08-12-2016 05:17 AM
We use an ICX 7750 switch for BGP and we want to protect against DDOS attacks, so our ISPs want to know: do ICX 7750s allow asymmetric traffic? If so, how do we do this?
08-12-2016 07:13 AM
Do you mean Symmetrical routing? Or Asymmetrical routing?
In general, you don't want TCP traffic flow to use an asymmetrical path (Source to Destination 1 path, Destination to Source uses a different path).
Brocade devices support both; it will depend on the routing tables of your core and internet routers/switches as well as how you are advertising your ASN to your internet provider.
What exactly are you trying to do? Protect yourself against DDOS? The internet provider trying to protect themselves against DDOS?
08-12-2016 08:56 AM
I mean asymmetrical routing. Our ISP protects against DDOS attacks. They want us to create a sub-interface and allow asymmetrical routing.
If they are attacked, the ISP uses the sub-interface to defend against the attack. How can I allow asymmetrical routing in ICX 7750s? Can you help us?
08-12-2016 09:13 AM
By default the ICX7750 and most routers will allow asymmetrical routing. Since routing is generally a hop by hop process with each router making its own decision as to how to forward traffic there is no guarantee of symmetry. This is especially true where the Internet is involved as there are so many more parties involved in the forwarding of traffic and if you have two entry/exit points there is absolutely no guarantee that traffic entering the network will follow the same (reverse) path as the traffic took leaving the network.
Asymmetrical routing does not usually cause any problems to routers as they are stateless.
Asymmetry can pose problems for firewalls and similar devices that hold state. E.g. a TCP SYN may go out of one firewall but the returning SYN ACK may come in through another firewall. In this case the second firewall does not hold any state for the original connection request and will drop the SYN ACK. This is usually overcome by making sure that firewalls are deployed as HA pairs and hence will share session state.
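The failure mode described in the post above, as an added example that is not part of the original thread: a minimal Python model of two stateful firewalls, first with separate session tables and then as an HA pair sharing one. The firewall names, addresses and state labels are constructed for illustration and do not represent any vendor's implementation.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("192.0.2.0/24")  # constructed inside prefix

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"

class StatefulFirewall:
    def __init__(self, name, sessions=None):
        self.name = name
        # An HA pair is modelled by handing both members the same dict.
        self.sessions = {} if sessions is None else sessions

    def process(self, pkt):
        outbound = ipaddress.ip_address(pkt.src) in INSIDE
        # Direction-independent flow key so the reply matches the request.
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        state = self.sessions.get(key)
        if outbound and pkt.flags == "SYN":
            self.sessions[key] = "SYN_SENT"
            return "forward"
        if not outbound and pkt.flags == "SYN-ACK" and state == "SYN_SENT":
            self.sessions[key] = "SYN_RCVD"
            return "forward"
        if outbound and pkt.flags == "ACK" and state in ("SYN_RCVD", "ESTABLISHED"):
            self.sessions[key] = "ESTABLISHED"
            return "forward"
        return "drop"  # no matching state: the packet is discarded

def handshake(egress_fw, ingress_fw):
    """Send SYN and ACK through egress_fw, SYN-ACK through ingress_fw."""
    client, server = ("192.0.2.10", 40000), ("198.51.100.5", 443)
    steps = [(egress_fw, Packet(*client, *server, "SYN")),
             (ingress_fw, Packet(*server, *client, "SYN-ACK")),
             (egress_fw, Packet(*client, *server, "ACK"))]
    verdicts = []
    for fw, pkt in steps:
        verdicts.append((fw.name, pkt.flags, fw.process(pkt)))
        if verdicts[-1][2] == "drop":
            break  # the handshake cannot continue past a dropped segment
    return verdicts

if __name__ == "__main__":
    print("standalone:", handshake(StatefulFirewall("fw-a"), StatefulFirewall("fw-b")))
    shared = {}
    print("HA pair:   ", handshake(StatefulFirewall("fw-a", shared), StatefulFirewall("fw-b", shared)))
```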
08-12-2016 10:07 AM
Thank you for the information. How can I allow asymmetrical routing in ICX 7750s? Is there any config for this process? Do you have any guide for this process?
08-12-2016 11:03 AM
There isn't anything specific to do in terms of configuration to allow it to perform asymmetric routing. Simply enabling routing and assigning IP addresses will allow it to route.
Asymmetric routing is quite a loose and vague term. If your DDOS provider needs traffic to follow specific paths and those paths are going to be asymmetric then the provider will need to detail exactly what they are expecting in terms of the paths.
The ICX7750 supports policy based routing which is a tool/feature that could be used to implement this, but it all depends on specifically what the DDOS provider wants.