CCO official release on blocking code red w/ IOS NBAR - http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml
On Tue, Aug 07, 2001 at 10:21:10PM -0700, Scott Frisby said:
CCO official release on blocking code red w/ IOS NBAR -
Excellent. Is anyone implementing this on large scale networks? What sort of performance hit are you seeing on what levels of traffic?

Thanks,
--
dmuz
dmuz.angrypacket.com <- vanity site
sec.angrypacket.com <- lame security site
"I'd rather have a bottle in front of me than a frontal lobotomy." - Tom Waits
Based on the testing we have done with this feature - you can expect the following. This feature requires CEF switching turned on:

7200 NPE 300 w/ Stateful Classification (http subport and marking)
You're looking at about an incremental max 15% hit w/ 45 meg each direction (90 meg total)

3660 25 meg unidirectional ~11%
3640 8 meg unidirectional ~11%
3620 4 meg unidirectional ~16%
2650 8 meg unidirectional ~11%
2610 4 meg unidirectional ~16%

Many enterprise customers are starting to implement this at the ingress of the network.

One of the side effects that has been reported is open TCP sessions that are left on servers as the result of this filtering.

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of dmuz
Sent: Wednesday, August 08, 2001 8:17 AM
To: Scott Frisby
Cc: nanog@merit.edu
Subject: Re: Blocking CODE RED IOS NBAR CCO Tech Tip

On Tue, Aug 07, 2001 at 10:21:10PM -0700, Scott Frisby said:
CCO official release on blocking code red w/ IOS NBAR -
Excellent. Is anyone implementing this on large scale networks? What sort of performance hit are you seeing on what levels of traffic?

Thanks,
--
dmuz
dmuz.angrypacket.com <- vanity site
sec.angrypacket.com <- lame security site
"I'd rather have a bottle in front of me than a frontal lobotomy." - Tom Waits
participants (2)
- dmuz
- Scott Frisby