[AusNOG] network security Question

Tony Wicks tony at wicks.co.nz
Wed May 21 10:55:43 EST 2014


> If your links are big enough to exhaust your control plane CPU why would you limit ICMP instead of upgrading your control plane CPU to match your link capacity?

Actually, high-end routers (Juniper MX etc.) are certainly not designed to CPU process all the traffic (as ICMP requires). Rate limiting “CPU” traffic between the forwarding plane and the routing plane is absolutely best practice. For example, to cite an older router, the Juniper M20 could easily handle 20G of wirespeed traffic and tens of thousands of firewall rules, but only had a P333 CPU as its “route engine”.
