Ping flooding (fwd)

Mailman List Mirror (Read Only)
1

I have always been under the impression that Cisco flow switching and
high performance were mutually exclusive if there were too many active
flows as is the case for the major US ISPs at least.

What the RS6000 does is the forwarding cards sample on in 50 packets,
strip all but the headers, pack it into a buffer and send the buffers
to the RS6000 processor for inclusion in histograms. We can come
close to doing 1:1 sampling but not quite. The 1:50 has proven just
fine for traffic management and also come in handy for tracking
persistant source address spoofers back to the next provider.

Another difference is with the flow switching, you need to catch them
in the act. With the sampling and collection, you can call hours
later (days or weeks actually, years if you count going to tape) and
still determine the candidate entry points for the traffic. I don't
think there is a practical way to get the same sort of historic
archive from the flow switching stats.

Curtis

2

I have always been under the impression that Cisco flow switching and
high performance were mutually exclusive if there were too many active
flows as is the case for the major US ISPs at least.

This may or may not be the case, but that wasn't the question; the
question was if information required to track bogus packets was
available.

Apart from that, flow switching should probably be seen in the
light of distributed switching, but all of this is something
sales critters are there to talk about.

Another difference is with the flow switching, you need to catch them
in the act. With the sampling and collection, you can call hours
later (days or weeks actually, years if you count going to tape) and
still determine the candidate entry points for the traffic. I don't
think there is a practical way to get the same sort of historic
archive from the flow switching stats.

As noted in other mail, it appears there is a solution to that.