[c-nsp] pricing vs performance

sthaug at nethelp.no sthaug at nethelp.no
Wed Dec 1 18:01:11 EST 2004


> > At my previous employer we had generally good experience using 6500
> > with Sup2/MSFC2/PFC2 as border routers. Lots of DoS attacks, even Gbps
> > sized ones, and the boxes survived. Note that this depends on good ACLs
> > and/or rate limiting to make sure that the DoS traffic doesn't hit any
> > of the IP addresses of the box itself.
> >
> 
> FWIW a C6500/7600 with Sup720s can do control plane policing in
> hardware, so you could protect against a direct attack on the box.

Yup, but when I worked with these boxes the only control plane policing
available was ACLs and rate limiting based on the IP addresses of the
box. It was quite obvious to us that this was indeed implemented in
hardware. A real PITA to maintain (because of all the IP addresses),
but doable with sufficient scripting.

Nowadays I mostly work with Junipers, and policing/ACLing the traffic
to the loopback interface is an extremely convenient way of doing it.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
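
The scripting mentioned in the message above, as an added example that is not part of the original post: it collects every IPv4 address configured on the box from an IOS-style configuration and generates an extended ACL that permits management sources to those addresses, denies everything else to them, and leaves transit traffic alone. The sample configuration, the management prefix and the ACL name PROTECT-ROUTER are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of IOS-style interface config (documentation addresses).
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
interface GigabitEthernet1/1
 ip address 198.51.100.1 255.255.255.252
 ip address 198.51.100.9 255.255.255.252 secondary
interface GigabitEthernet1/2
 no ip address
interface Vlan10
 ip address 203.0.113.1 255.255.255.0
"""

# Assumed management sources that may reach the router itself.
MGMT_PREFIXES = ["192.0.2.128/25"]

# Matches "ip address A.B.C.D MASK [secondary]"; skips "no ip address" and dhcp.
ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)(?: secondary)?\s*$", re.M)


def router_addresses(config):
    """Return every IPv4 address configured on the box, sorted, no duplicates."""
    found = set()
    for addr, mask in ADDR_RE.findall(config):
        # Raises ValueError on a malformed address or mask instead of emitting it.
        ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        found.add(ipaddress.IPv4Address(addr))
    return sorted(found)


def build_acl(config, mgmt_prefixes, name="PROTECT-ROUTER"):
    """Build the ACL lines: mgmt -> box permitted, anything else -> box denied."""
    addrs = router_addresses(config)
    lines = [f"ip access-list extended {name}"]
    for prefix in mgmt_prefixes:
        net = ipaddress.IPv4Network(prefix)
        for a in addrs:
            # IOS extended ACLs take a wildcard (inverse) mask for the source.
            lines.append(f" permit ip {net.network_address} {net.hostmask} host {a}")
    for a in addrs:
        lines.append(f" deny ip any host {a}")
    lines.append(" permit ip any any")  # transit traffic is not filtered
    return lines


if __name__ == "__main__":
    print("\n".join(build_acl(SAMPLE_CONFIG, MGMT_PREFIXES)))
```

Regenerating the ACL from the running configuration on every address change is what keeps the deny list in step with the box; a stale list leaves newly added interface addresses unprotected.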

