[c-nsp] Cisco Infra DDOS Protection
Dobbins, Roland
rdobbins at arbor.net
Sat Sep 22 20:02:45 EDT 2012
On Sep 21, 2012, at 11:49 PM, ar wrote:
> What could be a good replacement for 7600s to overcome this limitation? ASR9K?Nexus7K?
You don't have to replace the box. Just replace the supervisor with a Sup2T and upgrade any DFC3 linecards to DFC4s (CFC linecards are fine).
> I am still researching as to why 7600 sucks on this.
No research is needed - it's because the EARL7 only has room for ~256K simultaneous mls cache entries at ~93% efficiency, and because it doesn't support packet-sampled control of flow generation (otherwise known as 'sampled NetFlow) - only ex post facto NDE output sampling. It also doesn't provide a logical OR of all TCP flags seen during the course of a TCP flow, nor does it report statistics on dropped traffic.
Sup2T and DFC4s are based on EARL8 - same ASIC used in the N7K - which fixes all these issues.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
More information about the cisco-nsp
mailing list