With Juniper gear there is no performance difference between what you propose
and an ACL, both run at wire rate. So implementing "CPU saving measures" is pointless
waste of time.
Pete
>
> We could ask Cisco and Juniper to add a way of 'artificially' remove networks from
> the CEF table (with an
On Fri, 28 Mar 2003, Andre Chapuis wrote:
>
> We could ask Cisco and Juniper to add a way of 'artificially' remove
> networks from the CEF table (with an ACL or so). That way, even with
> loose-RPF, the packet will be dropped based on source-address at the
> ingress without consuming CPU.
Keep
Andre,
Actually it already exists. But to do it, you need
to ensure you have loose-RPF checking enabled and null-route
the network you want the data dropped for. Since a null-route
is considered by loose-RPF checking as a "bad" route, it will
drop the data for you.
thanks,
charles
On
We could ask Cisco and Juniper to add a way of 'artificially' remove networks from the
CEF table (with an ACL or so). That way, even with loose-RPF, the packet will be
dropped based on source-address at the ingress without consuming CPU.
Or maybe such a feature already exist
André
At 09:06 25.0
Haesu wrote:
> I dunno how you want to implement this; but as far as I know, the way
> most people generally do policy routing on cisco thru routemap is
> they define
> the source IP's via access-list... Does that make a huge difference
> than regular access lists? I dunno...
>
> I've kinda tested
> >
> > i am not really sure what kind of traffic we are talking about,
> > but if its around 100Mbits/sec or so bandwidth, TurboACL should do it just
> > fine (around ~20% or lower CPU usage on a 7206VXR with NPE-G1)
>
> most likely the pps would kill the 5500 long before the bps :( especially
>
On Tue, 25 Mar 2003, Jim Deleskie wrote:
> >If you fooled the router into thinking that the reverse path for the
> >source is on another another interface and then used strict unicast RPF
> >checking, that may accomplish what you want without using ACLs. I don't
> >know what impact it would have
On Tue, 25 Mar 2003, Haesu wrote:
>
> uRPF will certainly save a bit of CPU cycles than access-lists or policy
that is HIGHLY dependent on the platform in question. For the stated
'router' (5500+rsm) I'd think the impact would be about the same as for an
acl. 7500+RSP or 5500+RSM (which is pret
On Tue, 25 Mar 2003, Christian Liendo wrote:
>
> Looking for advice.
>
> I am sorry if this was discussed before, but I cannot seem to find this.
> I want to use source routing as a way to stop a DoS rather than use
> access-lists.
you can null route it also.
>
> In other words, lets say I kno
>If you fooled the router into thinking that the reverse path for the
>source is on another another interface and then used strict unicast RPF
>checking, that may accomplish what you want without using ACLs. I don't
>know what impact it would have on your CPU however, you'll have to
>investigat
> uRPF will certainly save a bit of CPU cycles than access-lists or policy
> routing.. it would be intertesting to know any kind of 'common practice'
> ways people use to fool the router so that it will think such offensive
> source IP's are hitting uRPF.
null route? even with a loose check, if y
uRPF will certainly save a bit of CPU cycles than access-lists or policy
routing.. it would be intertesting to know any kind of 'common practice'
ways people use to fool the router so that it will think such offensive
source IP's are hitting uRPF.
i am not really sure what kind of traffic we are
On Tue, 25 Mar 2003 09:06:01 -0500
Christian Liendo <[EMAIL PROTECTED]> wrote:
> I am sorry if this was discussed before, but I cannot seem to find
> this. I want to use source routing as a way to stop a DoS rather than
> use access-lists.
If you fooled the router into thinking that the reverse
At 09:21 AM 3/25/2003 -0500, Haesu wrote:
I dunno how you want to implement this; but as far as I know, the way most
people generally do policy routing on cisco thru routemap is they define
the source IP's via access-list... Does that make a huge difference than
regular access lists? I dunno...
We
## On 2003-03-25 09:06 -0500 Christian Liendo typed:
[snip]
CL>
CL> Depending on the router and the code, if I implement an access-list then
CL> the CPU utilization shoots through the roof.
CL> What I would like to try and do is use source routing to route that traffic
CL> to null. I figured
I dunno how you want to implement this; but as far as I know, the way most
people generally do policy routing on cisco thru routemap is they define
the source IP's via access-list... Does that make a huge difference than
regular access lists? I dunno...
I've kinda tested it in the lab with two 72
Looking for advice.
I am sorry if this was discussed before, but I cannot seem to find this.
I want to use source routing as a way to stop a DoS rather than use
access-lists.
In other words, lets say I know the source IP (range of IPs) of an attack
and they do not change.
If the destination st
17 matches
Mail list logo
