[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?

Nick Shah Nick.Shah at aapt.com.au
Wed Jun 8 22:38:45 EDT 2005


Sam

Answers inline

> What is the minimum router these days to peer with other AS's?

We have successfully used a 7206VXR NPE-G1 with 512MB RAM with 2 x full
BGP feeds & a couple of STM1s' worth of traffic.
The decision to use a platform should also take into account the amount of
traffic traversing the router, interfaces/modules, scalability etc.
needed.
IMHO a practical limit would be 600MB (Ingress & Egress) with a reasonable
number of bells (Netflow, CAR etc.) turned on.
At around 12-13K USD (depending on your discount) it should give good
price/performance benefits.

Generally speaking a 7200 is a Swiss army knife among routers, not too
small for an ISP edge router, and not too big for an enterprise, and
offers support for virtually every interface needed (DS0 right up to STM1,
GigE etc.)

> Initial bandwidth needs would be similar, however, this will scale
> significantly (sales-driven), not to mention DDoS protection.
> What access speed and router can withstand a DDoS attack these days,
> assuming appropriate security measures are taken (CAR, NBAR, bogon
> filters, etc)?

No access speed or router can withstand a DDoS, if not planned
appropriately. It would depend on what's the target of the attack,
whether it's directed towards an interface on the router & what means of
mitigation you have in place & what specific IP options are turned on in
the DDoS packets.

Several mitigation tactics have been discussed in the ISP Essentials paper
available somewhere on CCO. Couple that with bit bins, route servers to
nullroute & drop packets at the edges (border router), rACLs etc. and
you should be reasonably ok.

PS. The only feature that I haven't turned on is NBAR (because we are an
SP, we deal in L3)

HTH

Nick
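An added configuration example (written for this page, not taken from Nick's post or from a Cisco document) that puts the tactics named above into IOS syntax: a trigger router that null-routes an attacked host and pushes that route to the border via iBGP, and a border router with a bogon filter and a CAR rate limit on the upstream link. The AS number 65000, the iBGP neighbor 10.255.0.2, the interface POS1/0, the victim address 203.0.113.10 and the black-hole address 192.0.2.1 are assumed placeholders.

```ios
! --- Trigger router (assumed placeholders throughout) ---
! Static /32 for the attacked host, tagged so the route-map can pick it up.
ip route 203.0.113.10 255.255.255.255 Null0 tag 66
!
! Rewrite the next hop to the black-hole address and keep it inside the AS.
route-map RTBH-TRIGGER permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set community no-export
 set origin igp
!
router bgp 65000
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 send-community
 redistribute static route-map RTBH-TRIGGER
!
! --- Border router ---
! The black-hole next hop resolves to Null0, so any prefix learned with
! that next hop is discarded at the edge before it crosses the backbone.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Bogon / private-source filter for the upstream interface.
ip access-list extended BOGON-IN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 permit ip any any
!
! Traffic class for CAR: all ICMP.
access-list 150 permit icmp any any
!
interface POS1/0
 description Upstream STM1 (assumed interface)
 ip access-group BOGON-IN in
 ! CAR: allow 256 kbit/s of ICMP, drop the excess.
 rate-limit input access-group 150 256000 8000 8000 conform-action transmit exceed-action drop
```

The trigger side only needs to be configured once; afterwards a single `ip route ... Null0 tag 66` per attacked address is enough to drop its traffic at every border router that carries the black-hole route.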
