Re: Re[2]: SYN floods (was: does history repeat itself?)
At 02:12 PM 9/10/96 -0400, Alec H. Peterson wrote:
>> FWIW, even with a thousand very busy modems, I'm pretty sure that even a small cisco is up to the job. They just don't generate all that much traffic.
> Could be, although I'd want to see this before I bet the farm on it. I'm not sure how efficient crisco's filtering algorithm is...

I have found that 2500's do not have the processor for even basic filtering when sitting in front of several hundred modems. 4700's on the other hand (and 7200's) have the ability to handle the job with little difficulty.

Justin Newton
Internet Architect
Erol's Internet Services
Justin W. Newton writes:
> At 02:12 PM 9/10/96 -0400, Alec H. Peterson wrote:
>>> FWIW, even with a thousand very busy modems, I'm pretty sure that even a small cisco is up to the job. They just don't generate all that much traffic.
>> Could be, although I'd want to see this before I bet the farm on it. I'm not sure how efficient crisco's filtering algorithm is...
> I have found that 2500's do not have the processor for even basic filtering when sitting in front of several hundred modems. 4700's on the other hand (and 7200's) have the ability to handle the job with little difficulty.

Really? Is there something special about 2500s as compared to AGSes? Alec pointed out to me that my numbers were a bit off, but they're not off by that much. How much traffic was there on the 2500 that you were trying to use for filtering? And how many ports were in use?

FWIW, in terms of low-cost solutions, 4000s and 4500s may still be available, and I think the 4000 has the same CPU as an AGS (25MHz 68040) though I might be misremembering. I'm sure the 4500 is plenty- it's got a 100MHz MIPS chip (from IDT, I think).

/a
In reply to your message of Tue, 10 Sep 1996 22:31:03 EDT:

| Justin W. Newton writes:
| > I have found that 2500's do not have the processor for even basic filtering
| > when sitting in front of several hundred modems.

Entirely possible, especially if there is a lot of routing overhead for those several hundred modems.

| Really? Is there something special about 2500s as compared to AGSes? Alec
| pointed out to me that my numbers were a bit off, but they're not off by
| that much. How much traffic was there on the 2500 that you were trying to
| use for filtering? And how many ports were in use?

There is a big difference, in both hardware architecture and, therefore, how IOS can exploit it. Even an ancient SCI-4T has more hardware offload capabilities than the USART in a 2500 series router. Consider that the SCI can do up to 8 Mbps on a port (tho there's a budget limit a-la CX-FSIP, and anything over 4.0 Mbps is unsupported), whilst the 2500 cannot go above 4.0 Mbps on any port (and we do not support that configuration, either) without the USART pulling errors.

The trend has been to optimize our hardware and software, whereas early on we sought to offload as much into hardware as possible to get the performance gains.

So in short, the AGS has more hardware support than a 2500 for moving packets, which means that the 2500 CPU has to do more work. Now, it's also a more sophisticated architecture, so it can do the work and do it well, but there are definitely trade-offs in overhead-vs-packet-switching.

Perhaps a more learned colleague will venture to correct me if I've erred, but that's the situation as I understand it.

| FWIW, in terms of low-cost solutions, 4000s and 4500s may still be available,
| and I think the 4000 has the same CPU as an AGS (25MHz 68040) though I might
| be misremembering. I'm sure the 4500 is plenty- it's got a 100MHz MIPS chip
| (from IDT, I think).

We do not recommend the 4000 as a solution at this time, as it remains something of a-- how shall I put this?-- less than desirable processing platform. If you are going with new equipment, I strongly urge you to consider 4500-M/4700-M.

Drat. Now I've gone and broken my streak of flippant and sarcastic messages to the list. ;-)

Cheers,
Paul

Paul "Corwin" Frommeyer Work Internet Engineer, CCIE Play ISP Systems Engineer Network Sorcerer At Large Cisco Systems, Inc. Paul's Fone Company pfrommey@cisco.com corwin@palas.com
*** Speaking solely for myself unless otherwise noted ***
>> I have found that 2500's do not have the processor for even basic filtering when sitting in front of several hundred modems. 4700's on the other hand (and 7200's) have the ability to handle the job with little difficulty.
> Really? Is there something special about 2500s as compared to AGSes? Alec pointed out to me that my numbers were a bit off, but they're not off by that much. How much traffic was there on the 2500 that you were trying to use for filtering? And how many ports were in use?

I'm a small enough site to provide some numbers on 2500s. My border router is a 2514; it checks every incoming packet to be sure the packet doesn't claim to be from my address space, and to be sure they _are_ from my address space, it checks every outgoing packet twice[*], once coming into the router and again on the way out.

Awhile ago the 5-minute average input data rate was sitting at 230 Kbps and the 5-minute cpu utilization at 25%. This router also filters all the incoming packets again as they leave out an enet port or the second serial (T1) port. Some packets go through a lot of other filter steps before hitting a rule allowing them into or out of the router. Adding all this filtering doesn't seem to have affected the cpu utilization a whole lot, although it's been a long time since I had all filtering turned off.

[*] Filtering twice lets me delete and rewrite one filter while still being shielded by the other.

Ok, so I waste a lot of cpu - that's part of the point: it's a mere 2500, but I have all this cpu to spare. 230 Kbps isn't much, but it's enough to suggest I'm going to run out of T1 before I run out of cpu.

--
Dick St.Peters, Gatekeeper, Pearly Gateway, Ballston Spa, NY stpeters@NetHeaven.com
Owner, NetHeaven 518-885-1295/800-910-6671
Albany/Saratoga/Glens Falls/North Creek/Lake Placid/Blue Mountain Lake
First Internet service based in the 518 area code
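The source-address checks and the filter-twice footnote from the message above, modeled as an added example that is not part of the original thread. The site prefix, the sample packets and the rule that a deleted filter passes everything are assumptions made for the illustration.

```python
import ipaddress

SITE = ipaddress.ip_network("192.0.2.0/24")  # constructed prefix (documentation range)

def not_from_site(src):
    """Inbound rule: a packet arriving from outside must not claim a site source."""
    return ipaddress.ip_address(src) not in SITE

def from_site(src):
    """Outbound rule: a packet leaving the site must carry a site source."""
    return ipaddress.ip_address(src) in SITE

def forwarded(direction, src, stages):
    """Pass src through every filter stage configured for its direction.
    A stage set to None models a filter deleted for rewriting; this model
    assumes such a stage passes everything."""
    return all(rule(src) for rule in stages[direction] if rule is not None)

# Constructed packets: (direction, source address, should it be forwarded?)
PACKETS = [
    ("in",  "198.51.100.7", True),   # ordinary outside host
    ("in",  "192.0.2.55",   False),  # outside packet forging a site address
    ("out", "192.0.2.10",   True),   # ordinary site host
    ("out", "203.0.113.9",  False),  # site host forging an outside source
]

def leaks(stages):
    """Packets that are forwarded although they should have been dropped."""
    return [(d, s) for d, s, ok in PACKETS if forwarded(d, s, stages) and not ok]

def wrongly_dropped(stages):
    """Packets that are dropped although they are legitimate."""
    return [(d, s) for d, s, ok in PACKETS if ok and not forwarded(d, s, stages)]

# Outbound traffic is checked on entering the router and again on leaving it.
DOUBLE = {"in": [not_from_site], "out": [from_site, from_site]}
# One of the two outbound filters is deleted while it is being rewritten.
DOUBLE_ONE_REMOVED = {"in": [not_from_site], "out": [None, from_site]}
# With a single outbound filter, the same maintenance window leaves no check.
SINGLE_REMOVED = {"in": [not_from_site], "out": [None]}

if __name__ == "__main__":
    for name, cfg in [("double", DOUBLE), ("double, one removed", DOUBLE_ONE_REMOVED),
                      ("single, removed", SINGLE_REMOVED)]:
        print(f"{name}: leaks={leaks(cfg)} wrongly_dropped={wrongly_dropped(cfg)}")
```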
participants (4)
- Alexis Rosen
- Dick St.Peters
- Justin W. Newton
- Paul Frommeyer