North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: spare swamp space?
Steve, > I too have a similar setup for my network since we as well > run an Efnet irc server, however, CAR really won't do much if > you set it up inside your own network. The smurf will still enter > and saturate your pipes. The best thing to do is to have your upstreams > setup rate-limits on their side of your pipes so the feed coming into your > router is limited before it even hits your router. > > Here is a question though, what kind of CPU drain does rate-limiting cause > on the CPU of the routers running it? I flipped through CCO and couldn't find > any information regarding this... My limited experience is that if you run CEF on the interface concerned, life is bearable. If you don't, it isn't. If you run < 11.1.17?? CA where fast discards and routes to null0 were introduced, life is disastrous. Alex Bligh GX Networks (formerly Xara Networks) > > > Alex Bligh wrote: > > > > servers, one for the outside world and one for our customers only. The > > > public server will be connected via a T1 to a smurf tracing friendly > > > transit provider for external connectivity. This T1 will be used for this > > > > OK, tell me where this falls down. Set up two IP addresses for your > > IRC server on the same machine. On the router upstream from the machine, > > allow only your customers to connect to one IP address, and anyone else > > to connect to the other IP. Now go to your border routers, enable CEF > > and configure something like: > > > > ! impose limits > > access-list 100 permit ip any host public-irc.my.net > > access-list 100 permit ip any host public-irc.my.net > > access-list 101 deny ip any host private-irc.my.net > > ! i/f config for borders > > interface myinterface > > ip access-group 101 in > > rate-limit input access-group 102 512000 512000 512000 conform-action transmit exceed-action drop > > > > Effectively this means that if your public IP gets smurfed, it's b/w > > usage internally on your network is limited. If your private IP gets > > smurfed, it all gets dropped (thinking about it if you made exceptions > > for IRC peering you could do the whole thing on one IP if your customers > > never use border router i/fs). > > > > If you are paying per bit, you'll still pay for smurfs, but they'll have > > to be 45Mb/s in size to cause any real damage. You'll probably find BGP > > flapping up and down as your T1 saturates is more of a problem. > > > > -- > > Alex Bligh > > GX Networks (formerly Xara Networks) > > > > > > -- > \\|// > -(@ @)- > ==========================oOO==(_)==OOo================================= > Steven Nash uin: 9021398 > Cisco Certified Design Specialist em: [email protected] > Network Engineer > Lightning Internet Services LLC > http://www.lightning.net > -=+===================================================================+- > > >
|