Re: PBR needing to hit the cpu?

2005-09-18 Thread Tony Li

On Sep 17, 2005, at 8:57 PM, David Hubbard wrote:

> Just curious, do most vendors' hardware need to hit the
> cpu when doing policy-based routing?  I found one of my
> border routers' cpu's on the bad end of a DDoS but once
> I turned off a not necessarily required setup to force
> some outbound traffic to take a specific outbound link
> via PBR, the DDoS traffic was no longer an issue.  It was
> only about 200 Mbit so I hadn't expected it to be an issue
> but apparently it was; I was surprised when support told
> me the PBR was making traffic hit the cpu.



That's not at all surprising.  PBR would be pretty hard to push into
a hardware forwarding path.

Not impossible, but certainly challenging.

Tony



Re: PBR needing to hit the cpu?

2005-09-18 Thread Richard A Steenbergen

On Sat, Sep 17, 2005 at 11:57:47PM -0400, David Hubbard wrote:

> Just curious, do most vendors' hardware need to hit the
> cpu when doing policy-based routing?  I found one of my
> border routers' cpu's on the bad end of a DDoS but once
> I turned off a not necessarily required setup to force
> some outbound traffic to take a specific outbound link
> via PBR, the DDoS traffic was no longer an issue.  It was
> only about 200 Mbit so I hadn't expected it to be an issue
> but apparently it was; I was surprised when support told
> me the PBR was making traffic hit the cpu.

Some do.

Some don't.

That is about the best answer you're going to get unless you can tell us 
what hardware. Obviously policy-based routing uses a different lookup 
mechanism (some user-defined policy) than traditional destination ip 
longest prefix match. A cpu-based router is going to do it in cpu (duh), 
but the lookup process isn't going to be as efficient. A lower end 
hardware based/assisted router or L3 switch may just end up kicking policy 
routed traffic down a slow path, which may or may not be CPU based. Many 
higher end routers are perfectly capable of doing policy routing at the 
same level of performance as regular IP routing. Most vendors make a 
product that fits into each category.

-- 
Richard A Steenbergen [EMAIL PROTECTED]   http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


GMU Dissertation

2005-09-18 Thread sgorman1


Hi,

A few people have asked when it would be available, so thought I'd put in the 
shameless plug for my dissertation, now slightly expanded book:

Networks, Security And Complexity: The Role of Public Policy in Critical 
Infrastructure Protection

http://www.amazon.com/exec/obidos/tg/detail/-/1843769522/qid=1127050688/sr=1-1/ref=sr_1_1/102-9173163-8383351?v=glances=books

Sure to be anti-climactic, but think there might be a few bits that are of 
interest to the list.  Book aside, the interesting part is all of the issues on 
public information, government classification, information sharing etc. have 
only intensified.  At least from what I can see.

best,

sean



Re: PBR needing to hit the cpu?

2005-09-18 Thread Sean Figgins

On Sat, 17 Sep 2005, David Hubbard wrote:

> Just curious, do most vendors' hardware need to hit the cpu when doing
> policy-based routing?

As far as I know, the hardware that you are likely using from the major
company in the bay area is going to put all PBR traffic through the CPU.

Other vendors do it in different ways, but any vendor that only does the
standard destination address lookup in hardware will have to do exception
processing in the CPU.  Most routers fall into this category.  The
differences will be how efficiently the CPU handles the processing, and
that will determine the load.

Unfortunately, any more specific information of what vendors do would be a
violation of the NDAs.

 -Sean


Re: PBR needing to hit the cpu?

2005-09-18 Thread Adam Rothschild

On 2005-09-18-13:28:22, Sean Figgins [EMAIL PROTECTED] wrote:
> As far as I know, the hardware that you are likely using from the
> major company in the bay area is going to put all PBR traffic
> through the CPU.
[...]

It's all dependent upon platform, as was stated previously.  A Cisco
Catalyst 6500 with Sup720 can definitely perform hardware-based PBR.
On the other hand, your run-of-the-mill 2600 series (or even a Sup2
w/MSFC2, if memory serves) cannot. :)

> Unfortunately, any more specific information of what vendors do
> would be a violation of the NDAs.

Please tell me this was meant tongue-in-cheek...

-a


Time Warner Outage?

2005-09-18 Thread Brian Boles


Anyone having problems with Time Warner?




Re: PBR needing to hit the cpu?

2005-09-18 Thread Fergie (Paul Ferguson)

What I think we're talking about here is not really policy-
based routing but policy-based forwarding, right?

If so, then any non-FIFO scheme would have to be kicked up
to the CPU, right?

- ferg

ps. I heard you left Cisco again. ;-)



-- Tony Li [EMAIL PROTECTED] wrote:

> On Sep 17, 2005, at 8:57 PM, David Hubbard wrote:
> > Just curious, do most vendors' hardware need to hit the
> > cpu when doing policy-based routing?  I found one of my
> > border routers' cpu's on the bad end of a DDoS but once
> > I turned off a not necessarily required setup to force
> > some outbound traffic to take a specific outbound link
> > via PBR, the DDoS traffic was no longer an issue.  It was
> > only about 200 Mbit so I hadn't expected it to be an issue
> > but apparently it was; I was surprised when support told
> > me the PBR was making traffic hit the cpu.
>
> That's not at all surprising.  PBR would be pretty hard to push into
> a hardware forwarding path.
> Not impossible, but certainly challenging.
>
> Tony




Re: Time Warner Outage?

2005-09-18 Thread Justin


I was.  I nuked my peering about an hour ago.  Word from the local ops 
manager was that it was a national issue that started just after 1pm 
Mountain time.


On Sun, 18 Sep 2005, Brian Boles wrote:

> Anyone having problems with Time Warner?

Re: PBR needing to hit the cpu?

2005-09-18 Thread Lincoln Dale


Sean Figgins wrote:

> > Just curious, do most vendors' hardware need to hit the cpu when doing
> > policy-based routing?
>
> As far as I know, the hardware that you are likely using from the major
> company in the bay area is going to put all PBR traffic through the CPU.

not quite true ...

for router platforms, in most cases PBR doesn't alter the 'path' of
processing.  PBR is available within CEF/fast paths & processing doesn't
drop out of that processing path unless some of the more esoteric
'policy' options are used.  this doesn't mean that PBR comes for free
- but with careful planning it doesn't have to result in excessive CPU
overhead either.

for many switch platforms, PBR remains in a h/w-switched path &
essentially does come for 'free' (no impact on speed, no requirement to
fall back to a s/w-based path).  the price here is that not all
'policies' are necessarily available in the h/w-switching path.

i can provide more details off-list if you wish but i doubt folks want
this to be a foobar-nsp list..



cheers,

lincoln.
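Richard's and Lincoln's replies describe the same distinction from two angles: a PBR lookup is a different operation from the destination longest-prefix match, and whether that lookup stays in the fast path depends on the platform. The model below is an added Python example written for this archive page, not code from any poster, vendor or product. Its prefixes, next hops and interface names are constructed, and so is its central assumption: every packet arriving on a PBR-enabled interface is evaluated against the policy, and on a software-PBR platform that evaluation runs on the CPU whether or not a clause matches. Under that assumption a flood that never matches the policy still lands on the CPU, which is the behaviour David described.

```python
"""Toy model of the two lookups discussed in this thread: a destination
longest-prefix-match (LPM) forwarding table, and a policy-based-routing (PBR)
clause evaluated before it.  The platform flag decides whether the PBR
evaluation stays in the hardware path or is punted to the CPU.
Constructed example: every prefix, next hop and interface name is made up."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrived on
    src: str
    dst: str


class Fib:
    """Destination-based forwarding table: the longest matching prefix wins."""

    def __init__(self, routes):
        # Sort longest prefix first so the first hit is the longest match.
        self.routes = sorted(
            ((ipaddress.ip_network(p), nh) for p, nh in routes.items()),
            key=lambda r: r[0].prefixlen,
            reverse=True,
        )

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        for net, next_hop in self.routes:
            if addr in net:
                return next_hop
        return None  # no route at all: drop


@dataclass(frozen=True)
class Policy:
    """One route-map style clause: packets from match_src are sent to next_hop."""
    match_src: ipaddress.IPv4Network
    next_hop: str


@dataclass
class Router:
    fib: Fib
    policies: dict            # ingress interface -> list of Policy clauses
    pbr_in_hardware: bool     # can the forwarding hardware evaluate the clauses?
    counters: dict = field(default_factory=lambda: {"hardware": 0, "cpu": 0, "drop": 0})

    def forward(self, pkt):
        """Return (next_hop, path) for one packet and count which path it took."""
        clauses = self.policies.get(pkt.ingress, [])
        # Modelling assumption (not a statement about any real product): every
        # packet arriving on a PBR-enabled interface is evaluated against the
        # policy, and on a software-PBR platform that evaluation runs on the
        # CPU whether or not a clause ends up matching.
        path = "hardware" if (self.pbr_in_hardware or not clauses) else "cpu"
        src = ipaddress.ip_address(pkt.src)
        next_hop = None
        for clause in clauses:
            if src in clause.match_src:
                next_hop = clause.next_hop  # policy overrides the FIB
                break
        if next_hop is None:
            next_hop = self.fib.lookup(pkt.dst)  # fall through to normal LPM
        if next_hop is None:
            path = "drop"
        self.counters[path] += 1
        return next_hop, path


def build_router(pbr_in_hardware):
    """Constructed topology: a default route, one transit prefix, one customer
    prefix, and a PBR clause on the customer-facing interface."""
    fib = Fib({
        "0.0.0.0/0": "upstream-a",
        "198.51.100.0/24": "upstream-b",
        "192.0.2.0/24": "inside",
    })
    policies = {
        "inside": [Policy(ipaddress.ip_network("192.0.2.128/25"), "upstream-b")],
    }
    return Router(fib, policies, pbr_in_hardware)


def run_flood(pbr_in_hardware, flood_packets=1000):
    """Forward one legitimately policy-routed packet plus a constructed flood
    arriving on the PBR-enabled interface; return the per-path counters."""
    router = build_router(pbr_in_hardware)
    router.forward(Packet("inside", "192.0.2.130", "203.0.113.9"))
    for i in range(flood_packets):
        # Constructed flood: sources that do NOT match the policy clause, so
        # the only work PBR adds for them is the evaluation itself.
        router.forward(Packet("inside", f"192.0.2.{i % 128}", "203.0.113.9"))
    return dict(router.counters)


if __name__ == "__main__":
    print("software PBR :", run_flood(False))
    print("hardware PBR :", run_flood(True))
```

Running it with `pbr_in_hardware=False` puts all 1001 packets on the CPU path even though only one of them matched the clause; with `pbr_in_hardware=True` all 1001 stay in hardware. Traffic on an interface with no policy attached is unaffected either way, which is why removing the PBR configuration made David's flood a non-event for the CPU.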


Re: PBR needing to hit the cpu?

2005-09-18 Thread rafi-nanog

On Sat, 17 Sep 2005, Tony Li wrote:

> That's not at all surprising.  PBR would be pretty hard to push into a
> hardware forwarding path.
>
> Not impossible, but certainly challenging.
>
> Tony

Doesn't the SUP-720 (PFC3B) support (some forms of) PBR in hardware?


--
Thanks
Rafi