90Mbps+, all other ports on that switch
> basically get hosed.
Interesting. We did have a fair number of SQL slammer hosts, and while
the uplink to the router got saturated enough to be unusable, the switches
themselves (Cat5500 and 2948G) could cope very well.
> That or if one host starts spewing broadcast traffic
> then the switch is nearly useless.
Broadcast limiting (to some low percentage of interface bandwidth) works
well for us.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de