[c-nsp] do i *need* DFCs on the 6500?

David Prall dcp at dcptech.com
Wed Sep 2 13:21:34 EDT 2009


Drew,
Have a look at using "mls rate-limit all ttl-failure"

Here is a paper I worked on, more with an Enterprise feel.
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_553261.html

David

--
http://dcp.dcptech.com
 

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Drew Weaver
> Sent: Wednesday, September 02, 2009 8:48 AM
> To: 'Justin Shore'; Alan Buxey
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] do i *need* DFCs on the 6500?
> 
> Not to thread hijack here, but speaking of withstanding DoS attacks,
> has anyone seen any decent published baseline configurations for CoPP
> to deflect things similar to TTL Expiry attacks and the like? Perhaps
> some sort of template they use (if they can share it) would be really
> nice.
> 
> I would just like to see what others are doing.
> 
> -Drew
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Justin Shore
> Sent: Wednesday, September 02, 2009 8:40 AM
> To: Alan Buxey
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] do i *need* DFCs on the 6500?
> 
> You alluded to one of my strongest selling points on DFCs, though I don't
> think you made that particular connection yet.  DFCs offload QoS to the
> LC as you said.  That also means that CoPP is also handled in hardware
> if you have DFCs in place, since it requires MLS QoS on that platform.
> I.e., if your 6500/7600 is going to be publicly accessible on the
> Internet in any capacity and you want it to be able to use CoPP to
> withstand a targeted DoS attack, then DFCs are not optional, they're
> critical.
> 
> The others on the list can probably give you much more in-depth views
> on the other aspects of the card, but I found CoPP to be a big enough
> selling point.  It wouldn't be good if a simple little DoS attack took
> down my core 7600s.
> 
> Justin
> 
> 
> Alan Buxey wrote:
> > hi,
> >
> > okay, from the background of I know what the DFC is and how it
> > operates etc... I know I want them - however, I need to justify
> > the upgrade/part cost to sort out a couple of 6500s.  In some of
> > our 6500s, the 10G blades have DFCs already... but several 6724s don't
> > (they just have CFC). ... As I said, I want them, but need to get
> > some management/funding buy-in - and they don't want the 'what it
> > does' information - they want some hard and fast facts that Cisco don't
> > seem to want to tell me ..... so, the question is
> >
> > 1) is there any way of showing the sup720 strain/utilisation... particularly,
> > is there a way of showing DFC usage on the blades where we have them?
> >
> > 2) it offloads IPv6 and QoS - we're into both of those (and more so over the
> > next year) - any particular insights into QoS performance/issues without
> > DFC? any throughput figures for IPv6?
> >
> > (I know that with CFC we're limited to the backplane (32mpps?) and we get ~ 48mpps
> > per blade with DFC)
> >
> > ...or could it be that DFCs are only really useful to a particular deployment
> > and I just *think* I need them?  ;-)
> >
> > alan
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/


