[c-nsp] Re: FE ignored errors
Jon Lewis
jlewis at lewis.org
Sun Dec 19 21:04:39 EST 2004

On Mon, 20 Dec 2004, Nick Shah wrote:

> What other PA exists on this VIP? And what other VIPs (any VIP2-40s?)
> Also, can you check the CPU util on the VIP itself? Note that the
> CPU utilisation has lesser bearing on router performance but may impact
> latency, and it becomes a more linear curve when per-packet processing
> services exist.

In most cases, nothing. Just 1 PA-FE-TX per VIP2-50 (with 128/8).

> For your nachi filters, I would rather replace it with a CAR with a rate
> limit of 128K or something sensible (depending on your external links)
> like that policing ICMP traffic. Hence eliminating per-packet processing
> done by POLICY ROUTING.

That would rate-limit the incoming nachi infection (assuming there's
infection still trying to get in and hosts on our network still
infectable). The way nachi work(s/ed), I would think that would be
equivalent to just dropping the filter altogether.

Is anyone else still (ever?) doing nachi or SQL slammer filtering at their
borders?

> We had a similar issue with a VIP4-80 on a 7500, which had a
> PA-A3-OC3-SMI & PA-FE-TX. After extensive investigation, the problem was
> found to be related to the oversubscription of traffic exiting the
> router on exit VIP (which was a 2-40) - causing a bottleneck on the
> entry VIP (a VIP4-80).

With 1 FE per VIP2-50, I don't believe oversubscription is an issue.
Cisco claims the VIP2-50 can do:

100kpps switching capacity
400mbps aggregate bandwidth capacity

Typical pps for us on these interfaces is 10-30kpps.

----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________