> Saku Ytti [mailto:s...@ytti.fi]
> Sent: Monday, April 10, 2017 11:37 PM
>
> Some problems with LPTS
>
> a) LPTS punted packets are not subject to MQC, so you cannot use interface
> policers to limit say ICMP, BGP etc

Yeah, this is a huge mess up, taking the control away and not providing the same level of granularity in LPTS.

> b) LPTS only has 'aggregate' (NPU) level policing, ddos-protection has
> aggregate => ifd => ifl => sub

I don't really see a need for hierarchical policers, and besides, the uKernel and RE policers are SW; only the LU has a HW policer.

> c) There is no log information of what is causing LPTS or XIPC to drop packets

Not sure what you mean: you're getting no info, or insufficient info? Because although native LPTS alerting doesn't exist, it can be done with a TCL script applied through EEM.

> All this means, for example if you have 'bad' and 'good' customer sending
> you say BGP (or ICMP6, or what ever). Maybe 'bad' customer has
> L2 loop, and accidentally offers line rate of BGP. This means that your
> aggregate BGP policer, BGP-known @ 2500pps is congested. If your 'good'
> BGP is say 5pps and your 'bad' BGP is say 1.48Mpps, there is 99.5% probability
> that any given BGP through that NPU will time out (1-(2500.0/1480010))**3.

Actually, in this specific case I'm just thinking wouldn't the looped BGP session be subject to a more aggressive "Configured" policer as opposed to the "Established" policer. Hmm, but even if it was, the session would have to time out first, so during the timeout period the "good" session could be affected/starved out.

> If you manage to identify the culprit somehow (perhaps capturing NPU
> counters), only thing you can do is add ACL to the offending interface
> dropping all BGP packets, as ACL is subject to LPTS punted packets, even
> though MQC is not. For obviously you cannot do this as pre-emptive
> measure, so there is no proactive way to actually protect the box today.

Yeah, that's a bummer. But I think I read somewhere that there's a plan to introduce policing for ACL in XR, or something along those lines, but I can't find it anywhere.

adam
netconsultings.com
::carrier-class solutions for the telecommunications industry::

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
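The starvation scenario Saku quotes above (a looped customer flooding the shared BGP policer), as an added example that is not part of the thread: a small model comparing an aggregate-only policer with a hierarchical one that caps each interface first. The per-interface limit and the "3 missed keepalives = timeout" rule are assumptions; the 5pps / 1.48Mpps / 2500pps figures are the thread's own.

```python
# Added example (not from the thread). Models why an aggregate-only control-plane
# policer lets one misbehaving interface starve a well-behaved one, and what a
# per-interface (ifl-style) policer in front of the aggregate changes.

def drop_probability(offered_pps: float, policer_pps: float) -> float:
    """Share of packets dropped by a policer passing policer_pps of offered_pps.
    A policer that is not congested drops nothing."""
    if offered_pps <= policer_pps:
        return 0.0
    return 1.0 - policer_pps / offered_pps


def timeout_probability(drop_p: float, missed_keepalives: int = 3) -> float:
    """Assumed rule: the session times out when missed_keepalives consecutive
    keepalives are lost (hold time = 3 x keepalive), as in the thread's formula."""
    return drop_p ** missed_keepalives


def aggregate_only(good_pps: float, bad_pps: float, aggregate_pps: float) -> float:
    """LPTS-style: every BGP packet reaching the NPU shares one policer, so the
    good session sees the same drop probability as the looped one."""
    p = drop_probability(good_pps + bad_pps, aggregate_pps)
    return timeout_probability(p)


def hierarchical(good_pps: float, bad_pps: float, aggregate_pps: float,
                 per_interface_pps: float) -> float:
    """ddos-protection-style (assumed per-interface cap): each interface is
    policed first, then the survivors share the aggregate policer."""
    # Drops the good customer suffers at its own interface policer.
    p_own = drop_probability(good_pps, per_interface_pps)
    # Traffic that survives the per-interface stage and contends at the aggregate.
    survivors = min(good_pps, per_interface_pps) + min(bad_pps, per_interface_pps)
    p_agg = drop_probability(survivors, aggregate_pps)
    # Packet survives only if it passes both stages.
    p_total = 1.0 - (1.0 - p_own) * (1.0 - p_agg)
    return timeout_probability(p_total)


if __name__ == "__main__":
    GOOD, AGG = 5, 2500               # thread: 5pps good BGP, BGP-known @ 2500pps
    BAD = 1_480_010 - GOOD            # thread: 1.48Mpps looped, total 1480010
    IFL = 500                         # assumed per-interface cap
    print(f"aggregate only : P(timeout) = {aggregate_only(GOOD, BAD, AGG):.4f}")
    print(f"hierarchical   : P(timeout) = {hierarchical(GOOD, BAD, AGG, IFL):.4f}")
```

With the thread's numbers the aggregate-only model reproduces the quoted 99.5% timeout probability, while any per-interface cap below the aggregate rate leaves the good session untouched.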