BEMIS@ORECES.CTD.ORNL.GOV (Curt Bemis,46708::bemis; 615-574-4769) (09/25/90)
From: ORECES::HYMANLL "Lynn Hyman, (615)574-7619" 20-SEP-1990 08:42:57.29
To: @SYS$LOGIN:MIL.DIS
CC: HYMANLL
Subj: Filtering MILnet routing updates

We did it!!!! With considerable fear and trepidation, we removed the incoming access-list filters on the EGP routing update processes from the MILnet (DDN)!!

Remember, our Cisco CSC/2 gateway router that supports the ORNL link to MILnet (DDN) only has 1 MByte of memory, earlier software versions for the CSC/2, prior to V.8.1(19) rendered the box useless without a heavy set of filters on the incoming updates because the DDN advertises nearly everything. Not sufficient memory with prior versions to handle it when the box does DDN X25, in addition to the usual gateway IP stuff. However, using the latest set of PROMs from Cisco with Version 8.1(19), the executing software runs out of ROM, not RAM thus saving considerable memory. For example, our access-list restricted the incoming EGP routing information content to about 450 nets, not the usual 1500 or so that the DDN advertises. Using 8.1(19), we freed up over 500 kbytes in the box!!

That gave us the idea that we should take whatever information the incoming DDN updates would give us, all 1500 nets or so, use the same access list, BUT, put it on the outgoing IGRP process that sends the routing information to our "master router" at ORNL. Doing it this way, gives us the advantage of "seeing" all the nets that the DDN advertises, but allows us the decision to select those nets appropriate to route via the DDN (directly attached .mil nets plus those others that have primary DDN connections).

The only disadvantage doing what we do (running the CSC/2 out of ROM with V. 8.1(19)), is that the operating system has a little slower access time, BUT, it makes little difference because the box only supports the 56 kbps DDN X25 serial line, in addition to its ether connection, and the ether connection is in a "protected environment".

Even with IP Accounting turned on, taking the entire DDN routing updates, filtering only the subsequent IGRP outgoing updates to our "firewall", we still have 450-to-500 kbytes of free memory!! Free memory varies as nets appear and disappear off the DDN. We feel quite comfortable with that much free memory, and even if the DDN starts to advertise 2-3 times the number of routes that it currently does, we still should be in good shape!

Thank you Cisco--

Lynn and Curt
(hymanll@oreces.ctd.ornl.gov)
(bemis@oreces.ctd.ornl.gov)
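
The filter move described in the message above, sketched as an added configuration example; it is not Lynn and Curt's actual configuration. It assumes the distribute-list syntax of later Cisco IOS releases (the 8.1(19) syntax may differ), and every network number, autonomous-system number and metric value is a constructed placeholder.

```cisco
! Constructed example: all nets, AS numbers and metrics are placeholders.
!
! One standard access list names the nets that should be routed via the DDN.
! Everything not listed is dropped by the implicit deny at the end.
access-list 10 permit 192.0.2.0
access-list 10 permit 198.51.100.0
!
! --- BEFORE: the list filters INCOMING EGP updates -----------------------
! Only the permitted nets are installed, so the routing table stays small,
! but the gateway never learns the rest of what the DDN advertises.
autonomous-system 64500
router egp 64501
 neighbor 203.0.113.1
 distribute-list 10 in
!
router igrp 64500
 network 203.0.113.0
 redistribute egp 64501
 default-metric 56 20000 255 1 1500
!
! --- AFTER: the same list filters OUTGOING IGRP updates ------------------
! The gateway now accepts the full set of DDN-advertised nets, and only the
! permitted nets are passed on to the internal "master router".
router egp 64501
 no distribute-list 10 in
!
router igrp 64500
 distribute-list 10 out
```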