[c-nsp] Your opinions on router throughput

Jon Lewis jlewis at lewis.org
Fri Oct 27 08:03:12 EDT 2006


On Thu, 26 Oct 2006, Ted Mittelstaedt wrote:

> I'll take it as a given that a compromised system on the 100 baseT
> lan port on VXR could, by sending lots of small packets destined to
> the router interface, take down any NPE available for the

It doesn't have to be destined to the router interface.  Just trying to 
send the packets through the router will overload the NPE.  I just dealt 
with such a situation a few nights ago (compromised customer hanging off a 
2900XL switch connected to a VXR with NPE300).  The only way I could log 
in or use the CLI was by unplugging the ethernet.  Each time I plugged the 
ethernet back into the router, pretty much as soon as line protocol came 
up, the CLI went dead.  I could see from show ip cache flow, that the 
packets were to be routed...not an attack against the router itself.

> 7206 VXR chassis.  That is a good point of course, but I am
> not sure that any large backbone networks on the Internet size
> their routers so as to be able to withstand a sustained beating
> by a device that is directly connected to them via 100baseT or
> gigabit ethernet.

Perhaps not, but the hardware forwarding systems (i.e. 7600) will forward 
such traffic without breaking a sweat.

> Would this really be switched through the NPE?  I had thought
> that CEF make the flows go from card to card over the internal
> router bus, not through the CPU.

AFAIK on the 7200, all forwarding is handled by the NPE...otherwise 
you wouldn't see the CPU load increase with increased traffic levels.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
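As a worked illustration of the diagnostic step described above (reading `show ip cache flow` to tell transit traffic from traffic aimed at the router itself), here is an added Python example that is not from the thread or from Cisco. The flow-table lines, interfaces and addresses are constructed, and the use of `Local` as the DstIf for router-terminated packets is assumed from IOS NetFlow cache output.

```python
import re
from collections import defaultdict

# Constructed sample of "show ip cache flow" flow-table lines (not from the
# original post). Fa0/0 is the customer-facing LAN port; a DstIf of "Local"
# is assumed to mark packets terminating on the router itself.
SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.0.0.7        Gi1/0         203.0.113.9     11 2710 0035     1
Fa0/0         10.0.0.7        Gi1/0         203.0.113.10    11 2710 0035     1
Fa0/0         10.0.0.7        Gi1/0         203.0.113.11    11 2710 0035     1
Fa0/0         10.0.0.7        Gi1/0         203.0.113.12    11 2710 0035     1
Fa0/0         10.0.0.7        Gi1/0         203.0.113.13    11 2710 0035     1
Fa0/0         10.0.0.23       Local         192.0.2.1       06 C7B1 0016    42
Gi1/0         198.51.100.4    Fa0/0         10.0.0.23       06 01BB D3A2   310
"""

FLOW_RE = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dstif>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<proto>[0-9A-Fa-f]{2})\s+"
    r"(?P<sport>[0-9A-Fa-f]{4})\s+(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)

def parse_flows(text):
    """Return one dict per flow-table line; header/summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            d = m.groupdict()
            d["pkts"] = int(d["pkts"])
            flows.append(d)
    return flows

def summarize_sources(flows):
    """Per source address: flow count, packet total, and how many flows are
    transit (DstIf is a real interface) versus aimed at the router ("Local")."""
    stats = defaultdict(lambda: {"flows": 0, "pkts": 0, "transit": 0, "local": 0})
    for f in flows:
        s = stats[f["src"]]
        s["flows"] += 1
        s["pkts"] += f["pkts"]
        s["local" if f["dstif"] == "Local" else "transit"] += 1
    return dict(stats)

def suspect_sources(flows, min_flows=5, max_avg_pkts=2.0):
    """Sources with many short flows (few packets each) look like a small-packet
    flood the NPE must handle per packet; returns (src, "transit"|"local") pairs."""
    out = []
    for src, s in summarize_sources(flows).items():
        if s["flows"] >= min_flows and s["pkts"] / s["flows"] <= max_avg_pkts:
            out.append((src, "transit" if s["transit"] >= s["local"] else "local"))
    return out
```

Run against a pasted flow table, the `transit` tag corresponds to the situation in the post: the offending host's packets are being routed through the box rather than sent to it.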