[c-nsp] pricing vs performance

Kim Onnel karim.adel at gmail.com
Wed Dec 1 17:54:43 EST 2004


true, but as Siva just said on the box, not to customers,
those 40 - 200 kpps we've been getting on our 7609 have sure made all
them 7200s come to their knees, 7609 didn't, but anyway interface is
saturated, and there's a big chance all your BGP/MPLS won't be able to
keep their keepalives, and so close down

but then again 7609 would provide you with the hardware ACLs, most
powerful Netflow implementation and features and from there you can
export the flows to a box to analyse, track down src/dst and blackhole
them to your upstream, so definitely 7609 is worth the consideration.

so if DDoS is one major key player in your comparison, make sure you
give CoPP/ACLs/Netflow more weight.

Regards,
~Kim

On Wed, 1 Dec 2004 14:38:41 -0800 (PST), Siva Valliappan
<svalliap at cisco.com> wrote:
>
> On Wed, 1 Dec 2004 sthaug at nethelp.no wrote:
> 
> > > What about the 6500/7600 platform?  We're in a similar boat.  We're using
> > > a mix of 7206s and 7500s for our core routers, and they generally deal
> > > with "normal" traffic well enough, but if someone points a DDoS at us,
> > > even the 7500s tend to roll over and play dead under sufficiently high
> > > values of kpps.  Having heard good things about them, and since our
> > > transit connections have all moved to FE, we're looking at possibly moving
> > > to 6500s with MSFC2s to handle the transit connections.
> >
> > At my previous employer we had generally good experience using 6500
> > with Sup2/MSFC2/PFC2 as border routers. Lots of DoS attacks, even Gbps
> > sized ones, and the boxes survived. Note that this depends on good ACLs
> > and/or rate limiting to make sure that the DoS traffic doesn't hit any
> > of the IP addresses of the box itself.
> >
> 
> FWIW a C6500/7600 with Sup720s can do control plane policing in
> hardware, so you could protect against a direct attack on the box.
> 
> cheers
> .siva
>
> > Steinar Haug, Nethelp consulting, sthaug at nethelp.no
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >


-- 
~Kim

