[c-nsp] Cisco Infra DDOS Protection

Dobbins, Roland rdobbins at arbor.net
Sat Sep 22 20:02:45 EDT 2012


On Sep 21, 2012, at 11:49 PM, ar wrote:

> What could be a good replacement for 7600s to overcome this limitation? ASR9K? Nexus7K?

You don't have to replace the box.  Just replace the supervisor with a Sup2T and upgrade any DFC3 linecards to DFC4s (CFC linecards are fine).

> I am still researching as to why 7600 sucks on this.

No research is needed - it's because the EARL7 only has room for ~256K simultaneous mls cache entries at ~93% efficiency, and because it doesn't support packet-sampled control of flow generation (otherwise known as 'sampled NetFlow') - only ex post facto NDE output sampling.  It also doesn't provide a logical OR of all TCP flags seen during the course of a TCP flow, nor does it report statistics on dropped traffic.

Sup2T and DFC4s are based on EARL8 - same ASIC used in the N7K - which fixes all these issues.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
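As an added illustration of the three limits Roland lists above (this is not code from the post, from Cisco, or from Arbor), here is a scaled-down Python model of a hardware flow cache. Everything in it is constructed: the capacity of 256 stands in for the ~256K EARL7 entries, the packet stream is synthetic, the eviction policy is simplified to oldest-first, and the class and function names are my own. What it shows is why packet-sampled flow creation bounds cache growth under a flood of one-packet flows where export-time (NDE) sampling does not, and why the per-flow OR of TCP flags is what lets a collector tell a half-open flood from ordinary sessions.

```python
# Added example, not from the mailing list post or from Cisco: a scaled-down
# model of a flow cache illustrating (1) a bounded number of flow entries,
# (2) packet-sampled flow creation versus export-time (NDE) sampling, and
# (3) a per-flow logical OR of TCP flags.
from collections import OrderedDict

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


class FlowCache:
    """Toy flow cache. `capacity` is a small stand-in for the ~256K entries
    of a real EARL7; the real figure is not modelled here."""

    def __init__(self, capacity, packet_sample=1):
        self.capacity = capacity
        self.packet_sample = packet_sample   # 1 = every packet, N = 1-in-N
        self.flows = OrderedDict()           # 5-tuple -> counters
        self.evicted = 0                     # entries pushed out by overflow
        self.seen = 0

    def observe(self, pkt):
        """Account one packet. With packet sampling only every Nth packet is
        looked at at all, so a flood of one-packet flows can create at most
        1/N as many cache entries as it has packets."""
        self.seen += 1
        if self.seen % self.packet_sample != 0:
            return
        key = (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])
        entry = self.flows.get(key)
        if entry is None:
            if len(self.flows) >= self.capacity:
                self.flows.popitem(last=False)   # simplified: evict the oldest
                self.evicted += 1
            entry = {"pkts": 0, "bytes": 0, "flags": 0}
            self.flows[key] = entry
        entry["pkts"] += 1
        entry["bytes"] += pkt["len"]
        if pkt["proto"] == 6:
            entry["flags"] |= pkt["flags"]   # OR of every flag seen in the flow

    def export(self, nde_sample=1):
        """Export-time (NDE) sampling: thins the records that leave the box
        but does nothing about how many entries the cache had to hold."""
        return [(k, dict(e)) for i, (k, e) in enumerate(self.flows.items())
                if i % nde_sample == 0]

    def syn_only_flows(self):
        """Flows whose cumulative flags show a SYN but never an ACK: the
        signature of half-open connection attempts. With only the last
        packet's flags this distinction would be lost."""
        return sum(1 for e in self.flows.values()
                   if e["flags"] & TCP_SYN and not e["flags"] & TCP_ACK)


def build_traffic(n_legit=50, n_flood=1000):
    """Constructed packet stream: n_legit ordinary client-side TCP exchanges
    (SYN, ACK, ACK, FIN/ACK) followed by n_flood single-SYN packets, each
    with a different source port, to the same server."""
    pkts = []
    for i in range(n_legit):
        for flags in (TCP_SYN, TCP_ACK, TCP_ACK, TCP_FIN | TCP_ACK):
            pkts.append({"src": f"10.0.0.{i % 250 + 1}", "dst": "192.0.2.10",
                         "proto": 6, "sport": 40000 + i, "dport": 443,
                         "len": 60, "flags": flags})
    for i in range(n_flood):
        pkts.append({"src": f"203.0.113.{i % 250 + 1}", "dst": "192.0.2.10",
                     "proto": 6, "sport": 1024 + i, "dport": 443,
                     "len": 40, "flags": TCP_SYN})
    return pkts


def run(capacity=256, packet_sample=1):
    """Feed the constructed stream through a cache and summarise the result."""
    cache = FlowCache(capacity, packet_sample)
    for pkt in build_traffic():
        cache.observe(pkt)
    return {"entries": len(cache.flows), "evicted": cache.evicted,
            "syn_only": cache.syn_only_flows(),
            "exported_1_in_4": len(cache.export(4))}


if __name__ == "__main__":
    for rate in (1, 8):
        print(f"packet sampling 1-in-{rate}: {run(packet_sample=rate)}")
```

Run unsampled, the 1050 distinct flows overflow the 256-entry cache and push out every legitimate session before the flood entries; NDE sampling of the export (1-in-4) just reports a quarter of whatever survived. With 1-in-8 packet sampling the cache never fills, the surviving legitimate records still carry the cumulative FIN/ACK flags, and the SYN-only count isolates the flood.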
