Re: Using Policy Routing to stop DoS attacks

2003-03-28 Thread Andre Chapuis
We could ask Cisco and Juniper to add a way of 'artificially' removing networks from the CEF table (with an ACL or so). That way, even with loose-RPF, the packet will be dropped based on source-address at the ingress without consuming CPU. Or maybe such a feature already exists. André At 09:06

Re: Using Policy Routing to stop DoS attacks

2003-03-28 Thread Charles H. Gucker
Andre, Actually it already exists. But to do it, you need to ensure you have loose-RPF checking enabled and null-route the network you want the data dropped for. Since a null-route is considered by loose-RPF checking as a bad route, it will drop the data for you. thanks, charles On

Re: Using Policy Routing to stop DoS attacks

2003-03-28 Thread Petri Helenius
With Juniper gear there is no performance difference between what you propose and an ACL, both run at wire rate. So implementing CPU saving measures is a pointless waste of time. Pete We could ask Cisco and Juniper to add a way of 'artificially' remove networks from the CEF table (with an ACL

Re: Using Policy Routing to stop DoS attacks

2003-03-25 Thread Haesu
I dunno how you want to implement this; but as far as I know, the way most people generally do policy routing on cisco thru routemap is they define the source IPs via access-list... Does that make a huge difference than regular access lists? I dunno... I've kinda tested it in the lab with two

Re: Using Policy Routing to stop DoS attacks

2003-03-25 Thread Rafi Sadowsky
## On 2003-03-25 09:06 -0500 Christian Liendo typed: [snip] CL> Depending on the router and the code, if I implement an access-list then the CPU utilization shoots through the roof. CL> What I would like to try and do is use source routing to route that traffic to null. I figured it

Re: Using Policy Routing to stop DoS attacks

2003-03-25 Thread Christian Liendo
At 09:21 AM 3/25/2003 -0500, Haesu wrote: I dunno how you want to implement this; but as far as I know, the way most people generally do policy routing on cisco thru routemap is they define the source IPs via access-list... Does that make a huge difference than regular access lists? I dunno...

Re: Using Policy Routing to stop DoS attacks

2003-03-25 Thread John Kristoff
On Tue, 25 Mar 2003 09:06:01 -0500 Christian Liendo [EMAIL PROTECTED] wrote: I am sorry if this was discussed before, but I cannot seem to find this. I want to use source routing as a way to stop a DoS rather than use access-lists. If you fooled the router into thinking that the reverse path

Re: Using Policy Routing to stop DoS attacks

2003-03-25 Thread Haesu
uRPF will certainly save a bit more CPU cycles than access-lists or policy routing.. it would be interesting to know any kind of 'common practice' ways people use to fool the router so that it will think such offensive source IPs are hitting uRPF. i am not really sure what kind of traffic we are

Re: Using Policy Routing to stop DoS attacks

2003-03-25 Thread fingers
uRPF will certainly save a bit more CPU cycles than access-lists or policy routing.. it would be interesting to know any kind of 'common practice' ways people use to fool the router so that it will think such offensive source IPs are hitting uRPF. null route? even with a loose check, if you

RE: Using Policy Routing to stop DoS attacks

2003-03-25 Thread Jim Deleskie
If you fooled the router into thinking that the reverse path for the source is on another interface and then used strict unicast RPF checking, that may accomplish what you want without using ACLs. I don't know what impact it would have on your CPU however, you'll have to investigate or

Re: Using Policy Routing to stop DoS attacks

2003-03-25 Thread Christopher L. Morrow
On Tue, 25 Mar 2003, Christian Liendo wrote: Looking for advice. I am sorry if this was discussed before, but I cannot seem to find this. I want to use source routing as a way to stop a DoS rather than use access-lists. you can null route it also. In other words, let's say I know the

Re: Using Policy Routing to stop DoS attacks

2003-03-25 Thread Christopher L. Morrow
On Tue, 25 Mar 2003, Haesu wrote: uRPF will certainly save a bit of CPU cycles than access-lists or policy that is HIGHLY dependent on the platform in question. For the stated 'router' (5500+rsm) I'd think the impact would be about the same as for an acl. 7500+RSP or 5500+RSM (which is

RE: Using Policy Routing to stop DoS attacks

2003-03-25 Thread Christopher L. Morrow
On Tue, 25 Mar 2003, Jim Deleskie wrote: If you fooled the router into thinking that the reverse path for the source is on another interface and then used strict unicast RPF checking, that may accomplish what you want without using ACLs. I don't know what impact it would have on

Re: Using Policy Routing to stop DoS attacks

2003-03-25 Thread Haesu
i am not really sure what kind of traffic we are talking about, but if it's around 100Mbits/sec or so bandwidth, TurboACL should do it just fine (around ~20% or lower CPU usage on a 7206VXR with NPE-G1) most likely the pps would kill the 5500 long before the bps :( especially if you

Re: Using Policy Routing to stop DoS attacks

2003-03-25 Thread Jack Bates
Haesu wrote: I dunno how you want to implement this; but as far as I know, the way most people generally do policy routing on cisco thru routemap is they define the source IPs via access-list... Does that make a huge difference than regular access lists? I dunno... I've kinda tested it in