[c-nsp] Help, one 160kbit/s DSL killing my 7206
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Mon Mar 21 09:24:36 EST 2005
Matthew Crocker <> wrote on Monday, March 21, 2005 3:12 PM:
>> I turned off the debug logging because I thought the logging
>> must be what put the router on its knees, but when I let the
>> client log on again (he has to update his antivirus...) all the
>> DSL lines fall down again (didn't check ping, CPU seems normal
>> on the history, but the problem was fixed sooner though). I'm
>> not going to remove the reverse-path verification!
>
> Put an ACL on the outbound port of your 7206 to only allow your
> subnets out. Then you can safely remove the reverse-path stuff. The
> ACL on the outbound Ethernet should use less CPU than the
> reverse-path on each Virtual-Interface.
I'd question this statement. Both features affect the forwarding path,
so the performance impact grows linearly with packets/sec (on software
platforms), rather than number of interfaces. If 1000 interfaces send 10
pps each, the router would need to perform uRPF on 10000 packets/second,
and would also apply the ACL on 10000 packets/second. My (educated)
guess is that uRPF has less impact on forwarding performance on a
software-based platform (7200, etc.) than even a short ACL...
oli