Loadsa ICMP...

I'm not from a Cisco background, so forgive me, but.. What a strange
way to configure a router. You have to configure it in a non-intuitive
way because the intuitive way will blow up the router? I guess we should
be thankful that IOS lets us get around hardware limitations of the box, but
someone should really teach Cisco a concept called "SMP". Just an
observation..

-Jon

A 7513 with an RSP2 (100Mhz MIPS R4700) can process switch
around 3500 packets/sec, by my unofficial testing. People at cisco
may respond negatively to my post, but I'll refer them to two cases
I opened with TAC, neither of which were able to raise the ceiling
on how many packets can be process switched.

  Cisco configuration is aimed towards fast-switching as many
packets as possible. The same box can probably fast switch a couple of
hundred thousand packets/sec or more (I have no idea, I just know it's
a lot) but if you force the box to process switch, YOU WILL KILL IT.
It will start dropping bgp sessions, etc etc, and you're toast.

  One way to force a cisco to process switch is by sending
it packets that match an ACL deny.... and this latest round of
'smurfing' will send tens of thousands of packets/sec through your
router..

  so access-list filtering is worse than useless, it is
destructive, when combating DoS attacks.

  hence the idea of using policy-routing to filter the
smurf-attacks.

  realize here that doubling (or tripling, or quadrupling) the
CPU power of the cisco will not help. Upgrading from an rsp2 to an
rsp4 would buy you about 3 times 3.5Kpps, say around 10Kpps, process
switched. That's still hardly enough to save you when you're being
smurfed.

  Ed
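To make Ed's point concrete, here is an added illustration (not configuration from the thread or from cisco) contrasting the ACL-deny approach he warns against with the policy-routing approach he suggests. It assumes IOS of that era, a constructed victim address 192.0.2.10, and an interface name Serial0; `ip route-cache policy` is assumed to be available on the release in use.

```cisco
! --- Weak: inbound ACL deny -------------------------------------------
! Every smurf reply matching the deny is punted to the process path so
! the router can build an ICMP unreachable.  At tens of thousands of
! packets/sec this is exactly what exhausts the RSP2 (~3.5 Kpps limit).
access-list 101 deny   icmp any host 192.0.2.10 echo-reply
access-list 101 permit ip any any
!
interface Serial0
 ip access-group 101 in

! --- Preferred: policy-route the flood to Null0 ------------------------
! The match is a *permit* entry, so no packet hits an ACL deny; the
! route-map steers matching packets to Null0 and they are discarded in
! the fast path instead of being process switched.
access-list 102 permit icmp any host 192.0.2.10 echo-reply
!
route-map smurf-drop permit 10
 match ip address 102
 set interface Null0
!
interface Null0
 no ip unreachables        ! do not generate ICMP for the dropped flood
!
interface Serial0
 no ip access-group 101 in
 ip route-cache policy     ! fast-switch policy-routed packets (assumed)
 ip policy route-map smurf-drop
```

The victim address and interface names are placeholders; the point is only that the drop happens without the ICMP-generating process-switch path Ed and Tony describe.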

jcgreen@netins.net (Jon Green) writes:

I'm not from a Cisco background, so forgive me, but.. What a strange
way to configure a router. You have to configure it in a non-intuitive
way because the intuitive way will blow up the router? I guess we should
be thankful that IOS lets us get around hardware limitations of the box, but
someone should really teach Cisco a concept called "SMP". Just an
observation..

You are correct. The intuitive way does the Right Thing, which is to send
back an ICMP packet. The optimization to get that to happen at interrupt
time never did happen... mostly due to lack of customer demand.

As to the small matter of a Small Matter of Programming, well, it's a lot
easier if you're the one asking for it than the one doing it.

Tony