Hi, I actually have 2 Cisco 7206 and 1 Cisco 7204 VXR routers with 256MB of RAM in each, running IOS 12.3.
The 7204 has an NPE300 processor with an additional FastEthernet card in it. It has a 100Mb/s link from our ISP, which comes in on f0/0, and the LAN side is f1/0.
The router is running BGP with the other two (the other two are on different providers). Now my question is this. We are a datacenter that provides bandwidth for our clients, and sometimes our clients get hit with a DoS/DDoS attack. When that happens our router CPU load hits 100% and our link is saturated. We usually have about 70-80Mb/s outbound and 30Mb/s inbound of traffic on it at any given time.
Recently we put a 2.4GHz FreeBSD transparent bridge firewall in front of the router to help detect and null route an IP, which works quite well.
My question is, however, why does the router CPU load spike to 100% when getting DoS'd, the line traffic drop to like 2-3Mb/s or 0 for out, and the packet rate drop from say 30000 packets/sec per interface to like 5000 packets/sec per interface?
Now I null route the IP: ip route <attacked-ip> 255.255.255.255 Null0
which usually lets good traffic start to flow again, but the router load is still at 90-100%.
When I run show process it doesn't show anything high at all. IP Input is high at 1% and ARP is sometimes at 1%, and BGP Scanner every now and then is 20%, but nothing to keep it pegged at 100%.
If we null route the IP on the firewall box in front of it, then the router load drops back down to the normal 50%.
Can't a Cisco 7206 handle this simple null route?
Last clearing of "show interface" counters 11:42:47
Input queue: 5/75/22/3721 (size/max/drops/flushes); Total output drops: 204
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 18009000 bits/sec, 16208 packets/sec
5 minute output rate 61364000 bits/sec, 12475 packets/sec
943042292 packets input, 3139117190 bytes
I have literally nothing in my configuration either, just basic BGP commands, some gateways for the LAN and that's it. No logging. I do have IP accounting so I can see the IP being attacked, but that's it.
Please any suggestions?!
Tests performed by people other than me indicate that an NPE300 maxes out at anywhere between 100Mbit/s and 350Mbit/s depending on packet size (smaller packets = lower bandwidth, in general).
So if your link-saturating DoS attacks are via small packets, it's not surprising that the router chokes. A null route really doesn't help the router any from a performance standpoint (to my knowledge) -- it still has to route the packet. That there isn't a process in 'show process cpu' that is showing a lot of CPU usage indicates that the CPU usage is due to interrupts, which generally means packet forwarding. See http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00801c2af0.shtml
IP Accounting probably isn't helping things, but I don't know what the performance impact is on the 7200 series. I'm assuming CEF is enabled.
If 100Mbit+ DOS attacks are common enough that this is a major problem, you may want to either upgrade the router or look into some of these dedicated DOS-protection devices that are floating around these days.
DoS attacks are usually once a week. I work for a datacenter and we host IRC servers that do get attacked.
We have another Cisco 7206VXR with a 700MHz CPU engine and it seems to handle a DoS much better.
We are thinking of upgrading to either a GSR 12008 or a Cisco 6508. I'm not sure which way to lean. Basically we are going to have 3-4 1Gb/s providers coming in, and we need a core switch so we can uplink with gigabit fiber to the core switch from our Cisco 5000 switches. We have about 4 of them and a total of 600 servers/clients.
Can the Cisco 6506/9 handle multiple 1Gb/s providers and act like a core switch, and full BGP tables from each provider? I'd also like to do some policy-based routing, as we want certain subnets to go through certain providers only.
I am just unsure which is the better option to take in case of a DoS attack. Can the Cisco 6509 handle it? Normally we just null route the IP that's being DoS'd. I'm not familiar with either of these pieces of equipment; any suggestions or questions you have, please let me know.
(ASCII diagram: three routers, R R R, converging on one core device)
Basically I would combine the core switch + routers into one with the Cisco 6509 for now. Also I'd need to put probably 300 gateways onto it for the clients, as we have a /19 broken up into smaller /29, /28, /27 and /26 subnets.
If all the core switch's links are Ethernet (including the ISP links), I'd probably lean towards a 6509 offhand. But if there will be WAN connections you may have to go with a pure router like a 12000, as they tend to be more WAN-capable relative to layer-3 switches.
A 6509 can easily handle three 1Gbit ISP links. I don't have any hands-on with the 12000 series but I suspect it can as well. You may want to contact Cisco's sales department to help you out with product selection.
Yes. All connectivity is going to be handed off with fiber gigabit or 100Mb/s links to us. I am still not sure how well a 6509 can handle BGP as a "core router", so to speak, with all those providers. Also, for handling a DoS attack, whether it's as good as or better than a GSR 12008.
A 6509 handles BGP with full routing tables just fine. But note that Sup2/MSFC2/PFC2 can *not* handle full routing tables combined with uRPF (ip verify unicast reverse-path). A 6509 is also very good for handling DoS attacks, since packet filtering is done in hardware. With the GSR, packet filtering capabilities vary depending on the type of line cards you use.
Is ip verify unicast reverse-path very important?
I'll try to find out what it means exactly. I am leaning towards the 6509 solution since it seems a bit cheaper than going with a GSR for the amount of gigabit ports I will need. Also the advantages of using it as a core switch seem really good.
Would a Supervisor Engine 1A PFC MSFC2 be enough to handle the L2/L3 routing and switching I need? Or would I need a Supervisor Engine 2 Policy Feature Card 2 (PFC2) Multilayer Switch Feature Card 2 (MSFC2)?
Reverse-path forwarding is more important for ISP routers than anything else. It's one of the more elaborate methods of helping to prevent the forwarding of packets with spoofed source addresses. In a data center environment you can generally get away with standard ACLs to accomplish this.
It sounds like your primary concern with a 6509 is going to be your desire to have the device accept full BGP tables from 4 providers. I doubt a Sup1A could handle this (128MB of memory max) -- you'll probably want a Sup2 at least, with 256MB of memory. But depending on what your network's expected growth is over the next few years, a Sup720 might at least be worth considering.
Ya, I just realized the Sup1A limit for memory, so it wouldn't handle the BGP from 4 providers. So Sup2 looks like it. The location I am in won't have more than probably 5-6Gb/s of connectivity. Ya, I was thinking of using access lists to permit only traffic that's sourced from or destined for our network to eliminate spoofing.
Thank you all for your information. It is really helping me decide. So far looks like 6500 is in the lead! :)
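As an added illustration (not a config posted by anyone in this thread), here is how the pieces discussed above fit together in IOS syntax: the Null0 blackhole for the attacked host, the "standard ACL" anti-spoofing approach suggested for a data centre, and uRPF as the alternative to it. Interface names f0/0 (ISP side) and f1/0 (LAN side) come from the original post; 203.0.113.0/19 and 203.0.113.77 are placeholders standing in for the poster's /19 and the attacked address.

```cisco
! Added example; placeholders, not the poster's real addresses.
! 203.0.113.0 0.0.31.255 stands in for the /19, 203.0.113.77 for the
! host under attack.
!
! CEF keeps forwarding in the fast path (the reply above assumes it is on).
ip cef
!
! Static blackhole for the attacked host. IOS takes a dotted mask and
! the interface name "Null0", not "/32 null 0".
ip route 203.0.113.77 255.255.255.255 Null0
!
! Anti-spoofing with plain ACLs on the ISP-facing interface:
!  - inbound: a packet claiming to come from our own block cannot
!    legitimately arrive from the provider, so drop it; otherwise only
!    admit traffic destined to our block.
!  - outbound: only let packets sourced from our block leave.
ip access-list extended FROM-ISP
 deny   ip 203.0.113.0 0.0.31.255 any
 permit ip any 203.0.113.0 0.0.31.255
!
ip access-list extended TO-ISP
 permit ip 203.0.113.0 0.0.31.255 any
!
interface FastEthernet0/0
 description ISP uplink
 ip access-group FROM-ISP in
 ip access-group TO-ISP out
!
! Strict uRPF on the same interface does the source check against the
! routing table instead of a hand-written ACL. The thread notes that a
! Sup2/PFC2 cannot combine it with full BGP tables, so treat it as an
! either/or with the FROM-ISP deny line above.
! interface FastEthernet0/0
!  ip verify unicast reverse-path
!
! Both ACLs carry the usual implicit "deny any" at the end, so anything
! not matched by a permit line is dropped.
```

Watch the Null0 route and strict uRPF together: once 203.0.113.77 is blackholed, packets sourced from that address also fail the reverse-path check on f0/0, which is fine while it is under attack but must be remembered when the route is removed.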