>
Adam Vitkovsky
IP Engineer
T: 0333 006 5936
E: adam.vitkov...@gamma.co.uk
W: www.gamma.co.uk
This is an email from Gamma Telecom Ltd, trading as “Gamma”. The contents of
this email are confidential to the ordinary user of the email address to which
it was addressed. This email is not intended to create any legal relationship.
No one else may place any reliance upon it, or copy or forward all or any of it
in any form (unless otherwise notified). If you receive this email in error,
please accept our apologies, we would be obliged if you would telephone our
postmaster on +44 (0) 808 178 9652 or email postmas...@gamma.co.uk
Gamma Telecom Limited, a company incorporated in England and Wales, with
limited liability, with registered number 04340834, and whose registered office
is at 5 Fleet Place London EC4M 7RD and whose principal place of business is at
Kings House, Kings Road West, Newbury, Berkshire, RG14 5BY.
-----Original Message-----
> From: Saku Ytti [mailto:s...@ytti.fi]
> Sent: Friday, March 25, 2016 5:50 PM
> To: Adam Vitkovsky
> Cc: Luis Balbinot; jnsp list
> Subject: Re: [j-nsp] Core network design for an ISP
>
> On 25 March 2016 at 19:42, Adam Vitkovsky
> <adam.vitkov...@gamma.co.uk> wrote:
>
> Hey Adam,
>
> > My understanding is that MX does not support(yet) "selective VRF
> > download" (don't know the juniper name for the feature) Anyways Cisco
> stopped using it as it was causing more problems than it solved.
>
> I believe Luis refers to FIB localisation introduced in 12.3:
> http://www.juniper.net/documentation/en_US/junos15.1/topics/concept/f
> ib-localization-overview.html>
>
Hmm interesting concept -then with this feature enabled where would the VRF
filter be executed on FIB-remote PFE or FIB-local PFE?
>
> > Also since you folks talk about converged networks that is mixing services
> and internet on one network -have you tested how the kit performs in
> corner cases (DDoS), would love to hear your experiences.
>
> I've tried to punish MX in lab quite a bit and have found issues in ddos-
> protection behaviour, some very dramatic. But today, AFAIK, correctly
> configured MX is very robust against control-plane attacks, much more so
> than ASR9k. But out-of-the-box ASR9k is much better defended. And I've not
> yet read any lo0 filter anywhere which isn't fundamentally broken, including
> cymry secure templates.
>
Sorry I wasn’t clear I meant how the box performs when under DDoS attack.
But yeah I guess I know what you mean with regards to lo0 filters I've been
there, what I miss in Junos is the ability to say that only defined interfaces
can be used to access the box. So one has to be very careful with the filter
construction as well as understand the lo0 filter applicability rules posted
here recently.
adam
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
