[c-nsp] Your opinions on router throughput
Jon Lewis
jlewis at lewis.org
Fri Oct 27 08:03:12 EDT 2006
On Thu, 26 Oct 2006, Ted Mittelstaedt wrote:

> I'll take it as a given that a compromised system on the 100 baseT
> lan port on VXR could, by sending lots of small packets destined to
> the router interface, take down any NPE available for the

It doesn't have to be destined to the router interface. Just trying to
send the packets through the router will overload the NPE. I just dealt
with such a situation a few nights ago (compromised customer hanging off a
2900XL switch connected to a VXR with NPE300). The only way I could log
in or use the CLI was by unplugging the ethernet. Each time I plugged the
ethernet back into the router, pretty much as soon as line protocol came
up, the CLI went dead. I could see from show ip cache flow that the
packets were to be routed...not an attack against the router itself.

> 7206 VXR chassis. That is a good point of course, but I am
> not sure that any large backbone networks on the Internet size
> their routers so as to be able to withstand a sustained beating
> by a device that is directly connected to them via 100baseT or
> gigabit ethernet.

Perhaps not, but the hardware forwarding systems (i.e. 7600) will forward
such traffic without breaking a sweat.

> Would this really be switched through the NPE? I had thought
> that CEF make the flows go from card to card over the internal
> router bus, not through the CPU.

AFAIK on the 7200, all forwarding is handled by the NPE...otherwise
you wouldn't see the CPU load increase with increased traffic levels.
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
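The post above used `show ip cache flow` to tell a transit packet flood apart from traffic aimed at the router itself. The following is an added example, not part of the original message: a small parser over constructed flow-record lines in the column layout IOS prints (SrcIf, SrcIPaddress, DstIf, DstIPaddress, Pr, SrcP, DstP, Pkts, with K/M count suffixes), which ranks sources by packet count and splits each into transit flows versus flows whose DstIf is `Local` (destined to the router). The sample addresses and counts are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of "show ip cache flow" flow-record lines (not real data).
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         192.0.2.77      Gi1/0         198.51.100.9    11 0035 0035   812K
Fa0/0         192.0.2.77      Gi1/0         198.51.100.10   11 0035 0035   790K
Fa0/0         192.0.2.77      Local         203.0.113.1     01 0000 0800    11K
Gi1/0         198.51.100.9    Fa0/0         192.0.2.20      06 0050 C3A1     42
Fa0/0         192.0.2.31      Gi1/0         198.51.100.44   06 D2F0 0050      9
"""

SUFFIX = {"K": 1_000, "M": 1_000_000}
# One flow record: interfaces, addresses, hex protocol, hex ports, count + optional K/M.
LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([0-9A-F]{2})\s+([0-9A-F]{4})\s+([0-9A-F]{4})\s+(\d+)([KM]?)$"
)


def parse_flows(text):
    """Return a list of flow dicts; header and non-matching lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src_if, src, dst_if, dst, proto, sport, dport, n, suf = m.groups()
        flows.append({
            "src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
            "proto": int(proto, 16), "sport": int(sport, 16), "dport": int(dport, 16),
            "pkts": int(n) * SUFFIX.get(suf, 1),
            "transit": dst_if != "Local",  # "Local" DstIf = punted to the router itself
        })
    return flows


def top_sources(flows, limit=3):
    """Rank source addresses by packets, split into transit vs router-destined."""
    per_src = defaultdict(lambda: {"transit": 0, "local": 0})
    for f in flows:
        per_src[f["src"]]["transit" if f["transit"] else "local"] += f["pkts"]
    ranked = sorted(per_src.items(), key=lambda kv: kv[1]["transit"] + kv[1]["local"], reverse=True)
    return [(src, c["transit"], c["local"]) for src, c in ranked[:limit]]


if __name__ == "__main__":
    for src, transit, local in top_sources(parse_flows(SAMPLE)):
        print(f"{src:16} transit={transit:>10} to-router={local:>8}")
```

A source whose count is dominated by transit flows is the case the post describes: the NPE is saturated forwarding, not attacked directly, so an interface-level filter or rate limit at the access switch is the relief, not a control-plane policy alone.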