[c-nsp] 2821, 2851, 3825, 3845 benchmarks or lack thereof.

Christopher J. Wolff chris at bblabs.com
Sat Jan 28 13:06:09 EST 2006


So if you had a clean sheet of paper, and since you are designing for
profitability reasons you were going to deploy a 3825 to terminate your two
DS3's at the edge.  Since the 3825 has no (D)DoS mitigation capabilities
what are you going to deploy in front of or behind it to handle DoS?  

-----Original Message-----
From: Łukasz Bromirski [mailto:lukasz at bromirski.net] 
Sent: Saturday, January 28, 2006 7:51 AM
To: cisco-nsp at puck.nether.net
Cc: Rubens Kuhl Jr.; Christopher J. Wolff
Subject: Re: [c-nsp] 2821, 2851, 3825, 3845 benchmarks or lack thereof.

Rubens Kuhl Jr. wrote:

> According to that Cisco document, yes. They calculated 87 Mbps with
> 64-byte packets, but based on pps numbers with no features.
> Unfortunately, they don't mention process switching performance for
> theses models, which you could use for a worst case
> router-under-attack scenario.

ISRs support control-plane policing[1] right from first IOS release,
which effectively defends router itself from any (D)DoS attacks.
Most of the functionality is fast/CEF-switched anyway.

[1].
Configuration:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chap
ter09186a00804559b7.html
Deploying:
http://www.cisco.com/en/US/products/ps6642/products_white_paper09186a0080211
f39.shtml

-- 
this space was intentionally left blank    |            Łukasz Bromirski
you can insert your favourite quote here   |        lukasz:bromirski,net




More information about the cisco-nsp mailing list