  1. #1
    Join Date
    Sep 2001
    Location
    New York, NY
    Posts
    159

    New Switch - With Bandwidth Management down to 1Mbps increments

    Greetings,

    I have been looking for a new switch to use that has a few features that ProCurve switches do not have, namely port bandwidth management that lets me control bandwidth in megabit increments. Plus, anti-DoS features would be nice as well.

    I know that Extreme Networks has those features in 24/48-port 1U form factors, but I am looking for feedback from others who know of other switches that have that feature as well. Your input is appreciated.

  2. #2
    Join Date
    Nov 2001
    Location
    Atlanta, GA
    Posts
    632
    Stopping DOS/DDOS attacks is something you want to do as high up in the network chain as possible. You don't want to be doing that at the switch level. Ideally, you'd have some sort of device that operates on every incoming bit of network connectivity before it goes out to your servers.

    Ciscos obviously do the rate limiting you need, though. Not sure about others out there, since there's never really been a feature I've needed.
    Former owner of A Small Orange
    New owner of <COMING SOON>

  3. #3
    Join Date
    Sep 2001
    Location
    New York, NY
    Posts
    159
    Quote Originally Posted by timdorr
    Stopping DOS/DDOS attacks is something you want to do as high up in the network chain as possible. You don't want to be doing that at the switch level. Ideally, you'd have some sort of device that operates on every incoming bit of network connectivity before it goes out to your servers.

    Ciscos obviously do the rate limiting you need, though. Not sure about others out there, since there's never really been a feature I've needed.
    Actually, I'm not worried about incoming DoS. It is more of outbound traffic from the servers themselves, not inbound, hence the comment about the anti-DoS part.

  4. #4
    Join Date
    Apr 2005
    Location
    Seattle, WA
    Posts
    221
    Quote Originally Posted by elik
    Actually, I'm not worried about incoming DoS. It is more of outbound traffic from the servers themselves, not inbound, hence the comment about the anti-DoS part.
    A nice way to handle that is an ACL on each port denying all outbound traffic NOT originating from the VLAN it's assigned to. That will at the very least prevent spoofed attacks. That way if a machine on your network does become compromised, at least you'll get an abuse@ mail / phone call saying 'Please stop attacking me!!'
    Anthony M. Faoro II - tmf [at] adtaq.com - (425) 444-8787 ex 7000
    Seattle Colocation @ Adtaq Internet | Seattle, WA | Be Happy!
    AIM TonyAdtaq | GTalk tmf [at] adtaq.com
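As an added illustration of the per-port anti-spoofing ACL described in this post (configuration written here as an example, not the poster's own; Cisco IOS port-ACL syntax and the 192.0.2.0/24 and 198.51.100.0/24 VLAN prefixes are assumptions, not anything from the thread):

```text
! Constructed example: one ACL per VLAN, applied inbound on each server-facing
! access port, so the only source addresses that can leave a port are the ones
! belonging to the VLAN that port is assigned to. Everything else is dropped.
! Assumed addressing: VLAN 10 = 192.0.2.0/24, VLAN 20 = 198.51.100.0/24.
ip access-list extended VLAN10-ANTISPOOF
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any
!
ip access-list extended VLAN20-ANTISPOOF
 permit ip 198.51.100.0 0.0.0.255 any
 deny   ip any any
!
! "in" is from the switch's point of view: frames arriving from the server.
interface FastEthernet0/1
 description dedicated server - VLAN 10
 switchport mode access
 switchport access vlan 10
 ip access-group VLAN10-ANTISPOOF in
!
interface FastEthernet0/2
 description dedicated server - VLAN 20
 switchport mode access
 switchport access vlan 20
 ip access-group VLAN20-ANTISPOOF in
!
! Check: the deny line's match counter climbing on a port is the signal that a
! host behind it is emitting spoofed-source traffic.
!   show ip access-lists VLAN10-ANTISPOOF
```

The deny entries deliberately omit the `log` keyword: logged ACL hits are punted to the switch CPU, which under a flood of spoofed packets would create exactly the overload this thread goes on to discuss, whereas the hardware match counters cost nothing.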

  5. #5
    Join Date
    Nov 2005
    Location
    Minneapolis, MN
    Posts
    1,648
    Any requirements to run a routing protocol, or just static routes? Total bandwidth/throughput requirements? Target price range?

    Eric
    Eric Spaeth
    Enterprise Network Engineer :: Hosting Hobbyist :: Master of Procrastination
    "The really cool thing about facts is they remain true regardless of who states them."

  6. #6
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,571
    Recommendations for budget-priced Ciscos would be the 2950 (enterprise software) and the 2948-L3 if you need more port density. Both have Gig-E uplinks and layer 3 capability including rate limiting.

    If budget is less of an issue, I would recommend the 3750 for new installations.
    Fast Serv Networks, LLC | AS29889 | Fully Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  7. #7
    Join Date
    Sep 2001
    Location
    New York, NY
    Posts
    159

    Requirements

    Quote Originally Posted by spaethco
    Any requirements to run a routing protocol, or just static routes? Total bandwidth/throughput requirements? Target price range?

    Eric

    Basically, I am going to be using a distribution switch, which the edge switches will be hooked into, and those edge switches are what I am looking for. As for bandwidth, usually 50Mbps to 100Mbps per switch for the deds, with a VLAN-assigned network from the upstream provider.

    To be honest, I tend to stay away from Cisco switches. Not that they are overpriced, but I know they tend to be a little underpowered in some cases. I found the HP ProCurve 3900CL switches, which seem to fit what I am looking for, which is nice.

  8. #8
    Join Date
    Apr 2005
    Location
    Seattle, WA
    Posts
    221
    Quote Originally Posted by elik
    To be honest, I tend to stay away from Cisco switches. Not that they are overpriced, but I know they tend to be a little underpowered in some cases. I found the HP ProCurve 3900CL switches, which seem to fit what I am looking for, which is nice.
    Err... Cisco switches aren't underpowered; not even a little bit. Routers might be under the bar compared to Juniper stuff, but when it comes to pure packet pushing, Cisco is great.
    Anthony M. Faoro II - tmf [at] adtaq.com - (425) 444-8787 ex 7000
    Seattle Colocation @ Adtaq Internet | Seattle, WA | Be Happy!
    AIM TonyAdtaq | GTalk tmf [at] adtaq.com

  9. #9
    Join Date
    Apr 2005
    Location
    Jacksonville, FL
    Posts
    977
    Quote Originally Posted by TonyAdtaq
    Err... Cisco switches aren't underpowered; not even a little bit.
    It sounds like you've never had a Cisco hit by DoS

    Now selling BigVPS's!
    Jacksonville Colocation and dedicated servers by colo4jax
    We are *not* a reseller. We own our servers, switches, routers and racks.

  10. #10
    Join Date
    Nov 2005
    Location
    Minneapolis, MN
    Posts
    1,648
    Quote Originally Posted by TonyAdtaq
    Err... Cisco switches aren't underpowered; not even a little bit.
    That really depends upon your point of reference. Cisco marketing, just like any other network hardware marketing department, tends to publish aggregate numbers or best-case traffic scenarios for their products. For example, the 6509 with SUP720s is advertised as a 720gig chassis (which sounds really impressive!). That's a composite number based on the chassis having dual crossbars, 6700-series fabric-enabled line cards having a 20G attachment per crossbar (40G per slot), and all 9 slots being populated with some type of forwarding engine so that traffic doesn't have to hit the supervisors. 9 slots x 40G per slot = 360gig. That's a full-duplex attachment, however, so they add the TX and RX channels to yield 720gig. The marketing numbers are based on real data but are often unachievable in real-world deployments, which is why people say that Cisco devices are underpowered. If you are aware the numbers are unrealistic up front, it's much less of an issue.

    You do pay a premium to get network hardware with a bridge logo on it. Like any company they have strengths and weaknesses within their product lines, and therefore there are cases where it makes sense for Cisco to be your 2nd, 3rd, or sometimes even 4th choice. Low bandwidth (under a few gigabit), low density (<= 48 ports) switching is a commodity market, and Cisco holds no clear advantage in that space. Unless you want to stay vendor-consistent for supportability reasons or are getting fire-sale pricing, there's really no reason to go Cisco for that particular class of product.

    For the OP, product selection is going to depend on how fancy you want to get with rate limiting. If you just want to do raw Ethernet frame limiting then just about any switch with the feature will do. If you want to do more intelligent traffic shaping to help eliminate the effects of TCP tail-drop and other flow limiting concerns, then Cisco might actually present some compelling features.

    Eric
    Eric Spaeth
    Enterprise Network Engineer :: Hosting Hobbyist :: Master of Procrastination
    "The really cool thing about facts is they remain true regardless of who states them."

  11. #11
    Join Date
    Apr 2005
    Location
    Seattle, WA
    Posts
    221
    Quote Originally Posted by tical
    It sounds like you've never had a Cisco hit by DoS
    I'm talking about switching, not routing.
    Anthony M. Faoro II - tmf [at] adtaq.com - (425) 444-8787 ex 7000
    Seattle Colocation @ Adtaq Internet | Seattle, WA | Be Happy!
    AIM TonyAdtaq | GTalk tmf [at] adtaq.com

  12. #12
    Join Date
    Jun 2001
    Location
    Denver, CO
    Posts
    3,301
    Quote Originally Posted by TonyAdtaq
    I'm talking about switching, not routing.
    If you set up ACLs in your distribution switches (something like a 3550), they will fall flat on themselves during a DDoS.
    Jay Sudowski // Handy Networks LLC // Co-Founder & CTO
    AS30475 - Level(3), HE, Telia, XO and Cogent. Noction optimized network.
    Offering Dedicated Server and Colocation Hosting from our SSAE 16 SOC 2, Type 2 Certified Data Center.
    Current specials here. Check them out.

  13. #13
    Join Date
    Apr 2005
    Location
    Jacksonville, FL
    Posts
    977
    Quote Originally Posted by TonyAdtaq
    I'm talking about switching, not routing.
    Nothing seems to be "underpowered" when it comes to L2 switching.
    Last edited by tical; 09-01-2006 at 01:07 AM.

    Now selling BigVPS's!
    Jacksonville Colocation and dedicated servers by colo4jax
    We are *not* a reseller. We own our servers, switches, routers and racks.

  14. #14
    Join Date
    Apr 2005
    Location
    Jacksonville, FL
    Posts
    977
    Quote Originally Posted by Jay Suds
    If you set up ACLs in your distribution switches (something like a 3550), they will fall flat on themselves during a DDoS.
    3550s will fall over even if you don't have ACLs. I believe the problem is TCAM interrupt starvation. I believe this to be the reason those switches seem to do fine with DoS traffic that isn't bigger than the port, but suffer horribly if there's more traffic than the port can queue for output.

    Now selling BigVPS's!
    Jacksonville Colocation and dedicated servers by colo4jax
    We are *not* a reseller. We own our servers, switches, routers and racks.

  15. #15
    Join Date
    Jun 2001
    Location
    Denver, CO
    Posts
    3,301
    Quote Originally Posted by tical
    3550s will fall over even if you don't have ACLs. I believe the problem is TCAM interrupt starvation. I believe this to be the reason those switches seem to do fine with DoS traffic that isn't bigger than the port, but suffer horribly if there's more traffic than the port can queue for output.
    This is entirely possible. The largest amount of DDoS we've seen go through our 3550s is about 900Mb/sec. They really handled this just fine, but then again we don't have any ACLs setup. The ACLs go in the Junipers.
    Jay Sudowski // Handy Networks LLC // Co-Founder & CTO
    AS30475 - Level(3), HE, Telia, XO and Cogent. Noction optimized network.
    Offering Dedicated Server and Colocation Hosting from our SSAE 16 SOC 2, Type 2 Certified Data Center.
    Current specials here. Check them out.

  16. #16
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,571
    I would not be too concerned with a Cisco falling over before a comparable HP would. If you're not doing BGP or ACLs, which I don't think you are, there will be no issues with just about any recent model with enough port speed to forward the DDoS. The ASICs will handle it and the CPU won't even get touched.
    Fast Serv Networks, LLC | AS29889 | Fully Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  17. #17
    Join Date
    Apr 2005
    Location
    Jacksonville, FL
    Posts
    977
    Quote Originally Posted by FastServ
    I would not be too concerned with a Cisco falling over before a comparable HP would. If you're not doing BGP or ACLs, which I don't think you are, there will be no issues with just about any recent model with enough port speed to forward the DDoS. The ASICs will handle it and the CPU won't even get touched.
    Yep; no CPU involvement whatsoever. Yet they still fall over.

    You're not required to believe me though; continue to be wise in your own conceits as you wish.

    Now selling BigVPS's!
    Jacksonville Colocation and dedicated servers by colo4jax
    We are *not* a reseller. We own our servers, switches, routers and racks.

  18. #18
    Join Date
    Oct 2000
    Posts
    1,653
    Quote Originally Posted by tical
    3550s will fall over even if you don't have ACLs. I believe the problem is TCAM interrupt starvation. I believe this to be the reason those switches seem to do fine with DoS traffic that isn't bigger than the port, but suffer horribly if there's more traffic than the port can queue for output.
    Do any of the newer model Ciscos fix this problem?
    [QuickPacket™] [AS46261]
    Located in Atlanta, GA and Los Angeles, CA
    Dedicated Servers, KVM, Xen & OpenVZ VPS, Co-location, R1Soft Data Backup, Shared & Reseller Hosting

  19. #19
    Join Date
    Jun 2001
    Location
    Denver, CO
    Posts
    3,301
    Quote Originally Posted by QuickPacket
    Do any of the newer model Ciscos fix this problem?
    In reality, I don't see this as a big issue unless you are using your 3550s on your network edge. If you're using them as they should be used -- distribution switches -- you would be filtering a 1Gb/sec+ attack at your edge or at your upstream.
    Jay Sudowski // Handy Networks LLC // Co-Founder & CTO
    AS30475 - Level(3), HE, Telia, XO and Cogent. Noction optimized network.
    Offering Dedicated Server and Colocation Hosting from our SSAE 16 SOC 2, Type 2 Certified Data Center.
    Current specials here. Check them out.

  20. #20
    Join Date
    Apr 2005
    Location
    Jacksonville, FL
    Posts
    977
    Quote Originally Posted by QuickPacket
    Do any of the newer model Ciscos fix this problem?
    I can't comment on newer Ciscos as I don't have any.

    Quote Originally Posted by jay suds
    In reality, I don't see this as a big issue unless you are using your 3550s on your network edge. If you're using them as they should be used -- distribution switches -- you would be filtering a 1Gb/sec+ attack at your edge or at your upstream.
    Agreed.

    That being said, "as they should be used" is very vague and subject to interpretation. If you believe Cisco's specs, you'd think line-rate filtering is no problem provided that your ACL is hardware-compatible; obviously not so.

    Now selling BigVPS's!
    Jacksonville Colocation and dedicated servers by colo4jax
    We are *not* a reseller. We own our servers, switches, routers and racks.

  21. #21
    Join Date
    Nov 2005
    Location
    Minneapolis, MN
    Posts
    1,648
    Quote Originally Posted by qps
    Do any of the newer model Ciscos fix this problem?
    It's more a function of product class than age. Cisco's profits are mainly derived from producing products for two groups: enterprises and carriers. Carriers are extreme high-capacity / multi-circuit transport, and enterprise has two main classifications: data center and field office.

    The 3550 fits into the "field office" category as a wiring-closet layer 3 switch. Its primary role is to aggregate 24 (or 48) ports of standard end-user office traffic. In general, dedicated hosting isn't going to be too different from your average user community traffic loading (i.e., some ports are idle, some are used in bursts, and others hammer away at the network 24x7). When it comes to functions like 1Gbps+ DoS mitigation, that's really something that comes from their "data center" class devices, and even there it's not their specialty. Public Internet transport has a much greater focus with Juniper, and that's why they typically outshine Cisco in Internet-specific issues like DoS mitigation.

    Outside of virus activity, DoS traffic is extremely rare in the enterprise environment. Cisco's strategy in the enterprise space is to trap close to the edge, using PC technologies like the Cisco Security Agent or Flexible Packet Matching ACLs with centrally deployable updates to allow filtering of specific threats at the edge. They're basically trying to stop the traffic before it becomes big and unmanageable.

    So it's really not an issue of the 3550 being broken, but rather of it being put in situations (i.e., large DoS attacks) that it was not designed to deal with.
    Eric Spaeth
    Enterprise Network Engineer :: Hosting Hobbyist :: Master of Procrastination
    "The really cool thing about facts is they remain true regardless of who states them."
