Re: [spoofing-tf] Preparing for anti-spoofing project at $fooBig carrier

  • To: "Gert Doering" gert@localhost
  • From: "Martin Hannigan" hannigan@localhost
  • Date: Tue, 17 Oct 2006 07:34:53 -0400
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=Ajc/vTZQx9ZcWbTW8B0nzk11U2yJsiPRvX5USfL1Buoa+GYmrBD5CkmwwcsLZ1gX7GD1NUCbEFTW6sbhOzZnj4E9hl+OHDMlnFKRE/jbix8vFenV4V5CWix2UTQi/ywK2SRF7OkPy+m8h2RgF6OyJ0q4fadb1X4JFYgQceF7QDI=

On 10/17/06, Gert Doering gert@localhost wrote:

> At the edge, I'm deploying 6709's with 1gb uplinks. The future is

Woops, 7609's

> obviously 10gb, which these boxes will likely deliver in their 3 to 5
> year life expectancy.
>
> 1. What should I expect performance wise? Im running big iron, but Im more
>   concerned with my legacy little iron, ie 7500 series with 512MB RAM, etc.

... specifically, 650x/760x with Sup720 and activated "uRPF" filtering
will do all the filtering in hardware, with no noticeable impact on
performance.

For "legacy little iron", it depends on how loaded the box really is.  uRPF
is done using the CEF structures (not with ACLs), so it's "fairly cheap",
but it *will* cause extra work for RSP or VIPs - and if you're already
at 95% CPU load, this might be too much.  (But then you should upgrade
anyway...)


I'm going to start with my legacy little iron Wed of next
week. I'm going to take b/w, cpu, and mem. That should be good enough
for the notebook/FAQ as "result".

I should report back sometime then. Thanks.

-M<