[c-nsp] pricing vs performance
Ian Cox
icox at cisco.com
Wed Dec 1 18:25:54 EST 2004
Sup720 added many new control plane rate limiters (mls rate limit ...), and
with the 12.2(18)SXD1 release control plane policing was added to the 6500
and 7600 platforms for Supervisor 720.
Ian
At 12:01 AM 12/2/2004 +0100, sthaug at nethelp.no wrote:
> > > At my previous employer we had generally good experience using 6500
> > > with Sup2/MSFC2/PFC2 as border routers. Lots of DoS attacks, even Gbps
> > > sized ones, and the boxes survived. Note that this depends on good ACLs
> > > and/or rate limiting to make sure that the DoS traffic doesn't hit any
> > > of the IP addresses of the box itself.
> > >
> >
> > FWIW a C6500/7600 with Sup720s can do control plane policing in
> > hardware, so you could protect against a direct attack on the box.
>
>Yup, but when I worked with these boxes the only control plane policing
>available was ACLs and rate limiting based on the IP addresses of the
>box. It was quite obvious to us that this was indeed implemented in
>hardware. A real PITA to maintain (because of all the IP addresses),
>but doable with sufficient scripting.
>
>Nowadays I mostly work with Junipers, and policing/ACLing the traffic
>to the loopback interface is an extremely convenient way of doing it.
>
>Steinar Haug, Nethelp consulting, sthaug at nethelp.no