Loadsa ICMP...

Edward Henigin ed at texas.net
Wed Aug 13 19:40:05 UTC 1997

	A 7513 with an RSP2 (100MHz MIPS R4700) can process switch
around 3500 packets/sec, by my unofficial testing.  People at Cisco
may respond negatively to my post, but I'll refer them to two cases
I opened with TAC, neither of which were able to raise the ceiling
on how many packets can be process switched.

	Cisco configuration is aimed towards fast-switching as many
packets as possible.  The same box can probably fast switch a couple of
hundred thousand packets/sec or more (I have no idea, I just know it's
a lot) but if you force the box to process switch, YOU WILL KILL IT.
It will start dropping BGP sessions, etc etc, and you're toast.

	One way to force a Cisco to process switch is by sending
it packets that match an ACL deny....  and this latest round of
'smurfing' will send tens of thousands of packets/sec through your

	so access-list filtering is worse than useless, it is
destructive, when combating DoS attacks.

	hence the idea of using policy-routing to filter the

	realize here that doubling (or tripling, or quadrupling) the
CPU power of the Cisco will not help.  Upgrading from an RSP2 to an
RSP4 would buy you about 3 times 3.5Kpps, say around 10Kpps, process
switched.  That's still hardly enough to save you when you're being


On Wed, Aug 13, 1997 at 02:27:43PM -0500, Jon Green said:
> I'm not from a Cisco background, so forgive me, but.. What a strange
> way to configure a router.  You have to configure it in a non-intuitive
> way because the intuitive way will blow up the router?  I guess we should
> be thankful that IOS lets us get around hardware limitations of the box, but
> someone should really teach Cisco a concept called "SMP".  Just an
> observation..
> -Jon
