On 25 March 2016 at 21:39, Adam Vitkovsky <adam.vitkov...@gamma.co.uk> wrote:
>> I believe Luis refers to FIB localisation introduced in 12.3: >> http://www.juniper.net/documentation/en_US/junos15.1/topics/concept/f >> ib-localization-overview.html> >> > Hmm interesting concept -then with this feature enabled where would the VRF > filter be executed on FIB-remote PFE or FIB-local PFE? I'm not big fan, due to the potential multiple NPUs involved in lookups and multiple fabric travels. I'm not intimately familiar with the feature though. > Sorry I wasn’t clear I meant how the box performs when under DDoS attack. Do you mean transit DDoS? With proper QoS, should be fine. > But yeah I guess I know what you mean with regards to lo0 filters I've been > there, what I miss in Junos is the ability to say that only defined > interfaces can be used to access the box. So one has to be very careful with > the filter construction as well as understand the lo0 filter applicability > rules posted here recently. You could use interface-groups, they are mutually exclusive with some forwarding filters though. I've previously used interface-groups to mark edge interfaces with 'privileged' access to control-plane, such like DHCP. -- ++ytti _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp