[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?
David J. Hughes
bambi at Hughes.com.au
Fri Jun 10 22:33:12 EDT 2005
On 10/06/2005, at 5:52 PM, sthaug at nethelp.no wrote:
>> Given Ethernet physical connectivity ... would a 3750, 4948, 6500, etc make
>> more sense as a "border router" than a say 7200, 7600 etc... DDoS is the
>> primary concern, followed closely by cost... if a 3750 switch used as the
>> border router/switch to a BGP peer will fall over under and moderate to
>> medium DDoS attack vs. a 7200 vs a 6500/7600 ... better to buy the 7200
>> router or 7600 router....
>
> You're mixing a lot of apples and oranges here.
>
> A 3750, used for L3, will handle *far* more pps than a 7200. On the
> other hand, it won't take a full Internet routing table. 6500 vs 7600
> is marketing.
An approach we've used to get the best of both worlds is to terminate the Telco GigE transit links at L2 onto switches and then pass through to 7200s with NPE-G1s. We originally just used 2950Gs as the "border switches" and used their L3 ACL capabilities to filter the DDoS traffic before it made it to the 7200. They did the job very well. We have since upgraded them to 3550s for the more flexible L3 ACLs and they give us everything we need: hardware-based layer 3 ACLs in front of a "real" router.
David
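Added example, not from the post: a constructed Cisco IOS port-ACL configuration of the kind David describes, with the transit uplink on GigabitEthernet0/1, the 7200 on GigabitEthernet0/2, 192.0.2.0/24 standing in for the site's own prefix and 192.0.2.10 for a host under attack. Interface names, VLAN number, addresses and the attacked port are all assumptions.

```cisco
! Border switch (3550) sits at L2 between the Telco GigE transit link
! and the 7200. The port ACL below is evaluated in hardware, inbound on
! the transit-facing port, so dropped packets never reach the 7200.
ip access-list extended TRANSIT-IN
 ! Drop packets that spoof our own prefix (192.0.2.0/24, assumed)
 deny   ip 192.0.2.0 0.0.0.255 any
 ! Drop RFC 1918 sources, which have no business arriving from transit
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 ! Temporary entry for an ongoing UDP flood against one host/port
 ! (host and port are constructed values for this example)
 deny   udp any host 192.0.2.10 eq 1434
 ! Everything else passes through to the 7200 untouched
 permit ip any any
!
interface GigabitEthernet0/1
 description Transit uplink from Telco
 switchport mode access
 switchport access vlan 100
 ip access-group TRANSIT-IN in
!
interface GigabitEthernet0/2
 description To 7200 NPE-G1
 switchport mode access
 switchport access vlan 100
```

Port ACLs on these switches are inbound only and consume TCAM, so keep the list short and watch the hit counters in `show access-lists` to confirm the entry is actually absorbing the flood. The 7200 still carries the BGP sessions and any routing-based filtering; the switch only takes the volumetric hit off it.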