[AusNOG] Cisco 6500 with Sup 720 3BXL - Good routing platform ??
Dobbins, Roland
rdobbins at arbor.net
Mon Sep 20 13:48:06 EST 2010
On Sep 20, 2010, at 7:06 AM, Lincoln Dale wrote:
> where this happens more often than not is in a DDoS attack scenario, where you have lots of small flows from often spoofed sources.
Actually, it's worse than that - the lack of TCP flags means that one can't detect/classify SYN-floods, RST-floods, NULL-floods, and so forth. Can't see dropped traffic, either.
And flow-table exhaustion on EARL7 takes place in completely normal traffic scenarios due to traffic flow-key diversity (source/dest IPs & ports, protocol, input ifindex), not just during DDoS attacks.
6500/7600 NetFlow just isn't up to snuff for production use, unfortunately - never has been to date, won't be until new hardware is available. But of course, EARL8-based N7K NetFlow works quite well.
;>
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Sell your computer and buy a guitar.
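An added example, not from this thread or from any Cisco code: the per-destination flood classification that the missing TCP flags on EARL7 NetFlow records prevent, run over constructed NetFlow v5-style records, plus a count of distinct flow keys (the quantity that fills the flow table). Record field names, the flag bitmask values and the threshold are assumptions.

```python
# Added example (not from the AusNOG thread): classify TCP flood patterns from
# NetFlow v5-style records via the tcp_flags field, and show that records
# without flags (tcp_flags=None here) cannot be classified. All data is constructed.
from collections import Counter, defaultdict

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10   # TCP flag bits

def flood_type(flags):
    """Map a TCP flag bitmask to a flood category, or None if it cannot be told."""
    if flags is None:
        return None                      # exporter did not record flags
    if flags == 0:
        return "NULL"                    # no flags set at all
    if flags & SYN and not flags & ACK:
        return "SYN"                     # bare SYN, no handshake completion
    if flags & RST:
        return "RST"
    return None

def classify(flows, min_flows=50):
    """Return {dst: flood_type} for destinations that receive at least
    min_flows single-packet TCP flows of one flood type (threshold assumed)."""
    per_dst = defaultdict(Counter)
    for f in flows:
        if f["proto"] != 6 or f["packets"] > 1:   # only one-packet TCP flows
            continue
        kind = flood_type(f.get("tcp_flags"))
        if kind:
            per_dst[f["dst"]][kind] += 1
    return {dst: kind for dst, c in per_dst.items()
            for kind, n in c.items() if n >= min_flows}

def flow_keys(flows):
    """Distinct (src, dst, sport, dport, proto, input ifindex) tuples: each
    one occupies a flow-table entry on the exporter regardless of intent."""
    return {(f["src"], f["dst"], f["sport"], f["dport"], f["proto"], f["ifindex"])
            for f in flows}

def make_flows(n, dst, flags, start=1):
    """Constructed records: n one-packet flows from distinct sources to dst:80."""
    return [{"src": f"198.51.100.{start + i}", "dst": dst, "sport": 1024 + i,
             "dport": 80, "proto": 6, "ifindex": 3, "packets": 1,
             "tcp_flags": flags} for i in range(n)]

# 100 bare-SYN flows and 30 RST flows to one host; 60 flows to another host
# exported without flags, as the platform discussed above would do.
SAMPLE_FLOWS = (make_flows(100, "203.0.113.10", SYN)
                + make_flows(30, "203.0.113.10", RST, start=200)
                + make_flows(60, "203.0.113.20", None))

if __name__ == "__main__":
    print(classify(SAMPLE_FLOWS), len(flow_keys(SAMPLE_FLOWS)))
```

Only 203.0.113.10 is classified (as a SYN flood; its 30 RST flows stay under the threshold), while the 60 flagless flows to 203.0.113.20 still consume 60 flow-table entries yet yield no classification.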