On 8 June 2016 at 00:00, Ross Halliday
<ross.halli...@wtccommunications.ca> wrote:

Hey,

> All kinds of problems happen, yes the only "real" safeguard is to put every 
> customer on their own PE. You might remember a previous conversation we had 
> regarding the DDoS Protection mechanism. This thing is a major thorn in my 
> side. Thanks to this "faster" design, when one of these filters kicks in, any 
> traffic matching that class on the ENTIRE box is blackholed. I don't think 
> this is appropriate behaviour: In my experience, it actually *creates* a DoS 
> situation on these boxes.

It's a pretty funny situation: IOS-XR out of the box probably has the best
in the market control-plane protection. Juniper has pretty
non-existent. But for an operator knowing how to configure it right,
IOS-XR cannot be configured correctly, you'll always have to carry
significant shared risks. Trio+ platforms, otoh, can be configured
almost correctly, essentially with almost no shared risks.

To put it bluntly, you configured the box incorrectly. Even if you had
multiple linecards, you would have killed all of the traffic in the
single NPU, so you'd have severe collateral damage anyhow. And if you
had multiple MX104 (i.e. multiple linecards) you'd have higher
resiliency than multiple linecards in a single chassis.

You need to look into DDoS-protection, reduce the default aggregate
pps rates significantly (there is a built-in policer for how much the NPU
can punt, and many DDoS protection protocols are higher rate than
that). And crucially you need to make sure you have per-IFL
ddos-protection set to a sufficiently low number, so if one of your
customers has an L2 loop and pukes some trash on your control-plane,
you'll only police that IFL, leaving all other IFLs operating normally.

> These routers have their place, they're definitely a Swiss Army Knife type of 
> machine, it's just that the handle is really small...

I agree the control-plane is shite, it's not a DFZ router because of
that. But I don't agree on the single linecard design being a liability,
to me it's an advantage. Fabric and distributed design is a hack we
need, because technology isn't there to offer a reasonable number of
ports with a single chip.

-- 
  ++ytti
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
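The per-IFL ddos-protection setup the reply above describes, as an added illustration that is not part of the thread and not taken from Juniper documentation: aggregate protocol policers lowered below the NPU punt capacity, plus flow detection so that a single logical interface (IFL) spewing ARP or ICMP gets policed on its own. The protocol names and the `flow-level-detection` / `flow-level-bandwidth` knobs are standard Junos ddos-protection syntax; the pps and burst values are placeholder numbers chosen for the example, not a recommendation for any platform.

```junos
## Added example configuration (not from the thread). Numbers are placeholders.

## Flow detection must be switched on globally before per-IFL policing
## of individual offending flows does anything.
set system ddos-protection global flow-detection

## ARP: a looped customer port typically shows up here first. Keep the
## aggregate well under what the NPU can punt, then cap each IFL separately
## so one customer's loop cannot consume the whole protocol budget.
set system ddos-protection protocols arp aggregate bandwidth 2000
set system ddos-protection protocols arp aggregate burst 1000
set system ddos-protection protocols arp aggregate flow-level-detection logical-interface on
set system ddos-protection protocols arp aggregate flow-level-bandwidth logical-interface 200

## ICMP: same pattern, so ping floods from one IFL are isolated to that IFL.
set system ddos-protection protocols icmp aggregate bandwidth 2000
set system ddos-protection protocols icmp aggregate burst 1000
set system ddos-protection protocols icmp aggregate flow-level-detection logical-interface on
set system ddos-protection protocols icmp aggregate flow-level-bandwidth logical-interface 200

## Verification after commit (operational mode):
##   show ddos-protection protocols violations
##   show ddos-protection protocols arp statistics
## A violation entry naming a single logical interface, with the aggregate
## still under its limit, is the behaviour this configuration is after.
```

The weak default is the implicit one: aggregate-only policers at platform defaults, with no flow detection, which is what blackholes every customer's ARP or ICMP on the box once any one of them trips the limit. After committing, watch `show ddos-protection protocols violations` during a known customer loop to confirm the suspect flow is attributed to its IFL rather than to the aggregate.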