North American Network Operators Group

Re: Re[2]: SYN floods (was: does history repeat itself?)
> > I have found that 2500's do not have the processor for even basic filtering
> > when sitting in front of several hundred modems. 4700's on the other hand
> > (and 7200's) have the ability to handle the job with little difficulty.
>
> Really? Is there something special about 2500s as compared to AGSes? Alec
> pointed out to me that my numbers were a bit off, but they're not off by
> that much. How much traffic was there on the 2500 that you were trying to
> use for filtering? And how many ports were in use?

I'm a small enough site to provide some numbers on 2500s.

My border router is a 2514; it checks every incoming packet to be sure the packet doesn't claim to be from my address space, and to be sure they _are_ from my address space, it checks every outgoing packet twice[*], once coming into the router and again on the way out.

A while ago the 5-minute average input data rate was sitting at 230 Kbps and the 5-minute cpu utilization at 25%.

This router also filters all the incoming packets again as they leave out an enet port or the second serial (T1) port. Some packets go through a lot of other filter steps before hitting a rule allowing them into or out of the router. Adding all this filtering doesn't seem to have affected the cpu utilization a whole lot, although it's been a long time since I had all filtering turned off.

[*] Filtering twice lets me delete and rewrite one filter while still being shielded by the other.

Ok, so I waste a lot of cpu - that's part of the point: it's a mere 2500, but I have all this cpu to spare. 230 Kbps isn't much, but it's enough to suggest I'm going to run out of T1 before I run out of cpu.

--
Dick St.Peters, Gatekeeper, Pearly Gateway, Ballston Spa, NY [email protected]
Owner, NetHeaven 518-885-1295/800-910-6671
Albany/Saratoga/Glens Falls/North Creek/Lake Placid/Blue Mountain Lake
First Internet service based in the 518 area code
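The source-address checks described in the message above, and the reason for applying each one twice, can be modelled in a few lines. This is an added example, not part of the original post and not the poster's router configuration; the address block 192.0.2.0/24, the port labels, and all function names are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed value: the post does not give the site's address space.
SITE_NET = ip_network("192.0.2.0/24")

def from_site(src):
    """True if the packet's source address lies in the site's own block."""
    return ip_address(src) in SITE_NET

# Each filter returns True to permit the packet.
def ingress_filter(src):
    # Upstream -> site: drop anything claiming a site source address.
    return not from_site(src)

def egress_filter(src):
    # Site -> upstream: permit only genuine site source addresses.
    return from_site(src)

def forward(src, filters):
    """Permit only if every installed filter on the path permits.
    None models a filter deleted for rewriting (it permits everything)."""
    return all(f(src) for f in filters if f is not None)

def outbound(src, lan_in=egress_filter, wan_out=egress_filter):
    # Checked twice: entering on the LAN port, then leaving on the WAN port.
    return forward(src, [lan_in, wan_out])

def inbound(src, wan_in=ingress_filter, lan_out=ingress_filter):
    # Checked twice: entering on the WAN port, then leaving on the LAN port.
    return forward(src, [wan_in, lan_out])

if __name__ == "__main__":
    # Constructed sample packets (source addresses only).
    print("site host outbound:         ", outbound("192.0.2.10"))
    print("spoofed outbound:           ", outbound("198.51.100.7"))
    print("spoofed, one filter removed:", outbound("198.51.100.7", lan_in=None))
    print("spoofed, both removed:      ", outbound("198.51.100.7", None, None))
    print("inbound claiming site src:  ", inbound("192.0.2.10"))
    print("inbound, one filter removed:", inbound("192.0.2.10", wan_in=None))
```

A spoofed packet only gets through when both filters on its path are absent at the same time, which is the window the double check closes.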