[c-nsp] Nexus V1000 - Feedback?
Roland Dobbins
rdobbins at arbor.net
Wed Jun 10 21:16:00 EDT 2009
On Jun 10, 2009, at 9:32 PM, Maxwell Reid wrote:

> you really only need specialized ASICs as part of the forwarding
> plane of high-end routers.

When you're talking about DDoS, that's what's needed; general-purpose
CPUs on boxes running many different VM/OS/app stacks, or things like
ASAs don't cut it.

That's why you don't see stateful firewalling in front of major
public-facing properties; not only is it useless by definition in such
scenarios, in which every single incoming connection is unsolicited,
but it's a DDoS chokepoint due to the state instantiated and the
limited resources available.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Unfortunately, inefficiency scales really well.
-- Kevin Lawton