[c-nsp] Your opinions on router throughput

Ted Mittelstaedt tedm at toybox.placo.com
Fri Oct 27 02:41:45 EDT 2006


The limiting is being done in other devices on the LAN side; it is
not part of the BGP group of routers.

I'll take it as a given that a compromised system on the 100baseT
LAN port on the VXR could, by sending lots of small packets destined to
the router interface, take down any NPE available for the
7206 VXR chassis.  That is a good point of course, but I am
not sure that any large backbone networks on the Internet size
their routers so as to be able to withstand a sustained beating
by a device that is directly connected to them via 100baseT or
gigabit ethernet.

Let's assume for the purposes of discussion that we are
talking an average packet size of 1000 bytes.  Notwithstanding
of course that the PA-A3-T3 cards deal with 56 byte packets.
:-)

Would this really be switched through the NPE?  I had thought
that CEF makes the flows go from card to card over the internal
router bus, not through the CPU.

Ted

----- Original Message ----- 
From: "Jon Lewis" <jlewis at lewis.org>
To: "Ted Mittelstaedt" <tedm at toybox.placo.com>
Cc: <cisco-nsp at puck.nether.net>
Sent: Thursday, October 26, 2006 10:24 PM
Subject: Re: [c-nsp] Your opinions on router throughput


> On Thu, 26 Oct 2006, Ted Mittelstaedt wrote:
>
> > OK here's the scenario:
> >
> > 2 Cisco 7206 VXR's.  First one has 3 high speed interfaces, a FE to
> > the local LAN that has customer connections, a FE running 30Mbt to
> > one Internet feed, and a PA-A3-T3 that is running 45Mbt to the second
> > VXR
> >
> > The second VXR has 3 high speed interfaces, a FE to the local LAN that
> > has customer connections, a PA-A3-T3 going to 10Mbt-burst-to-45Mbt
> > Internet feed,
>
> You mentioned "bandwidth limiting" but didn't say where or how it's being
> done.  If there's nothing (like a policing switch) stopping them, one
> compromised customer machine can hit their local router with enough PPS
> over the FE to basically shut down the NPE300.  Even with a policing
> switch, I suspect a machine could send sufficient PPS without exceeding
> reasonable Mbit/s policing to put a serious hurting on the NPE300.
>
> ----------------------------------------------------------------------
>   Jon Lewis                   |  I route
>   Senior Network Engineer     |  therefore you are
>   Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>


