[j-nsp] Juniper denial of service attacks...
Jared Mauch
jared at puck.nether.net
Sat Jan 10 22:09:48 EST 2004
Comparing a 6509 and a Juniper router is a somewhat interesting task.
*Very* different beasts.
While this may be entirely off-topic for the juniper-nsp list, I
thought I'd let you know a bit about the 6509 and how it does layer-3
forwarding.
The 6500 (depending on hardware configuration) can perform a few
different types of layer-3 forwarding.
Here's part of your matrix:
MSFC - MSFC (1, 2, 3)
Supervisor - Sup1, Sup1A, Sup2, Sup3 (aka sup720)
PFC - PFC, PFC2, PFC3A, PFC3B (not sure if it's released yet)
There are also some linecard features available, including:
DFC (distributed feature card) and a PoE choice for those that are
using rj-45 or rj-21 connectors to the stations/endpoints.
The 6500 does MLS (multi layered switching) in most configurations.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008019f026.html
provides some information on MLS for you. This varies between sup
revisions as well.
Here's some documents on the mls for the sup1 and sup2:
sup1:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_guide_chapter09186a008007f49e.html
sup2:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/121_8aex/swconfig/cef.htm
If you have more detailed questions about the cat6k performance as a
layer-3 router you might want to ask on the cisco-nsp list.
- Jared
On Jan 10, 2004, at 7:31 PM, Tom (UnitedLayer) wrote:
> On Sat, 10 Jan 2004 sthaug at nethelp.no wrote:
>> It does packet filtering and policing in hardware, but traffic to the
>> interface addresses on the box get handled by the MSFC2. So you need to
>> limit/block (as appropriate) traffic to the interface addresses, this is
>> *not* done automatically.
>
> I was under the impression that you needed the Sup720 to have it handled
> in HW. I'm not
>
>> At my previous employer we saw DoS attacks of much more than 120 kpps
>> fairly regularly, and the 6509s handled it with no sweat.
>
> I sure wish someone would tell this particular transit provider of mine
> how to do that then :) They have a lot of their network built with J
> boxes, but at this one problem pop, they have a 6509...