From owner-freebsd-net Sun May 31 21:06:48 1998
Message-ID: <19980531230640.52576@futuresouth.com>
Date: Sun, 31 May 1998 23:06:40 -0500
From: Tim Tsai
To: net@FreeBSD.ORG
Subject: router performance

Can I expect a FreeBSD-based router (say, Pentium Pro 180 with 64-128 megs
of RAM) to do the following reasonably well?

1) Route 2-4 T1's worth of traffic (judging from the recent fastforward
   thread I don't think this is a problem)
2) run BGP
3) do *extensive* inbound packet filtering (anti-spoofing, no broadcasts,
   etc.).
4) talk to the rest of the LAN through an ethernet interface

Our Cisco 3640 with a Mips R4700/100MHz is choking routinely with two T1's
during periods of DoS attacks. It's quite capable of routing the traffic
but the packet filtering is eating up all the CPU. Throw in ip accounting
(which is only needed *during* an attack) and you can forget about any
response.

Thanks,
Tim