I have found that 2500's do not have the processor for even basic filtering when sitting in front of several hundred modems. 4700's on the other hand (and 7200's) have the ability to handle the job with little difficulty.
Really? Is there something special about 2500s as compared to AGSes? Alec pointed out to me that my numbers were a bit off, but they're not off by that much. How much traffic was there on the 2500 that you were trying to use for filtering? And how many ports were in use?
I'm a small enough site to provide some numbers on 2500s. My border router is a 2514; it checks every incoming packet to be sure the packet doesn't claim to be from my address space, and to be sure they _are_ from my address space, it checks every outgoing packet twice[*], once coming into the router and again on the way out. A while ago the 5-minute average input data rate was sitting at 230 Kbps and the 5-minute cpu utilization at 25%. This router also filters all the incoming packets again as they leave out an enet port or the second serial (T1) port. Some packets go through a lot of other filter steps before hitting a rule allowing them into or out of the router. Adding all this filtering doesn't seem to have affected the cpu utilization a whole lot, although it's been a long time since I had all filtering turned off.

[*] Filtering twice lets me delete and rewrite one filter while still being shielded by the other.

Ok, so I waste a lot of cpu - that's part of the point: it's a mere 2500, but I have all this cpu to spare. 230 Kbps isn't much, but it's enough to suggest I'm going to run out of T1 before I run out of cpu.

--
Dick St.Peters, Gatekeeper, Pearly Gateway, Ballston Spa, NY stpeters@NetHeaven.com
Owner, NetHeaven 518-885-1295/800-910-6671
Albany/Saratoga/Glens Falls/North Creek/Lake Placid/Blue Mountain Lake
First Internet service based in the 518 area code
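
The double anti-spoofing check described in the message above can be modelled in a few lines. This is an added example, not code or configuration from the thread: the inside prefix, the filter-point names and the sample packets are constructed, and it assumes a filter point whose list has been deleted for rewriting passes all traffic.

```python
import ipaddress

# Constructed inside prefix (RFC 5737 documentation range), not from the post.
MY_NET = ipaddress.ip_network("192.0.2.0/24")

# Two filter points per direction, as the post describes: once on the way
# into the router and once on the way out. Interface names are hypothetical.
PATHS = {
    "inbound": ("serial_in", "lan_out"),    # Internet -> inside
    "outbound": ("lan_in", "serial_out"),   # inside -> Internet
}
ALL_POINTS = {p for pair in PATHS.values() for p in pair}

def permitted(src, direction):
    """Anti-spoofing rule: inbound must not claim an inside source,
    outbound must carry one."""
    inside = ipaddress.ip_address(src) in MY_NET
    return inside if direction == "outbound" else not inside

def forward(src, direction, installed):
    """Run a packet past both filter points for its direction.

    `installed` is the set of points that currently have a list applied.
    Assumption: a point whose list has been deleted for rewriting passes
    everything.
    """
    for point in PATHS[direction]:
        if point in installed and not permitted(src, direction):
            return f"dropped at {point}"
    return "forwarded"

# Constructed sample packets: (source address, direction).
SPOOFED = [("192.0.2.10", "inbound"), ("203.0.113.9", "outbound")]

def leaks(installed):
    """Spoofed samples that get through with the given lists in place."""
    return [s for s in SPOOFED if forward(*s, installed) == "forwarded"]

if __name__ == "__main__":
    for removed in [set(), {"serial_in"}, {"lan_in"}, {"serial_in", "lan_out"}]:
        print(sorted(removed) or "none removed", "->", leaks(ALL_POINTS - removed))
```

Removing either list on a path leaves the spoofed samples blocked at the other point; only removing both lists on the same path lets one through.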