Pete Vickers
[EMAIL PROTECTED] | +47 48 17 91 00
Systemnet AS
On 20 Apr 2007, at 10:42 AM, Claudio Jeker wrote:
On Fri, Apr 20, 2007 at 09:48:44AM +0200, Toni Mueller wrote:

Hi Claudio,

On Fri, 06.04.2007 at 12:09:38 +0200, Claudio Jeker <[EMAIL PROTECTED]> wrote:

Even the most expensive Cisco/Foundry/Extreme switches do not have the CPU power to route or filter packets.

How come they boast about running BGP and such stuff? E.g. Cisco 6509 and up, or Extreme Black Diamond? This requires real routing capabilities, doesn't it?

Depends on your definition of routing capabilities. Layer 3 switches (ab)use the CAM to do route lookups. For example, the Cisco 7600 switching router is able to route/switch at high pps rates under normal (lab) circumstances, but they start to thrash when your network is under a DDoS attack. This comes from the fact that the CAM table is flooded and so many packets are redirected to the CPU for a slow routing lookup. Most L3 switches have small CAM tables and so only small routing tables can be handled efficiently on those systems (small as in <20'000 routes, which is nothing compared to the 215'000 BGP prefixes seen on a full view).

Also note that switching routers do lookups in HW, so any feature that is not part of the HW engine needs help from the main CPU. Tunneling, IPsec, stateful filtering, L2TP, MPLS VPN and so on are either not available or are done fully in software.

L3 switches can be compared to running a system with 64M RAM and 4GB of swap. Paging and swapping makes the box comparable to one with 4GB of RAM until your running processes start to use more than the 64M available.
--
:wq Claudio
Hi,
With SUP32/SUP720 and PFC2/3 this is much less a problem, as stated below. In fact, you can do a lot of config on the TCAM itself to mitigate DDoS-associated problems:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml#wp43045
/Pete
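As an added illustration of the kind of mitigation Pete points at (this is example configuration written for this page, not anything posted by Pete, Claudio or Toni), here is Cisco IOS syntax for a Catalyst 6500/7600 with a Sup720/PFC3. It addresses the failure mode Claudio describes, packets that the TCAM cannot switch being punted to the route processor, in two layers: the PFC3 hardware rate limiters cap the special-case punt paths (ARP glean, receive-adjacency traffic, RPF and TTL failures, IP options, no-route ICMP unreachables), and a control-plane policing (CoPP) policy gives the BGP session and management traffic their own budgets while policing everything else aimed at the CPU. The peer and management addresses (RFC 5737 documentation space), the ACL and class names, and every rate and burst value are assumed for illustration only and are not recommendations; the 6500 series also documents exceptions to which traffic CoPP can police in hardware, so check the platform documentation for your supervisor and software release.

```cisco
! Example only: addresses, names and rates below are assumed for illustration.
!
! PFC3 hardware rate limiters for packets the TCAM cannot switch and that
! would otherwise be punted to the route processor.  Arguments: <pps> <burst>.
mls rate-limit unicast cef glean 50 10
mls rate-limit unicast cef receive 1000 100
mls rate-limit unicast ip rpf-failure 100 10
mls rate-limit unicast ip options 10 10
mls rate-limit all ttl-failure 100 10
mls rate-limit unicast ip icmp unreachable no-route 100 10
!
! Control-plane policing: one class per legitimate peer protocol, everything
! else gets a small budget.  police arguments are <bps> <burst-bytes>.
ip access-list extended COPP-BGP
 remark assumed BGP peer 192.0.2.1, our peering address 192.0.2.2
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
!
ip access-list extended COPP-MGMT
 remark assumed management network 198.51.100.0/24
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit udp 198.51.100.0 0.0.0.255 any eq snmp
!
class-map match-all COPP-BGP
 match access-group name COPP-BGP
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
!
policy-map COPP
 class COPP-BGP
  police 2000000 62500 conform-action transmit exceed-action drop
 class COPP-MGMT
  police 500000 15625 conform-action transmit exceed-action drop
 class class-default
  police 100000 3125 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

After applying it, `show mls rate-limit` lists which limiters are active and their counters, and `show policy-map control-plane` shows conformed and exceeded counts per class, so during an attack you can see which punt path or class is absorbing the load rather than inferring it from CPU utilisation. The class-default rate is deliberately low: anything that is neither a known peer nor management traffic should never need much of the route processor, which is exactly the resource Claudio's "64M of RAM" analogy is about.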