[c-nsp] do i *need* DFCs on the 6500?

Drew Weaver drew.weaver at thenap.com
Wed Sep 2 08:48:22 EDT 2009


Not to thread hijack here, but speaking of withstanding DoS attacks, has anyone seen any decent published baseline configurations for CoPP to deflect things similar to TTL Expiry attacks and the like? Perhaps some sort of template they use (if they can share it) would be really nice.

I would just like to see what others are doing.

-Drew


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Wednesday, September 02, 2009 8:40 AM
To: Alan Buxey
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] do i *need* DFCs on the 6500?

You alluded to one of my strongest selling points on DFCs though I don't 
think you made that particular connection yet.  DFCs offload QoS to the 
LC as you said.  That also means that CoPP is also handled in hardware 
if you have DFCs in place since it requires MLS QoS on that platform. 
I.e., if your 6500/7600 is going to be publicly-accessible on the Internet 
in any capacity and you want it to be able to use CoPP to withstand a 
targeted DoS attack then DFCs are not optional, they're critical.

The others on the list can probably give you much more in-depth views on 
the other aspects of the card but I found CoPP to be a big enough 
selling point.  It wouldn't be good if a simple little DoS attack took 
down my core 7600s.

Justin


Alan Buxey wrote:
> hi,
> 
> okay, from the background of I know what the DFC is and how it
> operates etc... i know I want them - however, I need to justify
> the upgrade/part cost to sort out a couple of 6500's.  in some of
> our 6500's, the 10G blades have DFCs already...but several 6724's don't
> (they just have CFC). ...as i said, I want them, but need to get
> some management/funding buy-in - and they don't want the 'what it
> does' information - they want some hard and fast facts that Cisco don't
> seem to want to tell me ..... so, the question is
> 
> 1) is there any way of showing the sup720 strain/utilisation...particularly
> is there a way of showing DFC usage on the blades where we have them?
> 
> 2) it offloads IPv6 and QoS - we're into both of those (and more so over the
> next year) - any particular insights into QoS performance/issues without
> DFC ? any throughput figures for IPv6 ?
> 
> (i know that with CFC we're limited to the backplane (32mpps?) and we get ~ 48mpps
> per blade with DFC)
> 
> ...or could it be that DFC's are only really useful to a particular deployment
> and I just *think* i need them?  ;-)
> 
> alan
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/