On Fri, 8 Aug 2025 at 18:45, Nick Hilliard via NANOG <[email protected]> wrote:
> If Cisco have implemented a pps limiter of 50k/s, that's a lot of snmp
> pps. Is this a realistic amount of requests to be properly serviced per
> second? SNMP packet encapsulation / general handling is one thing, but
> stats collection / intermediation can be more heavyweight. Bear in mind
> that the failure modes in this sort of situation are often non-linear.

In this case something less obvious is happening: OP isn't pushing 300 pps, yet the policer is firing. This could be a legitimate bug, might require a peek into what actually gets programmed into the BRCM.

In PTX PE (Paradise) there isn't a PPS policer in the hardware, yet ddos-protection can only be configured as PPS. So as a compromise the developer decided to program a (1500*8*pps) bps policer. So out of the box, standard configuration, the box will admit far too many small packets, more than the VoQ from ASIC -> LC_CPU can admit, congesting the whole VoQ, which is shared by most things. Unfortunately the user cannot change the 1500 into 64, nor can the user decide which ddos-protocols go into which VoQ, making it very tricky to get reasonable punt results under poor weather.

--
  ++ytti
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/MGQJ3IHTTP4T6H2BFPTKVILRK6P5EPTM/
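Added example, not part of the original message and not vendor code: a byte-metering token bucket that models the (1500*8*pps) bps conversion described above, showing how many packets per second it passes at different packet sizes. The configured limit, offered rate and burst size are constructed assumptions.

```python
"""Model of a pps limit programmed as a (1500*8*pps) bps policer."""

ASSUMED_PKT_BYTES = 1500  # the fixed packet size from the message


def policer_bps(configured_pps):
    # Conversion described in the message: pps limit -> bps policer.
    return ASSUMED_PKT_BYTES * 8 * configured_pps


def admitted_packets(configured_pps, pkt_bytes, offered_pps,
                     burst_bytes=15000, seconds=1):
    """Packets passed by a byte-metering token bucket in `seconds`.

    burst_bytes is an assumed value, not one from the message. Token
    counts are scaled by offered_pps so all arithmetic stays in integers.
    """
    fill = policer_bps(configured_pps) // 8      # bytes/s = scaled refill per arrival
    cap = burst_bytes * offered_pps              # scaled bucket depth
    cost = pkt_bytes * offered_pps               # scaled cost of one packet
    tokens, passed = cap, 0
    for i in range(offered_pps * seconds):
        if i:                                    # refill between arrivals
            tokens = min(cap, tokens + fill)
        if tokens >= cost:
            tokens -= cost
            passed += 1
    return passed


if __name__ == "__main__":
    limit = 1000          # constructed: operator intends 1000 pps
    flood = 100_000       # constructed: offered packet rate
    for size in (1500, 512, 64):
        got = admitted_packets(limit, size, flood)
        print(f"{size:>4}-byte packets: {got} admitted/s "
              f"({got / limit:.1f}x the configured pps)")
```

When sizing punt-path protection on a platform that behaves this way, compare the 64-byte figure, not the configured pps, against what the queue towards the line-card CPU can absorb.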
