Juniper denial of service attacks...
Hi All,

I have been told that Juniper routers are much better at handling denial of service attacks than Cisco 7206VXRs. Is Juniper better in any other ways with regards to security?

Thanks Martin.
Juniper denial of service attacks... [ In reply to ]
On Wed, 7 Jan 2004, Martin Robinson wrote:
> I have been told that Juniper routers are much better at handling
> denial of service attacks than Cisco 7206VXRs

Even a 7500 is better at handling a DOS attack.

> Is Juniper better in any other ways with regards to security?

Answer: yes
Juniper denial of service attacks... [ In reply to ]
On Jan 7, 2004, at 7:02 PM, Tom (UnitedLayer) wrote:

> On Wed, 7 Jan 2004, Martin Robinson wrote:
>> I have been told that Juniper routers are much better at handling
>> denial of service attacks than Cisco 7206VXRs
>
> Even a 7500 is better at handling a DOS attack.
>
>> Is Juniper better in any other ways with regards to security?
>
> Answer: yes

Do tell....?

[i.e., not that I agree or disagree, but you should
qualify your responses]

-danny
Juniper denial of service attacks... [ In reply to ]
On Wed, 7 Jan 2004, Danny McPherson wrote:
> On Jan 7, 2004, at 7:02 PM, Tom (UnitedLayer) wrote:
> >> Is Juniper better in any other ways with regards to security?
> >
> > Answer: yes
>
> Do tell....?
>
> [i.e., not that I agree or disagree, but you should qualify your
> responses]

I was being about as specific as the requestor.

In general I've seen Junipers handle high PPS volumes much better than
Cisco gear. In fact, I've recently experienced an issue with a C6509+MSFC2
where it couldn't handle a 120 Kpps DoS attack. I would expect those
problems from a 7500, so I can't really think Cisco's 7600 platform is
that much more spectacular.

The GSRs are OK, but frankly an M5 blows them out of the water.
You can barely filter on a GSR...
Juniper denial of service attacks... [ In reply to ]
> In general I've seen Junipers handle high PPS volumes much better than
> Cisco gear. In fact, I've recently experienced an issue with a C6509+MSFC2
> where it couldn't handle a 120 Kpps DoS attack. I would expect those
> problems from a 7500, so I can't really think Cisco's 7600 platform is
> that much more spectacular.

It all depends on how you configure the 6500/7600 (it's the same box,
really). It does packet filtering and policing in hardware, but traffic
to the interface addresses on the box gets handled by the MSFC2. So you
need to limit/block (as appropriate) traffic to the interface addresses;
this is *not* done automatically.

At my previous employer we saw DoS attacks of much more than 120 kpps
fairly regularly, and the 6509s handled it with no sweat.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
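One way to do what Steinar describes, as an added example that is not from the thread: an inbound interface ACL on the 6500 that permits only the expected traffic to the router's own addresses and drops the rest in hardware before it can be punted to the MSFC2, while leaving transit traffic untouched. All addresses (interface, BGP peer, loopback, management prefix) are placeholders.

```cisco
! Added example, not from the thread. Placeholder addresses:
!   192.0.2.1      = this interface      192.0.2.2      = BGP peer
!   192.0.2.254    = router loopback     198.51.100.0/24 = management network
ip access-list extended PROTECT-ROUTER
 remark --- Traffic addressed to the router itself: allow only what is expected ---
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.254 eq 22
 permit udp 198.51.100.0 0.0.0.255 host 192.0.2.254 eq snmp
 permit icmp any host 192.0.2.1 echo
 permit icmp any host 192.0.2.1 unreachable
 permit icmp any host 192.0.2.1 ttl-exceeded
 remark --- Anything else aimed at the router's addresses is dropped by the PFC ---
 deny ip any host 192.0.2.1
 deny ip any host 192.0.2.254
 remark --- Transit traffic is not affected by this ACL ---
 permit ip any any
!
interface GigabitEthernet1/1
 ip address 192.0.2.1 255.255.255.252
 ip access-group PROTECT-ROUTER in
```

The deny entries must cover every address the box owns (loopbacks included), since those are reachable through any interface, and the `log` keyword should be left off them: logged packets are punted to the MSFC, which reintroduces the very problem the filter is meant to avoid.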
Juniper denial of service attacks... [ In reply to ]
On Sat, 10 Jan 2004 sthaug@nethelp.no wrote:
> It does packet filtering and policing in hardware, but traffic to the
> interface addresses on the box gets handled by the MSFC2. So you need to
> limit/block (as appropriate) traffic to the interface addresses; this is
> *not* done automatically.

I was under the impression that you needed the Sup720 to have it handled
in HW. I'm not

> At my previous employer we saw DoS attacks of much more than 120 kpps
> fairly regularly, and the 6509s handled it with no sweat.

I sure wish someone would tell this particular transit provider of mine
how to do that then :) They have a lot of their network built with J
boxes, but at this one problem pop, they have a 6509...
Juniper denial of service attacks... [ In reply to ]
Comparing a 6509 and a Juniper router is a somewhat interesting task.
*Very* different beasts.

While this may be entirely off-topic for the juniper-nsp list, I
thought I'd let you know a bit about the 6509 and how it does layer-3
forwarding.

The 6500 (depending on hardware configuration) can perform a few
different types of layer-3 forwarding.

Here's part of your matrix:

MSFC - MSFC (1, 2, 3)
Supervisor - Sup1, Sup1A, Sup2, Sup3 (aka Sup720)
PFC - PFC, PFC2, PFC3A, PFC3B (not sure if it's released yet)

There are also some linecard features available, including:
DFC (distributed feature card) and a PoE choice for those that are
using rj-45 or rj-21 connectors to the stations/endpoints.

The 6500 does MLS (multi-layer switching) in most configurations.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008019f026.html

provides some information on MLS for you. This varies between sup
revisions as well.

Here are some documents on the MLS for the Sup1 and Sup2:

Sup1:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_guide_chapter09186a008007f49e.html
Sup2:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/121_8aex/swconfig/cef.htm

If you have more detailed questions about the cat6k performance as a
layer-3 router you might want to ask on the cisco-nsp list.

- Jared

On Jan 10, 2004, at 7:31 PM, Tom (UnitedLayer) wrote:

> On Sat, 10 Jan 2004 sthaug@nethelp.no wrote:
>> It does packet filtering and policing in hardware, but traffic to the
>> interface addresses on the box gets handled by the MSFC2. So you need
>> to limit/block (as appropriate) traffic to the interface addresses;
>> this is *not* done automatically.
>
> I was under the impression that you needed the Sup720 to have it
> handled in HW. I'm not
>
>> At my previous employer we saw DoS attacks of much more than 120 kpps
>> fairly regularly, and the 6509s handled it with no sweat.
>
> I sure wish someone would tell this particular transit provider of mine
> how to do that then :) They have a lot of their network built with J
> boxes, but at this one problem pop, they have a 6509...
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
Juniper denial of service attacks... [ In reply to ]
On Jan 10, 2004, at 11:50 AM, Tom (UnitedLayer) wrote:

> On Wed, 7 Jan 2004, Danny McPherson wrote:
>> On Jan 7, 2004, at 7:02 PM, Tom (UnitedLayer) wrote:
>>>> Is Juniper better in any other ways with regards to security?
>>>
>>> Answer: yes
>>
>> Do tell....?
>>
>> [i.e., not that I agree or disagree, but you should qualify your
>> responses]
>
> I was being about as specific as the requestor.
>

--snip--

> The GSRs are OK, but frankly an M5 blows them out of the water.
> You can barely filter on a GSR...
>
>

This does depend highly on IOS revision, linecard revision, features
currently in use...
Juniper denial of service attacks... [ In reply to ]
On Sun, 11 Jan 2004, Christopher Morrow wrote:

> > The GSRs are OK, but frankly an M5 blows them out of the water.
> > You can barely filter on a GSR...
> >
>
> This does depend highly on IOS revision, linecard revision, features
> currently in use...

AHA! Are you saying that comparing the GSR and the associated technology of
when it came out 5 years ago (old 12.0, engine-0) with an M5 is not a
reasonable comparison?
Juniper denial of service attacks... [ In reply to ]
Alex Rubenstein writes:
>
>
>On Sun, 11 Jan 2004, Christopher Morrow wrote:
>
>> > The GSRs are OK, but frankly an M5 blows them out of the water.
>> > You can barely filter on a GSR...
>> >
>>
>> This does depend highly on IOS revision, linecard revision, features
>> currently in use...
>
>
>AHA! Are you saying that comparing the GSR and the associated technology of
>when it came out 5 years ago (old 12.0, engine-0) with an M5 is not a
>reasonable comparison?

None of these comparisons are reasonable. All of them are dependent
on many factors that haven't been outlined in any of the emails. Can
we drop it now?

-Hank
Juniper denial of service attacks... [ In reply to ]
On Jan 11, 2004, at 6:42 AM, Alex Rubenstein wrote:

>
>
> On Sun, 11 Jan 2004, Christopher Morrow wrote:
>
>>> The GSRs are OK, but frankly an M5 blows them out of the water.
>>> You can barely filter on a GSR...
>>>
>>
>> This does depend highly on IOS revision, linecard revision, features
>> currently in use...
>
>
> AHA! Are you saying that comparing the GSR and the associated technology of
> when it came out 5 years ago (old 12.0, engine-0) with an M5 is not a
> reasonable comparison?
>
Sure... you could say that, though 5 years ago was there an OC-12 card
available for the GSR? Or just OC-3? Stable 12.0 release then?

The E0 cards will filter 'fine' with 12.0, and OC-3 or OC-12 ATM cards
seem to filter 'ok', not to the detail of an M5, but that wasn't out 5
years ago either...

Apples != Oranges, but Alex already knew that, I suspect. My point was
just that if you see an M5 today and a 'current' 12000 platform with
'current' cards you can make a fairly close comparison for this space
(DoS attack filtering)...

-Chris
Juniper denial of service attacks... [ In reply to ]
Hi,

The bottom line is, from my experience, regardless of
configuration, cards you installed in the box or JUNOS version, a Juniper
box can easily discard large amounts of traffic without fear of it 'doing a
Cisco'.

cheers,
Rob

At 07:41 11/01/2004 +0000, Christopher Morrow wrote:

>On Jan 11, 2004, at 6:42 AM, Alex Rubenstein wrote:
>
>>
>>
>>On Sun, 11 Jan 2004, Christopher Morrow wrote:
>>
>>>>The GSRs are OK, but frankly an M5 blows them out of the water.
>>>>You can barely filter on a GSR...
>>>
>>>This does depend highly on IOS revision, linecard revision, features
>>>currently in use...
>>
>>
>>AHA! Are you saying that comparing the GSR and the associated technology of
>>when it came out 5 years ago (old 12.0, engine-0) with an M5 is not a
>>reasonable comparison?
>Sure... you could say that, though 5 years ago was there an OC-12 card
>available for the GSR? Or just OC-3? Stable 12.0 release then?
>
>The E0 cards will filter 'fine' with 12.0, and OC-3 or OC-12 ATM cards seem
>to filter 'ok', not to the detail of an M5, but that wasn't out 5 years
>ago either...
>
>Apples != Oranges, but Alex already knew that, I suspect. My point was just
>that if you see an M5 today and a 'current' 12000 platform with 'current'
>cards you can make a fairly close comparison for this space (DoS attack
>filtering)...
>
>-Chris
>

_________________________________________________________________

Rob Walton - Network engineer
DANTE
Francis House, 112 Hills Road, Cambridge CB2 1PQ, United Kingdom
Tel +44 1223 302 992   Fax +44 1223 303 005
_________________________________________________________________