On 11 April 2017 at 00:42,  <adamv0...@netconsultings.com> wrote:

> Nope ASR9k is using LPTS to cya :)

Some problems with LPTS

a) LPTS punted packets are not subject to MQC, so you cannot use
interface policers to limit say ICMP, BGP etc
b) LPTS only has 'aggregate' (NPU) level policing, ddos-protection has
aggregate => ifd => ifl => sub
c) There is no log information of what is causing LPTS or XIPC to drop packets

All this means, for example if you have 'bad' and 'good' customer
sending you say BGP (or ICMP6, or what ever). Maybe 'bad' customer has
L2 loop, and accidentally offers line rate of BGP. This means that
your aggregate BGP policer, BGP-known @ 2500pps is congested. If your
'good' BGP is say 5pps and your 'bad' BGP is say 1.48Mpps, there is
99.5% probability that any given BGP through that NPU will time out
(1-(2500.0/1480010))**3.

If you manage to identify the culprit somehow (perhaps capturing NPU
counters), only thing you can do is add ACL to the offending interface
dropping all BGP packets, as ACL is subject to LPTS punted packets,
even though MQC is not. For obviously you cannot do this as a
pre-emptive measure, so there is no proactive way to actually protect
the box today.
And some newer IOS-XR platforms don't implement LPTS at all, even
though you can configure it, it'll commit, and it may look casually
like it's doing something.

In summary LPTS is great out of the box, but impossible to configure
right. JunOS is terrible out of the box, but possible to configure
right, but no one does it, because it's too hard (I know I can't do it
for all cases, like DHCP snooping).

-- 
++ytti
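An added illustration of point (b) and the BGP numbers in the post above; this is example code, not part of the mail or of any vendor implementation. It assumes a simplified proportional-share policer (real LPTS/NPU behaviour is not modelled) and an assumed per-interface limit of 500 pps for the hierarchical case.

```python
# Model of an aggregate-only policer (LPTS style) versus a hierarchical
# one (aggregate => per-interface), using the figures from the post:
# 'good' customer offers 5 pps of BGP, 'bad' customer offers 1.48 Mpps,
# and the aggregate BGP-known policer is 2500 pps. Simplified model.

def aggregate_policer(offered_pps, limit_pps):
    """Single aggregate policer: when congested, every flow keeps the
    same fraction of its offered rate (proportional-share assumption)."""
    total = sum(offered_pps.values())
    if total <= limit_pps:
        return dict(offered_pps)
    share = limit_pps / total
    return {name: pps * share for name, pps in offered_pps.items()}

def hierarchical_policer(offered_pps, per_interface_limit_pps, limit_pps):
    """Per-interface policer first, then the aggregate one, so a single
    looping interface cannot consume the whole aggregate budget."""
    clamped = {name: min(pps, per_interface_limit_pps)
               for name, pps in offered_pps.items()}
    return aggregate_policer(clamped, limit_pps)

def timeout_probability(accepted_pps, offered_pps, retries=3):
    """Probability that all `retries` attempts of a flow are dropped,
    i.e. the (1 - accepted/offered)**retries figure from the post."""
    if offered_pps == 0:
        return 0.0
    loss = 1.0 - accepted_pps / offered_pps
    return loss ** retries

# Constructed input from the post's numbers (pps per customer interface).
OFFERED = {"good": 5, "bad": 1_480_000}

def compare(offered=OFFERED, aggregate_limit=2500, per_interface_limit=500):
    """Timeout probability of the 'good' BGP session under both models."""
    agg = aggregate_policer(offered, aggregate_limit)
    hier = hierarchical_policer(offered, per_interface_limit, aggregate_limit)
    return {
        "aggregate": timeout_probability(agg["good"], offered["good"]),
        "hierarchical": timeout_probability(hier["good"], offered["good"]),
    }

if __name__ == "__main__":
    for model, p in compare().items():
        print(f"{model:13s} P(good BGP times out) = {p:.4f}")
```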
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp