Since when are policers implemented in RAM? You're talking FPGA if you want to be able to make forwarding/filtering decisions, assuming it's possible (which it isn't); your 1 million dollar boxes suddenly become hundred million dollar boxes. Then there's v6 info..
Of course it's not possible ... if you use a crummy design. It's trivial to come up with non-completely-crummy designs.

For example, adding a front-end where you take a hash of source-ip/dest-ip and run it through a smallish hash table, you can use that as a filter to eliminate a lot of traffic that's just normal and non-interesting. You want to take a closer look at the traffic that's heaviest (read: most hits) or new and significant (read: diff against an hour ago). You probably don't want to do this just per-IP, but likely also per-network. And you probably don't want to use just this one technique, you want to combine it with others. And you probably need to consider the types of attacks that are known, likely, etc., and design accordingly, because this one little example I've provided is just one part of a comprehensive solution, but it is capable of dealing with any amount of traffic and it would be a very useful filter to start pulling out potentially interesting stuff.

This stuff isn't *easy*. Fine. But it certainly *is* possible.

...

JG

-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
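The front-end Joe describes, as an added toy illustration and not his code or anything sol.net runs: a fixed-size counter table indexed by a hash of the source/destination pair, a second table keyed per network, and two ways of reading it (heaviest buckets, and buckets that grew since an earlier snapshot). The table size, the /24 and /48 aggregation prefixes, the thresholds, the use of BLAKE2 as a stand-in for whatever hash a hardware front-end would use, and the sample flows (RFC 5737/3849 documentation addresses) are all assumptions made here for the example.

```python
"""Hash-table traffic front-end: fixed memory, any amount of traffic.

Added example; the sizes, prefixes and thresholds below are assumptions.
"""
import hashlib
import heapq
import ipaddress

TABLE_SIZE = 1 << 16   # "smallish": 64K counters, not one per flow seen


def bucket(key: str, size: int = TABLE_SIZE) -> int:
    """Map a key to a counter slot. Collisions are tolerated: they only
    make a cold flow look warm, which the slow path can then dismiss."""
    digest = hashlib.blake2b(key.encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % size


def flow_keys(src: str, dst: str):
    """Per-IP-pair key plus a per-network key (/24 for v4, /48 for v6;
    the prefix lengths are an assumption of this example)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    plen = 24 if s.version == 4 else 48
    snet = ipaddress.ip_network(f"{s}/{plen}", strict=False)
    dnet = ipaddress.ip_network(f"{d}/{plen}", strict=False)
    return [("ip", f"{s}>{d}"), ("net", f"{snet}>{dnet}")]


class FrontEnd:
    def __init__(self, size: int = TABLE_SIZE):
        self.size = size
        self.tables = {"ip": [0] * size, "net": [0] * size}
        # Last key seen per slot, for human-readable reports only; a
        # hardware table would keep just the counters and let the slow
        # path identify who is behind a hot slot.
        self.labels = {}

    def observe(self, src: str, dst: str, packets: int = 1) -> None:
        for kind, key in flow_keys(src, dst):
            slot = bucket(key, self.size)
            self.tables[kind][slot] += packets
            self.labels[(kind, slot)] = key

    def snapshot(self):
        """Copy of the counters, e.g. the state from an hour ago."""
        return {k: list(v) for k, v in self.tables.items()}

    def heavy(self, kind: str, n: int = 3):
        """Heaviest buckets (read: most hits)."""
        table = self.tables[kind]
        top = heapq.nlargest(n, range(self.size), key=table.__getitem__)
        return [(self.labels.get((kind, s)), table[s]) for s in top if table[s] > 0]

    def grown(self, earlier, kind: str, threshold: int):
        """Buckets that grew by more than threshold since the snapshot
        (read: new and significant), largest growth first."""
        table, old = self.tables[kind], earlier[kind]
        out = [(self.labels.get((kind, s)), table[s] - old[s])
               for s in range(self.size) if table[s] - old[s] > threshold]
        return sorted(out, key=lambda item: item[1], reverse=True)

    def interesting(self, src: str, dst: str, threshold: int) -> bool:
        """The filter itself: does either of this flow's counters exceed
        the threshold? Normal traffic answers False and is not examined
        further; a flow from a hot /24 is caught by the network key even
        when its own IP-pair counter is small."""
        return any(self.tables[kind][bucket(key, self.size)] > threshold
                   for kind, key in flow_keys(src, dst))


def demo():
    """Constructed traffic: steady background, a /24 hammering one host,
    and a new v6 talker that only the hour-over-hour diff notices."""
    fe = FrontEnd()
    background = [(f"192.0.2.{i}", f"198.51.100.{i % 5}") for i in range(1, 41)]
    for s, d in background:
        fe.observe(s, d, packets=3)
    earlier = fe.snapshot()                      # "an hour ago"
    for s, d in background:                      # background continues unchanged
        fe.observe(s, d, packets=3)
    for i in range(1, 41):                       # 40 hosts in one /24 -> one target
        fe.observe(f"203.0.113.{i}", "198.51.100.10", packets=20)
    fe.observe("2001:db8:1::5", "2001:db8:2::9", packets=120)   # new this hour
    fe.observe("203.0.113.7", "198.51.100.10", packets=800)     # heaviest single pair
    return fe, earlier


if __name__ == "__main__":
    fe, earlier = demo()
    print("heaviest IP pairs:", fe.heavy("ip"))
    print("heaviest network pairs:", fe.heavy("net"))
    print("grew since last hour:", fe.grown(earlier, "ip", threshold=100))
    print("background flow interesting?", fe.interesting("192.0.2.1", "198.51.100.1", 500))
    print("/24 member interesting?", fe.interesting("203.0.113.3", "198.51.100.10", 500))
```

The memory footprint is fixed by TABLE_SIZE regardless of how many distinct flows pass, which is the property that makes this a front-end rather than a flow table. Note how the three readings complement each other: the per-IP top list finds the single loud pair, the per-network key catches 203.0.113.0/24 even though each of its hosts is individually quiet, and the diff against the snapshot surfaces the v6 talker that neither top list ranks highly.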